Analysis

Category: FILE
Package: exe
Started: 2020-10-18 06:41:04
Completed: 2020-10-18 06:45:53
Duration: 289 seconds
Options: route = tor

Log:
2020-05-13 09:13:32,750 [root] INFO: Date set to: 20201018T06:41:02, timeout set to: 200
2020-10-18 06:41:02,062 [root] DEBUG: Starting analyzer from: C:\tmpq_mrpfl7
2020-10-18 06:41:02,062 [root] DEBUG: Storing results at: C:\OPIZFU
2020-10-18 06:41:02,062 [root] DEBUG: Pipe server name: \\.\PIPE\WqOwHUXvY
2020-10-18 06:41:02,062 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-10-18 06:41:02,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-10-18 06:41:02,062 [root] INFO: Automatically selected analysis package "exe"
2020-10-18 06:41:02,062 [root] DEBUG: Importing analysis package "exe"...
2020-10-18 06:41:02,312 [root] DEBUG: Initializing analysis package "exe"...
2020-10-18 06:41:02,750 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2020-10-18 06:41:02,765 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2020-10-18 06:41:02,812 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2020-10-18 06:41:02,859 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2020-10-18 06:41:02,890 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2020-10-18 06:41:02,890 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2020-10-18 06:41:02,906 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2020-10-18 06:41:02,906 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-10-18 06:41:02,906 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-10-18 06:41:02,906 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-10-18 06:41:02,906 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-10-18 06:41:02,906 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-10-18 06:41:02,906 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-10-18 06:41:02,921 [lib.api.screenshot] DEBUG: Importing 'math'
2020-10-18 06:41:02,921 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-10-18 06:41:03,750 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-10-18 06:41:03,765 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-10-18 06:41:03,796 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-10-18 06:41:03,796 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2020-10-18 06:41:03,812 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2020-10-18 06:41:03,828 [root] DEBUG: Initializing auxiliary module "Browser"...
2020-10-18 06:41:03,828 [root] DEBUG: Started auxiliary module Browser
2020-10-18 06:41:03,828 [root] DEBUG: Initializing auxiliary module "Curtain"...
2020-10-18 06:41:03,828 [root] DEBUG: Started auxiliary module Curtain
2020-10-18 06:41:03,828 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2020-10-18 06:41:03,828 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-10-18 06:41:04,796 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-10-18 06:41:04,796 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-10-18 06:41:04,796 [root] DEBUG: Started auxiliary module DigiSig
2020-10-18 06:41:04,796 [root] DEBUG: Initializing auxiliary module "Disguise"...
2020-10-18 06:41:04,828 [modules.auxiliary.disguise] INFO: Disguising GUID to 3055ff0e-3cb5-4862-a165-95ab9193947b
2020-10-18 06:41:04,828 [root] DEBUG: Started auxiliary module Disguise
2020-10-18 06:41:04,828 [root] DEBUG: Initializing auxiliary module "Human"...
2020-10-18 06:41:04,828 [root] DEBUG: Started auxiliary module Human
2020-10-18 06:41:04,828 [root] DEBUG: Initializing auxiliary module "Procmon"...
2020-10-18 06:41:04,843 [root] DEBUG: Started auxiliary module Procmon
2020-10-18 06:41:04,843 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2020-10-18 06:41:04,843 [root] DEBUG: Started auxiliary module Screenshots
2020-10-18 06:41:04,843 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2020-10-18 06:41:04,843 [root] DEBUG: Started auxiliary module Sysmon
2020-10-18 06:41:04,843 [root] DEBUG: Initializing auxiliary module "Usage"...
2020-10-18 06:41:04,843 [root] DEBUG: Started auxiliary module Usage
2020-10-18 06:41:04,843 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-10-18 06:41:04,843 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-10-18 06:41:04,843 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2020-10-18 06:41:04,843 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2020-10-18 06:41:05,046 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe" with arguments "" with pid 2584
2020-10-18 06:41:05,046 [lib.api.process] INFO: Monitor config for process 2584: C:\tmpq_mrpfl7\dll\2584.ini
2020-10-18 06:41:05,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\ncmLQu.dll, loader C:\tmpq_mrpfl7\bin\HVuEqqH.exe
2020-10-18 06:41:05,109 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\WqOwHUXvY.
2020-10-18 06:41:05,109 [root] DEBUG: Loader: Injecting process 2584 (thread 4992) with C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:05,125 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:05,125 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:41:05,125 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:07,125 [lib.api.process] INFO: Successfully resumed process with pid 2584
2020-10-18 06:41:07,359 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:41:07,359 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:41:07,359 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:41:07,359 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2584 at 0x68d00000, image base 0x11f0000, stack from 0x246000-0x250000
2020-10-18 06:41:07,375 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe"
2020-10-18 06:41:07,375 [root] INFO: Loaded monitor into process with pid 2584
2020-10-18 06:41:07,390 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:07,390 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:07,390 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:07,390 [root] DEBUG: DLL loaded at 0x68CC0000: C:\Windows\system32\odbcint (0x38000 bytes).
2020-10-18 06:41:07,390 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf0 and local view 0x000F0000 to global list.
2020-10-18 06:41:07,406 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-10-18 06:41:33,234 [root] INFO: Announced 32-bit process name: PO8479349743085.exe pid: 5400
2020-10-18 06:41:33,234 [lib.api.process] INFO: Monitor config for process 5400: C:\tmpq_mrpfl7\dll\5400.ini
2020-10-18 06:41:33,249 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\ncmLQu.dll, loader C:\tmpq_mrpfl7\bin\HVuEqqH.exe
2020-10-18 06:41:33,281 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\WqOwHUXvY.
2020-10-18 06:41:33,281 [root] DEBUG: Loader: Injecting process 5400 (thread 5468) with C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:33,281 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:33,296 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:41:33,296 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:33,296 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-10-18 06:41:33,343 [root] DEBUG: DLL unloaded from 0x011F0000.
2020-10-18 06:41:33,343 [root] DEBUG: CreateProcessHandler: Injection info set for new process 5400, ImageBase: 0x011F0000
2020-10-18 06:41:33,343 [root] INFO: Announced 32-bit process name: PO8479349743085.exe pid: 5400
2020-10-18 06:41:33,343 [lib.api.process] INFO: Monitor config for process 5400: C:\tmpq_mrpfl7\dll\5400.ini
2020-10-18 06:41:33,343 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\ncmLQu.dll, loader C:\tmpq_mrpfl7\bin\HVuEqqH.exe
2020-10-18 06:41:33,359 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\WqOwHUXvY.
2020-10-18 06:41:33,359 [root] DEBUG: Loader: Injecting process 5400 (thread 5468) with C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:33,359 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:33,359 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-10-18 06:41:33,359 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:33,421 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0001CA20 (process 5400).
2020-10-18 06:41:33,421 [root] INFO: Announced 32-bit process name: PO8479349743085.exe pid: 5400
2020-10-18 06:41:33,421 [lib.api.process] INFO: Monitor config for process 5400: C:\tmpq_mrpfl7\dll\5400.ini
2020-10-18 06:41:33,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\ncmLQu.dll, loader C:\tmpq_mrpfl7\bin\HVuEqqH.exe
2020-10-18 06:41:33,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\WqOwHUXvY.
2020-10-18 06:41:33,437 [root] DEBUG: Loader: Injecting process 5400 (thread 5468) with C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:33,437 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:33,437 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-10-18 06:41:33,437 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\ncmLQu.dll.
2020-10-18 06:41:33,468 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2584
2020-10-18 06:41:33,468 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-10-18 06:41:33,468 [root] DEBUG: GetHookCallerBase: thread 4992 (handle 0x0), return address 0x01216B6C, allocation base 0x011F0000.
2020-10-18 06:41:33,484 [root] DEBUG: Dropped file limit defaulting to 100.
2020-10-18 06:41:33,484 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x011F0000.
2020-10-18 06:41:33,484 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-10-18 06:41:33,484 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x011F0000.
2020-10-18 06:41:33,484 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000271D.
2020-10-18 06:41:33,484 [root] INFO: Disabling sleep skipping.
2020-10-18 06:41:33,484 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-10-18 06:41:33,484 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5400 at 0x68d00000, image base 0x400000, stack from 0x256000-0x260000
2020-10-18 06:41:33,484 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe"
2020-10-18 06:41:33,500 [root] INFO: Loaded monitor into process with pid 5400
2020-10-18 06:41:33,531 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2de00.
2020-10-18 06:41:33,625 [root] INFO: Process with pid 2584 has terminated
2020-10-18 06:41:37,234 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5400
2020-10-18 06:41:37,281 [root] DEBUG: GetHookCallerBase: thread 5468 (handle 0x0), return address 0x00417F0A, allocation base 0x00400000.
2020-10-18 06:41:37,328 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-10-18 06:41:37,328 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-10-18 06:41:37,375 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00400000.
2020-10-18 06:44:27,437 [root] INFO: Analysis timeout hit, terminating analysis.
2020-10-18 06:44:27,453 [lib.api.process] ERROR: Failed to open terminate event for pid 5400
2020-10-18 06:44:27,453 [root] INFO: Terminate event set for process 5400.
2020-10-18 06:44:27,453 [root] INFO: Created shutdown mutex.
2020-10-18 06:44:28,453 [root] INFO: Shutting down package.
2020-10-18 06:44:28,453 [root] INFO: Stopping auxiliary modules.
2020-10-18 06:44:28,578 [lib.common.results] WARNING: File C:\OPIZFU\bin\procmon.xml doesn't exist anymore
2020-10-18 06:44:28,578 [root] INFO: Finishing auxiliary modules.
2020-10-18 06:44:28,578 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-10-18 06:44:28,578 [root] WARNING: Folder at path "C:\OPIZFU\debugger" does not exist, skip.
2020-10-18 06:44:28,593 [root] INFO: Analysis completed.

Machine

Name: win7_4
Label: win7_4
Manager: KVM
Started On: 2020-10-18 06:41:04
Shutdown On: 2020-10-18 06:45:52

File Details

File Name PO8479349743085.exe
File Size 342016 bytes
File Type PE32 executable (console) Intel 80386, for MS Windows
PE timestamp 2020-10-17 09:19:45
MD5 ed96c254e53b9d7a33827da32e02d513
SHA1 5c074c70293c77c4d1409facdc930de69070917d
SHA256 92625b5d11e691107b8aa2e733c1be9fe3677b5a86f03e08f239bf6e0d450885
SHA512 61b9591b2ac8823074d23308d296abb9c5b7f48248f60e7ab9c123a6ead0c128abbd533b36aac320c0ee412b531c5ae01226c63bc211ab2c585d897bd3dcd778
CRC32 741850AE
Ssdeep 6144:tj72aAQiYdRh5VPUgaLTzhwuswIWU3/Ght5NyPHD4J31NwD:d2aAsdRe9zqusw3U3/fPHD6iD

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Dynamic (imported) function loading detected
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: kernel32.dll/AreFileApisANSI
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2584 trigged the Yara rule 'shellcode_get_eip'
Hit: PID 2584 trigged the Yara rule 'shellcode_stack_strings'
Hit: PID 2584 trigged the Yara rule 'HeavensGate'
Creates RWX memory
Reads data out of its own binary image
self_read: process: PO8479349743085.exe, pid: 2584, offset: 0x00000000, length: 0x00053800
A process created a hidden window
Process: PO8479349743085.exe -> C:\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
get_no_useragent: HTTP traffic contains a GET request with no user-agent header
suspicious_request: http://www.wesportscity.com/d8h/?CZ=RNqt58oOHd5whgsyY//zCocy/IAQsQ+MvXWW5F1sEvHFYvdOdh2k9zEoYfo2HQfR+MAsuw==&F4=5jfHZl
suspicious_request: http://www.matu-edu.com/d8h/
suspicious_request: http://www.matu-edu.com/d8h/?CZ=ulW4hg8SaoSBMicQPLeLzGLAYISMMUrPq5TiGuQvBZj25AUzjLF0HiLMwqY5/y8pnWBQwA==&F4=5jfHZl
suspicious_request: http://www.anaejoao2021.com/d8h/
suspicious_request: http://www.anaejoao2021.com/d8h/?CZ=+QMxmTeVf6/neLoGOkNsNs+LKlSXE0MxkEjUxGYXWHXlvifn05TjUCnrln+mEdCmifiDWQ==&F4=5jfHZl
suspicious_request: http://www.winemakingkit.net/d8h/
suspicious_request: http://www.winemakingkit.net/d8h/?CZ=n0pc3cc6+0YkqSdGzLl7lNQKfOxVym8vHjGAPluz8akYvGl+n6gqY40t1sna0O++Cmsdmg==&F4=5jfHZl
suspicious_request: http://www.nvschoolology.com/d8h/
suspicious_request: http://www.nvschoolology.com/d8h/?CZ=XczcMB0aajN3I/quEKBTt7tD1KlbLTvwFAYdJ5YNCiKZfupTYXN/NChr6+O1rfV/MbkJeg==&F4=5jfHZl
suspicious_request: http://www.bottrader.digital/d8h/
suspicious_request: http://www.bottrader.digital/d8h/?CZ=0JNaWD+pZ3KDLBE5iz+TKeKuqytbEj/rGfjbjeIfajn9ucyGpdURLSXmWNJLTYpCRIqlvg==&F4=5jfHZl
suspicious_request: http://www.circuswiththestars.com/d8h/
suspicious_request: http://www.circuswiththestars.com/d8h/?CZ=72ryGVi52SYw3Z05dszLppNw4lfJ3Q6AR/BR0ugDEYU2pawrN2MNGhIyMSqEezpT4yh7iA==&F4=5jfHZl
suspicious_request: http://www.couple.chat/d8h/
suspicious_request: http://www.couple.chat/d8h/?CZ=zzjBtj82D0lM/IFEFN5PdbZrvD3M2tuGi9VeoSz9B+GsqX4EGedb7pMBE/vISEc9tcNd7w==&F4=5jfHZl
suspicious_request: http://www.griffinmcshane.com/d8h/
suspicious_request: http://www.griffinmcshane.com/d8h/?CZ=mysH9cXML1wr6NRiYHF9S8UuE4GcUml5Q7MHClWYVlHYAm7+JMRJI0agjNUgWKqhrNZRbQ==&F4=5jfHZl
suspicious_request: http://www.maskupforschool.com/d8h/
suspicious_request: http://www.maskupforschool.com/d8h/?CZ=b4AuRmO/7JUbS6k+Qiq3knCjLs8pOUSKEo2G3RGwxeZ8hlUmNd0Cp9x7zXXV/1MTFJXwcw==&F4=5jfHZl
suspicious_request: http://www.albumofindia.online/d8h/
suspicious_request: http://www.albumofindia.online/d8h/?CZ=ube7AmU+EvAnH+Xlrh0U30zwPZ9MNWHW5q3SgJsfZjcQPenx3wyCbXPTDbZJSuwiq2aJFQ==&F4=5jfHZl
suspicious_request: http://www.chaoscraftsonthesidellc.com/d8h/
suspicious_request: http://www.chaoscraftsonthesidellc.com/d8h/?CZ=VgunWFR9q8pb4tGPCv38d+jgIlwl93I0dvwhFuWclZmZupki7t7em12E06SitRi9BTDT4Q==&F4=5jfHZl
suspicious_request: http://www.igensheets.com/d8h/
suspicious_request: http://www.igensheets.com/d8h/?CZ=zqmrbz2APNYG5UWSEGf5jI58xAusWeMf/pOsnRHmq9084BhKlfjR/DNu4vOcfXkGQkQRvw==&F4=5jfHZl
suspicious_request: http://www.pidoo.pet/d8h/
suspicious_request: http://www.pidoo.pet/d8h/?CZ=zcL2OsP5dJ0pRZhy1VbtKvKvJGO/342DftNu0qyiAGEkclQPJgjNg2OTP9GV97K68Qm91Q==&F4=5jfHZl
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Performs some HTTP requests
url: http://www.wesportscity.com/d8h/
url: http://www.wesportscity.com/d8h/?CZ=RNqt58oOHd5whgsyY//zCocy/IAQsQ+MvXWW5F1sEvHFYvdOdh2k9zEoYfo2HQfR+MAsuw==&F4=5jfHZl
url: http://www.matu-edu.com/d8h/
url: http://www.matu-edu.com/d8h/?CZ=ulW4hg8SaoSBMicQPLeLzGLAYISMMUrPq5TiGuQvBZj25AUzjLF0HiLMwqY5/y8pnWBQwA==&F4=5jfHZl
url: http://www.anaejoao2021.com/d8h/
url: http://www.anaejoao2021.com/d8h/?CZ=+QMxmTeVf6/neLoGOkNsNs+LKlSXE0MxkEjUxGYXWHXlvifn05TjUCnrln+mEdCmifiDWQ==&F4=5jfHZl
url: http://www.winemakingkit.net/d8h/
url: http://www.winemakingkit.net/d8h/?CZ=n0pc3cc6+0YkqSdGzLl7lNQKfOxVym8vHjGAPluz8akYvGl+n6gqY40t1sna0O++Cmsdmg==&F4=5jfHZl
url: http://www.nvschoolology.com/d8h/
url: http://www.nvschoolology.com/d8h/?CZ=XczcMB0aajN3I/quEKBTt7tD1KlbLTvwFAYdJ5YNCiKZfupTYXN/NChr6+O1rfV/MbkJeg==&F4=5jfHZl
url: http://www.bottrader.digital/d8h/
url: http://www.bottrader.digital/d8h/?CZ=0JNaWD+pZ3KDLBE5iz+TKeKuqytbEj/rGfjbjeIfajn9ucyGpdURLSXmWNJLTYpCRIqlvg==&F4=5jfHZl
url: http://www.circuswiththestars.com/d8h/
url: http://www.circuswiththestars.com/d8h/?CZ=72ryGVi52SYw3Z05dszLppNw4lfJ3Q6AR/BR0ugDEYU2pawrN2MNGhIyMSqEezpT4yh7iA==&F4=5jfHZl
url: http://www.couple.chat/d8h/
url: http://www.couple.chat/d8h/?CZ=zzjBtj82D0lM/IFEFN5PdbZrvD3M2tuGi9VeoSz9B+GsqX4EGedb7pMBE/vISEc9tcNd7w==&F4=5jfHZl
url: http://www.griffinmcshane.com/d8h/
url: http://www.griffinmcshane.com/d8h/?CZ=mysH9cXML1wr6NRiYHF9S8UuE4GcUml5Q7MHClWYVlHYAm7+JMRJI0agjNUgWKqhrNZRbQ==&F4=5jfHZl
url: http://www.maskupforschool.com/d8h/
url: http://www.maskupforschool.com/d8h/?CZ=b4AuRmO/7JUbS6k+Qiq3knCjLs8pOUSKEo2G3RGwxeZ8hlUmNd0Cp9x7zXXV/1MTFJXwcw==&F4=5jfHZl
url: http://www.albumofindia.online/d8h/
url: http://www.albumofindia.online/d8h/?CZ=ube7AmU+EvAnH+Xlrh0U30zwPZ9MNWHW5q3SgJsfZjcQPenx3wyCbXPTDbZJSuwiq2aJFQ==&F4=5jfHZl
url: http://www.chaoscraftsonthesidellc.com/d8h/
url: http://www.chaoscraftsonthesidellc.com/d8h/?CZ=VgunWFR9q8pb4tGPCv38d+jgIlwl93I0dvwhFuWclZmZupki7t7em12E06SitRi9BTDT4Q==&F4=5jfHZl
url: http://www.igensheets.com/d8h/
url: http://www.igensheets.com/d8h/?CZ=zqmrbz2APNYG5UWSEGf5jI58xAusWeMf/pOsnRHmq9084BhKlfjR/DNu4vOcfXkGQkQRvw==&F4=5jfHZl
url: http://www.pidoo.pet/d8h/
url: http://www.pidoo.pet/d8h/?CZ=zcL2OsP5dJ0pRZhy1VbtKvKvJGO/342DftNu0qyiAGEkclQPJgjNg2OTP9GV97K68Qm91Q==&F4=5jfHZl
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe
Created a process from a suspicious location
File executed: C:\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe
Commandline executed:
Network activity detected but not expressed in API logs
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header
Created network traffic indicative of malicious activity
signature: ET JA3 Hash - Possible Malware - Various Malspam/RigEK

Hosts

Direct | IP | Country Name
Y | 8.8.8.8 | United States
N | 72.55.191.197 | Canada
N | 54.85.86.211 | United States
N | 34.102.136.180 | United States
N | 3.131.184.38 | United States
N | 217.160.0.80 | Germany
N | 216.58.205.243 | United States
N | 198.58.118.167 | United States
N | 184.168.131.241 | United States
N | 162.241.253.15 | United States
N | 162.214.80.6 | United States
N | 160.153.136.3 | United States
N | 116.255.246.111 | China
Y | 1.1.1.1 | Australia

DNS

Name Response Post-Analysis Lookup
www.wesportscity.com [VT] A 3.131.184.38 [VT] 3.131.184.38 [VT]
www.freyafallen.com [VT]
www.matu-edu.com [VT] A 116.255.246.111 [VT] 116.255.246.111 [VT]
www.anaejoao2021.com [VT] A 54.85.86.211 [VT] 54.85.86.211 [VT]
www.winemakingkit.net [VT] A 72.55.191.197 [VT] 72.55.191.197 [VT]
www.nvschoolology.com [VT] A 198.58.118.167 [VT] 45.33.23.183 [VT]
www.bottrader.digital [VT] A 34.102.136.180 [VT] 34.102.136.180 [VT]
www.circuswiththestars.com [VT] 34.102.136.180 [VT]
www.couple.chat [VT] A 217.160.0.80 [VT] 217.160.0.80 [VT]
www.griffinmcshane.com [VT] A 216.58.205.243 [VT] 74.125.21.121 [VT]
www.maskupforschool.com [VT] A 184.168.131.241 [VT] 184.168.131.241 [VT]
www.albumofindia.online [VT] A 162.214.80.6 [VT] 162.214.80.6 [VT]
www.chaoscraftsonthesidellc.com [VT] A 160.153.136.3 [VT] 198.71.232.3 [VT]
www.igensheets.com [VT] A 162.241.253.15 [VT] 162.241.253.15 [VT]
www.pidoo.pet [VT] 34.102.136.180 [VT]

Summary

C:\Windows\System32\en-US\odbcint.dll.mui
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-localization-l1-2-1.DLL
C:\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe
C:\Windows\System32\ntdll.dll
C:\Windows\System32\en-US\odbcint.dll.mui
C:\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe
C:\Windows\System32\ntdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BidInterface\Loader
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\SOFTWARE\ODBC\ODBC.INI\ODBC
HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBC.INI\ODBC
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.TryEnterCriticalSection
kernel32.dll.SetCriticalSectionSpinCount
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.LCMapStringEx
kernel32.dll.AreFileApisANSI
"C:\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe"

PE Information

Image Base: 0x00400000
Entry Point: 0x0040271d
Reported Checksum: 0x0003096b
Actual Checksum: 0x0005b4e0
Minimum OS Version: 6.0
Compile Time: 2020-10-17 09:19:45
Import Hash: 7dbd7c8e32759da28014dd464db8fc16
Icon Exact Hash: da86b69773b3d1a0cab558dba35d1d3e
Icon Similarity Hash: c8294825238e779bae8cb9c502157251

Sections

Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy
.text | 0x00000400 | 0x00001000 | 0x0001b973 | 0x0001ba00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.65
.rdata | 0x0001be00 | 0x0001d000 | 0x0000773c | 0x00007800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.25
.data | 0x00023600 | 0x00025000 | 0x00004da4 | 0x00002a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.13
.rsrc | 0x00026000 | 0x0002a000 | 0x00004300 | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 2.31
.reloc | 0x0002a400 | 0x0002f000 | 0x000014d8 | 0x00001600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.46

Overlay

Offset 0x0002ba00
Size 0x00027e00

Resources

Name | Offset | Size | Language | Sub-language | Entropy | File type
RT_ICON | 0x0002a0c0 | 0x00004228 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.30 | None
RT_GROUP_ICON | 0x0002e2e8 | 0x00000014 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 1.92 | None

Imports

0x41d030 HeapSize
0x41d038 ReadFile
0x41d03c ReadConsoleW
0x41d040 PeekConsoleInputA
0x41d044 ReadConsoleInputW
0x41d04c SetConsoleMode
0x41d050 HeapReAlloc
0x41d054 GetProcessHeap
0x41d058 GetStringTypeW
0x41d05c SetStdHandle
0x41d06c WideCharToMultiByte
0x41d070 MultiByteToWideChar
0x41d074 GetCPInfo
0x41d078 GetOEMCP
0x41d07c GetACP
0x41d080 IsValidCodePage
0x41d084 FindNextFileW
0x41d088 WriteConsoleW
0x41d08c SetEndOfFile
0x41d094 VirtualProtect
0x41d098 CreateFileW
0x41d09c GetStdHandle
0x41d0a0 FindFirstFileExW
0x41d0a4 FindClose
0x41d0ac CreateProcessW
0x41d0b8 GetCurrentProcess
0x41d0bc TerminateProcess
0x41d0c8 GetCurrentProcessId
0x41d0cc GetCurrentThreadId
0x41d0d4 InitializeSListHead
0x41d0d8 IsDebuggerPresent
0x41d0dc GetStartupInfoW
0x41d0e0 GetModuleHandleW
0x41d0e4 RtlUnwind
0x41d0e8 GetLastError
0x41d0ec SetLastError
0x41d100 TlsAlloc
0x41d104 TlsGetValue
0x41d108 TlsSetValue
0x41d10c TlsFree
0x41d110 FreeLibrary
0x41d114 GetProcAddress
0x41d118 LoadLibraryExW
0x41d11c RaiseException
0x41d120 ExitProcess
0x41d124 GetModuleHandleExW
0x41d128 WriteFile
0x41d12c GetModuleFileNameW
0x41d130 GetCommandLineA
0x41d134 GetCommandLineW
0x41d138 GetConsoleCP
0x41d13c HeapAlloc
0x41d140 HeapFree
0x41d144 CompareStringW
0x41d148 LCMapStringW
0x41d14c GetFileType
0x41d150 CloseHandle
0x41d154 FlushFileBuffers
0x41d158 GetConsoleMode
0x41d15c GetFileSizeEx
0x41d160 SetFilePointerEx
0x41d164 WaitForSingleObject
0x41d168 GetExitCodeProcess
0x41d16c DecodePointer
0x41d000 CreateEllipticRgn
0x41d004 EnumEnhMetaFile
0x41d008 GetTextCharsetInfo
0x41d00c GetBoundsRect
0x41d010 StrokePath
0x41d1d8 TracePrintfExW
0x41d1e0 LogErrorA
0x41d1e4 TraceGetConsoleW
0x41d1a4 PathCompactPathExA
0x41d1b8 SHRegDeleteUSValueA
0x41d1bc PathIsPrefixA
0x41d174 None
0x41d178 None
0x41d17c None
0x41d198 ExtractIconW
0x41d19c ShellHookProc
0x41d01c ImmRegisterWordW
0x41d024 ImmUnlockIMC
0x41d028 ImmIsIME
0x41d184 None
0x41d188 None
0x41d18c None
0x41d190 None

!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.rsrc
@.reloc
KuVhD
Hu+hD
32.df
t4.df
SVWh(
u"hh|B
Y__^[
5ineI
5Genu
URPQQh
BVj(j
SVWUj
;t$,v-
UQPXY]Y[
j,hx6B
~1WPQ
F4_^[]
F4_^[
A1<Fu
<ItC<Lt3<Tt#<h
A<lt'<tt
SWj P
F1<at
F1<gt
C;^8u
W8^&u>
W8^&u>
pwJt8
<ItM<Lt:<Tt'<h
?<lt <tt
VVVVV
35X}B
< t3<
PPPPP
SSSSj
zSSSSj
j8hX8B
PPPPP
;5<}B
D:( t
<at1<rt!<wt
<=upG8
_^tWh
Wj0XPV
SPSVQ
SPjdVQ
-jd_;
PPPPP
PPPPP
SSSSS
PPPPP
PPPPP
SWj\V
PPPPP
u"j\V
t.j/V
tSj/V
PPPPP
PPPPPWS
PP9E u<PPVWP
SSSSj
SSSSS
WWWWW
t4h]"A
SSVWh
*t`=+
f9:t!V
WSVPP
SWj=V
SSSSS
PPPPP
Y_[^]
9E WW
t1RWV
tl=0wB
^f93u
(HtMf
(Ht5F
t~SSS
SSSSS
PPPPP
PPPPP
;=$yB
RQWPV
XVVV3
;5 yB
;5,yB
VVVVV
u kE$<
PPPPP
:uLFV
PPPPP
SSSSS
PRPQh
PPPPP
Systj
emRof
uG9]$t
PPPPPPPP
@h &B
>@s5f
loading...
All lives completed
Better Luck Next Time!!!
Press any key to quit the game
Welcome to the mini Snake game.(press any key to continue)
Game instructions:
-> Use arrow keys to move the snake.
-> You will be provided foods at the several coordinates of the screen which you have to eat. Everytime you eat a food the length of the snake will be increased by 1 element and thus the score.
-> Here you are provided with three lives. Your life will decrease as you hit the wall or snake's body.
-> YOu can pause the game in its middle by pressing any key. To continue the paused game press any other key once again
-> If you want to exit press esc.
Press any key to play game...
record.txt
Enter your name
Player Name :%s
Played Date:%s
Score:%d
wanna see past records press 'y'
SCORE : %d
Life : %d
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__swift_1
__swift_2
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
operator<=>
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
`anonymous namespace'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
( 8PX
700WP
`h````
xpxxxx
(null)
[aOni*{
eLK(w
~ $s%r
@b;zO]
iu+-,
obwQ4
v2!L.2
^<V7w
INITY
inity
SNAN)
snan)
IND)ind)m
CorExitProcess
COMSPEC
cmd.exe
AreFileApisANSI
CompareStringEx
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
GetSystemTimePreciseAsFileTime
InitializeCriticalSectionEx
LCMapStringEx
LocaleNameToLCID
AppPolicyGetProcessTerminationMethod
UTF-8
UTF-16LEUNICODE
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
e+000
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
1#INF
1#QNAN
1#SNAN
1#IND
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
log10
log10
?5Wg4p
BC .=
%S#[k
"B <1=
#.X'=
atan2
floor
ldexp
_cabs
_hypot
frexp
_logb
_nextafter
.text$mn
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.rsrc$01
.rsrc$02
GetStdHandle
VirtualProtect
SetConsoleCursorPosition
KERNEL32.dll
GetBoundsRect
StrokePath
GetTextCharsetInfo
EnumEnhMetaFile
CreateEllipticRgn
GDI32.dll
RouterLogEventStringA
TracePrintfExW
TraceGetConsoleW
LogErrorA
rtutils.dll
PathCompactPathExA
PathRemoveBackslashA
SHRegDeleteEmptyUSKeyA
PathIsUNCServerShareA
PathIsPrefixA
SHRegDeleteUSValueA
SHIsLowMemoryMachine
SHLWAPI.dll
MAPI32.dll
ExtractIconW
ShellHookProc
SHELL32.dll
SetStandardColorSpaceProfileW
CreateProfileFromLogColorSpaceA
DisassociateColorProfileFromDeviceA
EnumColorProfilesA
mscms.dll
ImmIsIME
ImmUnlockIMC
ImmGetRegisterWordStyleW
ImmRegisterWordW
ImmGetCandidateListW
IMM32.dll
ODBC32.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwind
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
RaiseException
ExitProcess
GetModuleHandleExW
WriteFile
GetModuleFileNameW
GetCommandLineA
GetCommandLineW
GetConsoleCP
HeapAlloc
HeapFree
CompareStringW
LCMapStringW
GetFileType
CloseHandle
FlushFileBuffers
GetConsoleMode
GetFileSizeEx
SetFilePointerEx
WaitForSingleObject
GetExitCodeProcess
CreateProcessW
GetFileAttributesExW
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
MultiByteToWideChar
WideCharToMultiByte
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetStringTypeW
GetProcessHeap
CreateFileW
SetConsoleMode
GetNumberOfConsoleInputEvents
ReadConsoleInputW
PeekConsoleInputA
ReadConsoleW
ReadFile
GetTimeZoneInformation
HeapSize
HeapReAlloc
WriteConsoleW
SetEndOfFile
DecodePointer
;;"x=
Uj/pf_
&1g(D
)ae!V
>XU~Sg
%YaQ)
9DA(c
WR]0hO
Rn+b[
zNi|4q
_XG&S
.T)9w
r\J9-
`sy_-MO%
^?cg"
E)I=L$
NX2r~
H0IWe
+*{Q*
OAUnz
\^gqhFIm
|[sJ?P
1 VQA|
dE$)`
uEHPt
-~)&{r7
HA6r}
MS=GNcH:
IrDKs
'#U6'
*G3~c
8bAm%?
(*(\U
6a?>}
BzYw~
Y8yzMN
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0$0)0s0|0
1-171<1F1O1X1
242;2B2b2l2q2{2
3S3{3
3%4.454;4C4l4y4
5$515D5M5X5v5
6(62686>6C6Q6X6a6k6t6
7%7.747A7H7N7U7_7
8%838:8A8G8Q8q8
9!9(9.949>9\9b9s9x9~9
:%:8:P:c:
;,;5;?;I;S;a;k;
=$=3===G=Q=
>!>s>y>
?-?2?8?D?I?
70D0I0Z0d0r0
131F1W1f1z1
2$2*20262<2B2H2N2T2Z2`2f2l2r2x2~2
3$3*31383?3F3M3T3[3c3k3s3
4#4)4/464=4D4K4R4Y4`4h4p4x4
6U6|7
8'8-83898?8E8K8`8u8|8
9;9M9
:$:o:x:~:\;|;
;I<R<W<j<~<
>(>1>F>O>~>
010>0`0
2U3a3~4
505>5D5_5
6-6M6[6b6h6
8'8P8c8
9!9&9A9K9W9\9a9
:':E:S:
<8<?<D<H<L<P<
2 2v2
2%5?5N5\5h5t5
<9<Z<
<P=U=\=
?,?U?
9\9d9
;!;U;
?&?]?d?
2`4h4
;D;K;[>
0E0L0
9 9$9(9,9-<c=
>&>>>C>O>T>h>/?6?H?\?d?n?w?
0]0r0
6"6)616I6W6_6w6
6c7l7
<(<3<@<N<
<-=Q=
>">(>0>I>N>W>
?(?U?^?f?
333>3F3Q3W3b3h3v3
3P4m4
7;7N7U7t7{7
8(858=8Z8
8T:_:
1(292D2t2
3'3m3s3
4 4E4a4o4{4
5F5^5n5
6.6>6C6H6c6m6}6
7#727=7B7G7b7q7|7
888O8T8_8
:#:_:
:Y;i;
;,<B<
?"?(?C?J?S?
0"0s0
253t3
7"8?8^8-9
9':1:
:6<h<
1S2b2
3&3;3W3
3y4V5]5
:L:|:
:,;B;
=B=W=i=v=
>H>O>p>
?#?4?I?S?v?
k4-7l7s7~7
1T3z4o5?6l6
8!8,8>8I8[8f8
9^:5=
:-:P:
=#>/>A>
?&?S?}?
4%434>4
5\6b6p6
81888O8e8
8"959?9X9
:%:`:g:
:6;H;Z;l;~;
</<A<S<e<w<
0=1v1
3F3d3
4j4q4x4
5(616I6u6
<"<2<8<D<\<b<x<~<
=5=;=G=e=k=
???_?
F0P0z0
3'3J3
6J6]6
6A7Y7
98:O:x:
;W;s;
4F5b5
686j6
5U5\5\8
252a2
5*575>5G5P5`5q5{5
6*737q7z7
8#8(8.8
8r:}:
;^<h<~<
3|465
5(6U6
:3;9;
3"3j3
4%4.4F4
7i7q7y7
818=8I8i8
9*9=:n:
;#;p;
;<<n<
>k>l?|?
0(0.070q0
1\1e1n1w1
3#4B4s4
727H7P7
3a4r4
2 2$2(2,2
6 6([email protected]`6h6p6x6
7 7([email protected]`7h7p7x7
8 8([email protected]`8h8p8x8
>$>,>0>4>8><>
3 3$3(3,30343
: :$:(:,:0:4:8:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
h4l4p4t4
5$5,545<5D5L5T5\5d5l5t5|5
6$6,646<6D6L6T6\6d6l6t6|6
7$7,747<7D7L7T7\7d7l7t7|7
8$8,848<8D8L8T8\8d8l8t8|8
9$9,949<9D9L9T9\9d9l9t9|9
:$:,:4:<:D:L:T:\:d:l:t:|:
;$;,;4;<;D;L;T;\;d;l;t;|;
6 6([email protected]`6h6p6x6
7 7([email protected]`7h7p7x7
8 8([email protected]`8h8p8x8
9 9([email protected]`9h9p9x9
: :(:0:8:@:H:P:X:`:h:p:x:
; ;(;0;8;@;H;P;X;`;h;p;x;
< <(<0<8<@<H<P<X<`<h<p<x<
1$1,141<1D1L1T1\1d1l1t1|1
6,606P6p6
707P7l7p7
808P8p8
909P9p9
:0:P:p:
;0;P;p;
2074787<[email protected]`7d7h7l7p7t7x7|7
e31bo
40b6d80e31b7be46c7a90f06ff3cf9
040l)
FZQ^Z_
cf90040Z
a90f06ff3cf900402sd8|d21
n)46c7a90f
6dg8bl90\60b6d80e31B
ce4&c7a
2f06&f3sf90240g6e80e31g7ce46c7a
2f04ff3cf920t
b6t80u31b7re4&c7a90f 6ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff
AD0406\f80u31b[`e4&c7a90f06ff3cf9
04Pb6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be4
6c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf900407
WekWw<
12Uo<
id\cf
wm7;fk
0e31`
3?24i
'?24b
cj5a5
80e33
>?6ia5
}Bd2oc
u:1ba5
`80ebYb
7A906g
a71bg
\7c_a80f
4<0bd
Xd3[n
4o067
6jjfg
-0140
x7jf9
l7beok
o<Ui>
ff3P2
0b6WL
0b6Wd
f3cUe
t<4a`6
_ eD3|E
w>Cf"|C
g900^1
nf3c8
e6d8n
0%,1m
1ffdP
+c5iV
m0b]f
Vk9nlM>p
=ff`2
vo806a
g=Cl^oSdL4
2hF;ZkRfA2
?QZ4E
A46c7
1kE0^:2b
1$uZl
;403d
;e3g2
:)zql
b7ce46
@0eY14
46ffh
=0f0m
e90fk
}j\|i
3a90=
06c7:
y>3`0
e8bg0
(<`4f
bj3cd
|8W0P
0fa\a$a01
1b7be4m<i
cCuR$
7Cj]u
bL!Z
5Du]v
80f0h
lf351
$ob7R
X`26f6
040bP
<t~"U
G9g9`
0f`\F
j0b]b
sj90fD/
ql90e3
ChbfSX
180Z5Zl
wa904V
[(`5b
5Z4\0R6dP0!,1
3'y9Z0b
&m3ci
|d315
=d8a7c
f80f0
d46ci
og1b\d
'1bg1
Zwf3l
X!b6d80e
_rf93
wl>gm
6ffFl
40c6d8
b7be46
i11bd
q<>6d8
<\c]e
75g9Z8^5
2d80>
2b6dc
fe468
a9ZxZ6
J<d8`3
:f0g0
c6d8n8
~df35
1c7bj
73g9Z
v01Y\
ndd8XM
M&Zvg
71bd5
6ffUZy6
fbe\Y!
Dv10c
q06ce
C:b7ce460
%:f0e
H;e3B
A46c7
X100b
b7a9n
11baQ
9ZfZ6
b7a9n;
y71bd
+50b`W
Xc11be
64ffb
Ck]aS4
j$90i
6c6a908o
h6dof
e^%4a
90Z4Zja2
2cf9km
g90cbgQ
0e21b7
c7c90fZ2
-6dR0
2~g0\n
m1b\d
Ol90gb
d8ZeY$5a
=0f0m
k``\<b6lh`5c
Ct`2o
440bm
4d80>
w14Zb\f
r1eY1
Bvg0\f
ybfS0
]3E}g
e;f05
90040b
Ie9DD
v440b6
7aM 1f
m90g\
M-Z4Zb`
g06f8n
31bd42^
%\c]ajg
@Z4Zbe3
0\f5d
4\cf6
4=e3c
4;c76
i461]vn
<b66o5
1.na`
?6ch?
m11bd
==f09
3cfogX22b64
y71ba
7l90fg9
490b6k
i46c8
n>cf9?
<h31b8
204cQ
>2e3a
Qrd32
==04b
^e5a9V
0'2ce
:f3c5_
f9Z0^%
g3cfg
lnC7,6
46b7a9o
kg1ga11d01
\i6dfk:
ka7)4
0e3Ekf
b^gb3c
e2jc5ce5
tJ'X3%b7
l!0b6
9!6c7
v9m8;
:c7dL<6
Vq80eG=5
[f'cfJ-
"0\cf3i
<6fcFl1
!e3F/e32
p46cCmi
M5cBE
:df300
X71b6
g0^eg3c
+bf90
$.f80e
v~36ff
v}71b7
%~<004
f06 !
#+mb7b
k7a80f0
$}86c7
I41ba"
LOl\D
t<ksd
nA$Ng
Aw"'m<J
"AlDwe%:x
56c7?
f 6fi
;g90f
56cd6
t<gga
l<1be
<1e3W
14Zbe3
gl903
d3[qa
~=6ffG
<40bB
y>1b7
C:a90
B>cf9D}
f<d80
!=f0a
x50ed
@50elo?
OL9EM
NHfGF
NT8D|
bf90m
df300nX
7c7afn=
.402\d
4\`f7
xgg0j
f#cfQ0050
6e31b
'i46b7
3a3]g2
m<7ea5
rmS4c06gf[cv90`^05
b80e3
/ie`1`
`9004
80f0h;
0df34
1040<
90e3o
?,f06
7cf90
c6d8n8
s9b7be
Gzgq<
t8b6d8
!bJ&gd
4a07c
c80e3n
1be46=j
m11bd
31ba5V
^e5a9`
iH6a:
1C4ew
V3sf9n
9ZfX'gf34
A-2\lR1
df300n
!,0e31
60b\dP
`6dig
r0cfj
f5B4d8`2
2z7be
d0671
3z6d8
3b7xe46
2+g0f
x6af3o
=`g5]V
g312f
,0f`\f
!g7f`4^A5a9
E11bg
F`f300
b2cfi
YZ3be
c7b\j*
`Z.a4
gvZ041
'>gk;
|jd42
y2f0\b
3Sf9`Z4a
v 4af
7a90i
}0Z*TM"]o
cBn]h
lV3Bc
c804ea
7f0g06
Z*TM"]o
cBn]h
lV3Bc
c804ea
7f0g06
Z*TM"]o
cBn]h
lV3Bc
c804ea
11b7I+0
rce4a
t87g`
b2cfk
LafL+
m11bd42
1c906
d:0e`
Kg3c5
bd:b6d
0G80V
c7aQ0v060
g9X0$0b`
~d4^c'a9f
N<d8g3
9R7aS0
8Zpdg
i6dM*2e
if90D
Zb\rof
>be4BlQ
>,003Ef
t,b77
>%6fa3cf
11ba5
E<eGu
d\C]ahg
ce46=
!11baQ
I<bBX
)PPJ5
d7a9D-
2gf300Q3140
hg9`Z4
y11bd4V
^e5a9`
t0#0P
1]iSC
90e3j
wN`\n
jSlZPf
bZ<Z>\
2\mRl
7d80>n
11bd4
%:f0`
67ffr
A46c7n
qt^1c<
7d80>
M21bd5
[8$CgQ
440b`
%ced`4
2cf9noo
ref300
b2cfi
1b6dc
,<c7?bm
\93f09
f36fi
emefQ
e71ba
&jE7T)
zgf300
%kbe46<i:
1f06g
0o<m9
'?=;tm
>df351
0040m
Y81e3M
"X1e31
6be4h>
JPbC5
3D)d5
6a90Om&
p?Bi8n~E5
g3cfgm
26Ju|
'ud`4
62KvyyE
26bu|
fe8 %zD
'ud`4
`d3!*~
62cvyyE
[5c7b7
Q4g066
e$6cg
.df3P
Q62402
7bf9b
n21e[5c7b
v!3e2
e=1b_
53b73
X0df31
e4^g6a9
71bd42
1c906
_dg461
01bd42\5b7a
_dg462
:_^1k<
L<g^0
4p:f3c
d0e3f4Q
ts52U
10f0P
>c7a_
a6d8V
41bd4V
90X22b6
Z%`[c
90v0^fF3c
"5beg
46c71
M}5DB
5*;fk
41bf2
n80:m
c7beo
:6E>ZV
I82\|
]ahb6fa
ef300
7e3Dka
*i7aif
M,5El^
~k5S4
2\~if
+Z9)?
0a9DX
?0e`b1
f=1`24f`
n805e
36cCqS
e>41e
`05iaf
>0bd2
h90fE<
g3cfg
P6g312
ce46=
*af351
[ed90b
:nf35U
50b6:
bf35U
e<eb2
7`906
i51bd42
2d0gU
aYb5be
F7be4
N=beff
e805p
hXf26f
b^11f2
};20fg4
0c6dK'5
6a90=
911ba
}004V
90f8\g
9Z0ff
6be4h
e71baQ
c]`M$
d0e3W
80fc\g
90fX)dd3
P/g11
Y}5`e
y<3\d
tP/g11
35bZ4
;<a90
&bf351
X:4b64
@e465Q
6bf35U
0e3[l
50b6:
d0e3W
gS;gb
Xz13b
khf93
80f0h
:402`
56c7?
<\c]inf
NffYc
J=bek
b7a9n;
u11baQ
\0a7ai
80e3W
7f0d0
?a9a0
b462e7
_bE465
bdf35U
X660bf
<b64R0
n6dR0
ne46l
bf9cZ8
Lzc73
?cfiZ0^00a
Ie3[_a
of9Z0^02a
Ie3[\a
fS0ac
Od8Z$e
fYc4n
0\f6d
N9bC|
(80d31bl=;
3a906V
84e3>
50b6:^
c6d8n
X06e#;
d31bi
m`g5s
qja5V
c7f90f
006Z``
\e43c7a
P.6di
X06cf3c
b6a80e
bf90ni
;a9Zw
<f0\f
\7b5ce
X0698h>
d8Z%d
bece5
104g1`
>7ffYg
<\4c6d
X-313d
Xx40Q
n7k9V
Xxe3a
j905A
q"3e7h
a11bBq
$-`4fg
+cg90Ef
b31Yg~
Z804c[b
@_(/T
>df351
X22b64
kF900;
jKZZpf
t0e21b7
of9Z0^02a
Zb\dig
22\dR0
6be4h
m11ba
M>6cd1o
`;00e
J=be46c7
jc7aS0
70b71
9Zec`
<c72i
40b6d8k
h6djp3
Nl3cfL*Z4Zt
:e3a4
N:6f9m
m11ba5
004D+
P6g312
b7be46
B6d8DZeY
A90f06f
q900g
Q3c0n
>0050b6
lP0%314
b:6f8n
ee4`f7A901
0z90Z"c
d20eG![
E31c7bekh8j
m?,HOm7
}i`g5
2n8050
n9cf8~4
d6be4
CCf9n
50b6?e
b7a9k;
Kie46
Cf90D
<be56c7
<ffb5
Jh7a9D+
a3cfM9f
J<d80
)[b]t
i7akf
Ck]`k
f3c0S
X450b
iXi04f
00\4c6d
u \1b)dh
f3c&6
:df35U
X660bf
2cf9n
N=bBh5b
t~d42
90Ze[1b7j3
9Xy09f1`
ujf\f
;Zb\dR07c`1
k{]yj
9fg^0
40e;[b]b
>tf06
F6=iQ
1e319
\dR04
w^y`4
&df34U
X660bf
Fn\MR3
Z[8 B
x`6dj
0a31m
g900k
ff351Q8
l0-3W
Ncka_
[1r7b2
b:6ffG
4\cg2
n90cf
86ca6
7if9ag
6be4h
11baQ
d0e3a
F3cfiV
l40bg
21b7<
cf300
f0^Nd3c
%f464
g7kZi`b1d56b
/;b733
hvDz_
df9D#^T
30bB}
81b]P
djh<>
a11bd4
biQ0v06
v|c2d
;1bd5
0401a
3[9b7
Be47c7a
pB6dgnV
}j`\f
?a9Xf46f0
Z4Zce
fYc0h
7c7ab
31bd42
Qxf0f
[kf9fV
s^k7ahc
8Zdeb
ta55h
3[ba3
reeb3
7>5R0
cn6d24
ta56h
},t`3`
'mf\c]ao`
ujg3j`
g900o
W0Y4V
lb6d^
0&ffc0
}vg^bg3c
\y402\d
v-c`1
|6c`1
X*6di`
[+f9`
gf30U
1ZgZ8
!4Zecg
)4dfe
4[cg90
Xf6dhZd
a4614
[gf9X
E3o<m
)4dfe
`^fd3c0S1
!4c5d
1f06=
d46cl
B7bd46c
1e319
14~cQ
H4lbP
J:cCyS&0g
04f5
(\p0d
r6dng
^Nf32
g06f8
\:M"f
:%]anf
t(ceg
RG7]FCqg
M01bd42
u$dc4
a>6cf3
b300^0
0<c73
f<d8`
0<c71hg
E?Zj`
11bd42\5b7a
7aQ3g06
D86Z751
&f9Z0^%1a
104`5
B9004
c7bYK9
B2cfj
b7b\q
2e807
[gg90`
nS5Z(
E}Q[8
>df35U
X660bf
0?[be
nef300nX|60b
YS0Z4a5
fYc4n
}$`1g
41baQ
z0\0P
~0_3W
%7XeR
o6n8V
b9cfS6
0:b66
0b\fR0
cfS2Z4
16ffm
q71ba5V
nS0Z5f5
[4Cm]aS30g
Z5ZA`
NsfL&Z4Zw`3
Cgh?d
7ff3=;
31ba5
@b6d^
K0f0P
pcf9V
46ce6
0404a
56c7?
24c71
:004V
=4:bP
r6dM9
7e311a
Hd31m
3he4g
0<c71
b7a9k
f<d8`7
2i7ai
6a90=
g\0f6dnV
eZb\dR0
38f51b54
'>6R0
16ffh
q>1d2o`
b6$hf
ruS06f
e^65f
7bed`
04Zba2
rj6^6
40"f3n
9Zffa
c4aa4`
e:1ba5V
3cfS0Z5
0l06f
^b:0ea
'd3cU
| 6ca
CocfS}g
c[b]b4
$0bCuc
8b7ce46<i
f9cf8004o<
qYS24
Yj7b5c
re4Cul
o06gf3c9
1040<
b=be56c7>
1f068
&bf301
8EqY1
68cfM9
0h6d8DXl
E)0fE
o3cg900
f:6fg3cf
g0651
6ffb1
21b]b5
?d8b2
of3bf90o
1b6dc
e>6c6a909
7ff38
j90fD<
g3cfg
>2e3a
cfS4X4
8 e3[ba
6c]aS%
Lb0c5
2Y84e3Bu`
m0616
bf90n
v`f300
8cfM%`
`6`b1d
9104?
0e80V
e80eh
yw_a90
e2jXb
))Z0d
\0f6dj
>n80a31b
e30fZ0
`20eY1
4>0b\d;
9h7b2f
b3007
l20eY1
9ZfZ6
3he45
g=a9Zfgf
<:e3[b
1:f0d
7;b7a
8:405g
b9cfS0
b300^0
f0\d0
6df300n
f2cfk
`B`6b
1f06=
9r= 7
90e3j
ff300S
A({TZ0^01`
o]aS05f
GFf9X
p%\dR06e
6c_Sw
e^60a
Z4Zbe2
!0Z(c
bed\c]ajf
@qZb\dkf
r]aS05f
8Ze`g
O44DX
1f06=
hf30U
Xd4d8
0fX0df3
?7a9V
e4^z5c9
0b^d|/ee
84e3`!
b^fn3c
2\eka3
6be4m
B#cfi
d31bj
Mj\dR33d
KvfF{
9Z%bg
16ffm
b9cfS0
n9cfg
g=a9Zfbf
m>6ch?
_38bQ
C5ff`5
A46c7
f7cfh
<:b6`80e
2i7aS6
=:f0\f
a>6c4
fIbe7
f<d8Ze
3k906
?M6fe
4h6dR0
b3007
l20eY1
n300f
v%b7be
4h6dR0
11bd42^
i7be;
[b]b2b
)f0^'
9Z0cf
\c]anf
z7aQj
fYc1o
Z0^05`
ZfZ610
6c7XL
0b6]M
Kk_s<0f
2^d:0eb
`90fk
u 6ef
jZdY1
t<bda
31bd4V
F6ffc
]N0f3
k7aib
7c7ab
f<d8f2a
10409
Vjf351
6ga70
Gf900
224c
ocf9V
|64cd
5\6g7a
Yb3befq
4Y05e4
l20e71b7
;c=a_
Xbe^05
^c3a9a
Q04403
igaff
g06f8
I51bd4V
c66ce
>e461Q
[ffYb
D6c_x;2f
$X026f
S46ca
Gbe\/a5a
^55a9
ElloQ
80f0m
e4\g`
I6c]cn
{lR24
jMb6"
0<\ae
!Me3w
be46Xc
0040m
1f06=
5P<HO7
ugf)00
1f068;
&d3c6
~<eb1
1i=l<
1b6dcm
e06cf6
9Z0^02a
_f56cBq
0\f7d
90ZaY
72^d80dY!
:df351
^l:0ec
(7aQ4g060
5Yb7a
mg17fd2a
cfhcZ4Zb\dhf
m5gd1e0o
6be4m
5h7b4d
ld3kb7f
[f3kfO8
;5kZeY1
C5d8V\
/ae4e5
gf3c9
t440g
tj]f5
2gf351
^`90ec
]vk96
M<\f)
Zf!80
DotY;,D
DotY;,D
6#6k`
ef301Q3140
;jYM5
a56cf
.ma9V_&C"
S6|00A
z8e4PZ9n
3#90?
':d80e<
&;Z~(
I82g3
a4\dj
1040<
1d:jk
b0tj]f7d
ecfnm
d5=;i
5`#5g
riogZ3AJ
i0.jS1`e
cj6b1
~=0g3
u<eb2
y<0f5
7:4ib
&;0k`
d4$5Zd
Gi=yo
r0dn]`
x.af3
60k=h
a:u<^40f
e2:fn
7.ck`
1*70g
alh<8
.30?[f
a;koj
469h<
j0|n]f
67oo<
63oo<
73+<\b
e49:j
uibc2
}<4aa
7idg1
c1j=i
k;}iY52f
`ch<8
ujad6
6jiab
7:4ib
e4'i^21g
67oo<
let<Z0`3
0dl>g
239i:
D$eu&
i0.jS1`e
`?koj
a0&jS4bd
c2m<i
b3?gn
92=oh
Mq0|r
de|<Z5b2
258h?
8a(8\gg0
62k=h
a6m98
NFX7Gc
31ba
)(]c<j
;)\<
:(Oj%L
p[&-Y0X
B0)Z6
?vSBS
@NRApD
x(H';
+/AJD
Pee#n
v`}Kl
g900om
h[313d
<X90bg
F]f9bc
H]7anc
(w3=u
2R:V[
AV^|K
PZfZ660
c6d8n
i01bd42\5b7a
1`e4g
Br7ai
p00^1
Zub64
AS1Zx
p0eY0
{cfS1Ze
Y61bd42u
\;u5w
w97{C
AxHBAi
AUF_yX+f
WY,s>g4}qu<
;wE(A
UT?+tM
pI1~0Y
vll3[K
N.2oA!_54U
U3V1Y
(y~`]
H5&0m
TJDrm
`HKE7
(-&m3
M;1bd4
f80\m
]3c5
r7d8g
>Zecf
cY12`
fYc7n
4\ce6
\c]ak
5[bg5
7c7agm
}ce4^cBa9f
S0Z4c5
104Zbf3
0\f7d
ZfZ641
e^62`
m8^}1
fYc4n
1b6dL
%21bd42\
huf{4
0g^Dd3c
}i`g5
E21ba5
a06cf
2?d80
/\c]aS0
:ZfZ6
37c72S1
4\cd6
v|50b6
1a90f
0^$33|
f&,cM
3u8a2e3
0tne26c
`7d806d
6*beba
ak7beA
9ZfZ6
i2=oG9"
90f06
6:cfS1Z4Za\dR0
31b]c
M,4Dh
e30b7b
R+f0e0
6ff[/
20fZ645
~bf57
xaig7
-6d80e
9MD~#a
c6d8n8
^r7aL
X%0b\p7
~b6be4
'd8Eb[
NN0B&
7{t%'
B:6f9m8
Lj]c2
EjZ41
00401a
`e4a3
e2f0-ff3
Y204%b6d
[c90K06f
d90640b
se90f
ilo9j
n80fa
Ad461
nk0nX0
Fdf35
e#1bCa
&26fMv
>dx0e[1R7b5
$1Zf`
#-cfi
_q*0fad
00E31
w$`ca
'r9043
a90fD
B9004
"1?bf3c
t"rwL<
v%'rBm
$s'uM>
!st%Co
'%!sCh
!!w!Co
})!tF4
'u)El
!w!Co
)!tF#
E$cF6
`CvZt
tsU9c
r c6d8
;f0`6
;f0`6
;f0`6
;f0`6
;f0`6
;f0`6
o803c
;f0`6
o803c
;f0`6
;f0`6
o803c
o803c
o803c
6h803c
>h803c
5<f0`6
&h803c
-<f0`6
.h803c
*h803c
h803c
h803c
h803c
h803c
h803c
h803c
h803c
h803c
vh803c
rh803c
q<f0`6
zh803c
i<f0`6
nh803c
jh803c
Vh803c
Rh803c
^h803c
Zh803c
I<f0`6
M<f0`6
v=beb\U]ah
L:ffe3
'if9fZ
i314g
'if9fZ
i314g
'if9fZ
i314g
z=beb\%]ah
:ffe3
z=beb\$]ah
:ffe3
Ch900`
Hk6dn`
h900`
\k6dn`
Lk6dn`
h900`
dl314g
)4b5b
h?ffe3
u<7c`
l?ffe3
u<7c`
P?ffe3
+?16h
Tl314g
}<4aa
X?ffe3
`z5ge
rjNL.
#?X$!B
iZ0^04a
%5$<i:
pZtef
xZ#f5
+]Bog
*\Tng
7d80;n
qvVr2ZrqL+
t `^0
)050b
X6Vf3`
w$Z7c3`
v~gd6
~,Zae5n
Xb6d^
<a9ZfZ4
vrki8
50b\d
62Vw#
6a90=
M{fMt
M{fM+
zqS 7
i21ba5
6d80=
-4a9Q
6d80=
-4a9Q
1b7b%u
+[906
A?ZbU=El
d46cvZ
Eei:c
9 f0D
g900o
2*chfo
040bv%qx
11bd4V
1dub6
1040<k
0wM[4
3ra9Dno
'>2zb5
`74nf
(n6cQX8Ej
tj04V[>
^'2 46
(n6cQX8Ej
(n6cQX1Ej
m<7ba
t<af`
-<\cf1
u8^02
`81gc`
c6d8k
M<cZbg4
5\di`
Bh1Yc0
1f06;
Zb\dh
{v7Yc0
e80eml
UZgM;
kv0dP
`90fkk
7?<h98
\7Dbr
3dejk
dra5V
cG9"Q
46cd6
64ffc
46c7!_
gV9nm
0040"
isi=j
"!9m>
90e3j?
hBlyV
80e3Doi9V
}>74d
7ff3<;
9004Dy
E9!]N
c7beo
1040?
u>Z9GCZ
;^?B2_V
8004m
0<i?e
+Z:ok
#KdYnIa3A
g900i
m11ba
[`g90
bZxL6
a<p,B
g900j
2gf35
RG7!_
&'1hb
21bd4
E;1ba
4ff`4
J704`
:\>Dbs
>?!if5
g3cfbn
qhp, 8
bf90ni
t06`0g
2gf300Q3140
:]cOo4
a21bd4
^:@*_
Z_EgZxB
QH=^L
'^f)00B6Q
'm\6s7ai
'>3j`
f a3e
4h=;
e80em
;$B0U
ijm<i
E>16e
"XoeK
Bina0
pFk:m
&df35U
X660bg
36fDt
6be4h
d80ek
6ff3;
46c79
040bn
FQ405
q$kdy
YPO$&1
<m06Es
8'U>N
YHSuAC
h0_V]
xd9x^S1R
|xn<|
VGwZ
wTh>G
+[9>%_!^Tu0:;
;XH8k9
9YWPr
>pN;s
d8YpY|k
ou6%`w
PrU.jx~
4"m5^
myv13
g12=Q_a
Z$Au(
IP:36
903y;
7~a+[
RZ0I;
<,\*K
31b7:
c7a9h
_#d#g
~6sWl
#c'd&6
d80ek
6c7aa
3cf9h
W$YfN
d80ek
6c7aa
cf90h
0e31:
6c7aa
KY\CDfY%T
4Y6;?
cf90h
(W+#MK{7^40A?#
\YH++5
7Q_yXy)w
90g<5~
d}~F6
0WQ6/W
sRPTs
3+h2n
-'%L,
t,`*D{
a90fh
f3cfa
0e31:
90f0n
80e3i
6ff3;
1b7b=
cf90h
e46co
040bn
7a90>
6d80=
f06f>
b6d8h
6c7aa
0b6d`
46c79
cf90h
31b7:
f06f>
b6d8h
T^ie/
>|4DC
*[=lI
M0x(plB
mqw/`
0Uxme(
:G`w<
DzbJED
;W-\0m
,y_S$+
k"*#+
~HC&z4y
BA3~n
SCOi8
6d=q<
_X#pZ
vt+}C
jLpk<
><2p+
cWIc;
a:y"%
Q;dK(
uS>pp
=%wfD
EZ6:WU
]v<'"
25(<,
n4(kn
6F^jY
e`cBR-
\oHQl
sSklu
lXlIy
wND#%y
*((>wF
3.K[zd
w%8y=
PBbsW
G&\}Z
`j*60
EX,N~
;ULjo
pdqPc"Ab
]0*EV
UZ60i
sD{bO0
$B|tr
>m"N0
2~uS'
|]'Ur
j(^M9
p>3cd
IWL,`
;f&p=
g+H"`
HeO&i
'!TbH
=c^q|
zzx-w>
JM8M5C
LI7Rb3
`0`[i
Jc[f&
+<`K|
J' ^.
[X7p7
w=E\R
WeX7x
FE?g\
<`a,
A]:f3r
,7#*N
O%B9P
P!1L>
s'/q,>
HVzv~x
YvW."aQ
KP>lt
f1;6v
0)Zq$
m#TXT
`mTKO
#B-Y\
iA9wj
p1%R1
de-#/^
U?*Z5
q.9,xq
L+|S'mB
J%:X6
QMD6r
$5s30
\6TH[
9[*b6
naq8f
*#{0
6$rVC
ExLeJ.
\y)6)
\t#Uc
owK~S
7N]MKp
!T3d`Z
s,rz]l
#ff6zhTWn
1zsox
wMW-E
xkyMv
6|odhkm
[Yp3}
!>%[`
'O!nv
%<TgE
5:(|=e
cj/88
ZMk"X&
*-vXqV1
r#H?z
ca(>]
D>fu^
>'$"}D)-
B.\;p
cI>i?uOn
rA;V
~M;EHG
"!fB"
rBJB\
y4TL~
aIBEq
R$/lo
JF:S=
3Y`}{
XgUG$,
05th=
`_-Bm
)#^eS
LKO>o
zr"/W
`0B;H
~=55'
4Cb$l
oo+t^
q$7lB
<v,ok?
)"7D|UuK0
{$Q*4
UH6&'j
p8X!<
g00lC
/@:q5
$wB^lA
^2E'F
2D]l8
v*IJRiOl
"*Bo&
no:L-
kjCG.G
%r[WDi
WX%L-
db'-X?
,L_+]
@&ky3&
I_RHQ
;O6vR
{KNhIzn[
\.6(;:
Tu)P`
^&XYe
`PA75
06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf90040b6d80e31b7be46c7a90f06ff3cf9004
jjjjj
Aapi-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
(null)
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
_is_double
__crt_strtox::floating_point_value::as_float
!_is_double
mscoree.dll
;T^h<U_i=V`j>[email protected][eoC\fpD]gq
Aapi-ms-win-core-datetime-l1-1-1
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-synch-l1-2-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
kernel32
ntdll
api-ms-win-appmodel-runtime-l1-1-2
user32
api-ms-
ext-ms-
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
((((( H
Bja-JP
zh-CN
ko-KR
zh-TW
CONIN$
zh-CHS
ar-SA
bg-BG
ca-ES
cs-CZ
da-DK
de-DE
el-GR
fi-FI
fr-FR
he-IL
hu-HU
is-IS
it-IT
nl-NL
nb-NO
pl-PL
pt-BR
ro-RO
ru-RU
hr-HR
sk-SK
sq-AL
sv-SE
th-TH
tr-TR
ur-PK
id-ID
uk-UA
be-BY
sl-SI
et-EE
lv-LV
lt-LT
fa-IR
vi-VN
hy-AM
az-AZ-Latn
eu-ES
mk-MK
tn-ZA
xh-ZA
zu-ZA
af-ZA
ka-GE
fo-FO
hi-IN
mt-MT
se-NO
ms-MY
kk-KZ
ky-KG
sw-KE
uz-UZ-Latn
tt-RU
bn-IN
pa-IN
gu-IN
ta-IN
te-IN
kn-IN
ml-IN
mr-IN
sa-IN
mn-MN
cy-GB
gl-ES
kok-IN
syr-SY
div-MV
quz-BO
ns-ZA
mi-NZ
ar-IQ
de-CH
en-GB
es-MX
fr-BE
it-CH
nl-BE
nn-NO
pt-PT
sr-SP-Latn
sv-FI
az-AZ-Cyrl
se-SE
ms-BN
uz-UZ-Cyrl
quz-EC
ar-EG
zh-HK
de-AT
en-AU
es-ES
fr-CA
sr-SP-Cyrl
se-FI
quz-PE
ar-LY
zh-SG
de-LU
en-CA
es-GT
fr-CH
hr-BA
smj-NO
ar-DZ
zh-MO
de-LI
en-NZ
es-CR
fr-LU
bs-BA-Latn
smj-SE
ar-MA
en-IE
es-PA
fr-MC
sr-BA-Latn
sma-NO
ar-TN
en-ZA
es-DO
sr-BA-Cyrl
sma-SE
ar-OM
en-JM
es-VE
sms-FI
ar-YE
en-CB
es-CO
smn-FI
ar-SY
en-BZ
es-PE
ar-JO
en-TT
es-AR
ar-LB
en-ZW
es-EC
ar-KW
en-PH
es-CL
ar-AE
es-UY
ar-BH
es-PY
ar-QA
es-BO
es-SV
es-HN
es-NI
es-PR
zh-CHT
af-za
ar-ae
ar-bh
ar-dz
ar-eg
ar-iq
ar-jo
ar-kw
ar-lb
ar-ly
ar-ma
ar-om
ar-qa
ar-sa
ar-sy
ar-tn
ar-ye
az-az-cyrl
az-az-latn
be-by
bg-bg
bn-in
bs-ba-latn
ca-es
cs-cz
cy-gb
da-dk
de-at
de-ch
de-de
de-li
de-lu
div-mv
el-gr
en-au
en-bz
en-ca
en-cb
en-gb
en-ie
en-jm
en-nz
en-ph
en-tt
en-us
en-za
en-zw
es-ar
es-bo
es-cl
es-co
es-cr
es-do
es-ec
es-es
es-gt
es-hn
es-mx
es-ni
es-pa
es-pe
es-pr
es-py
es-sv
es-uy
es-ve
et-ee
eu-es
fa-ir
fi-fi
fo-fo
fr-be
fr-ca
fr-ch
fr-fr
fr-lu
fr-mc
gl-es
gu-in
he-il
hi-in
hr-ba
hr-hr
hu-hu
hy-am
id-id
is-is
it-ch
it-it
ja-jp
ka-ge
kk-kz
kn-in
kok-in
ko-kr
ky-kg
lt-lt
lv-lv
mi-nz
mk-mk
ml-in
mn-mn
mr-in
ms-bn
ms-my
mt-mt
nb-no
nl-be
nl-nl
nn-no
ns-za
pa-in
pl-pl
pt-br
pt-pt
quz-bo
quz-ec
quz-pe
ro-ro
ru-ru
sa-in
se-fi
se-no
se-se
sk-sk
sl-si
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sq-al
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
sv-fi
sv-se
sw-ke
syr-sy
ta-in
te-in
th-th
tn-za
tr-tr
tt-ru
uk-ua
ur-pk
uz-uz-cyrl
uz-uz-latn
vi-vn
xh-za
zh-chs
zh-cht
zh-cn
zh-hk
zh-mo
zh-sg
zh-tw
zu-za
CONOUT$
IDI_SMALL
No antivirus signatures available.
Sorry! No behavior.

Hosts

Direct IP Country Name

TCP

Source Source Port Destination Destination Port

UDP

Source Source Port Destination Destination Port

DNS

Name Response Post-Analysis Lookup

HTTP Requests

URI Data
Referer: http://www.couple.chat/d8h/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

CZ=8xX7zDQ7bGYxnLgOcq0ZNvUK7GP5~tuh~a0ZzHLPIeW5vFMVDrokof8oDtjTRnAm38ULufN_5KY3s_q-5TLaZMsIwcf3nk7KGEQtQLWzVbl0pcuSlbHhzEPNS6sdoJT9CwJ7bZWE1urGs4xAqS7r9VI.
http://www.couple.chat/d8h/?CZ=zzjBtj82D0lM/IFEFN5PdbZrvD3M2tuGi9VeoSz9B+GsqX4EGedb7pMBE/vISEc9tcNd7w==&F4=5jfHZl
GET /d8h/?CZ=zzjBtj82D0lM/IFEFN5PdbZrvD3M2tuGi9VeoSz9B+GsqX4EGedb7pMBE/vISEc9tcNd7w==&F4=5jfHZl HTTP/1.1
Host: www.couple.chat
Connection: close

http://www.griffinmcshane.com/d8h/
POST /d8h/ HTTP/1.1
Host: www.griffinmcshane.com
Connection: close
Content-Length: 156
Cache-Control: no-cache
Origin: http://www.griffinmcshane.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.griffinmcshane.com/d8h/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

CZ=pwY9j5jOe3Udr_QYNAE4N8wmCry2eFNiBvRTal3BF0XpJEaVPaUtKkv9rM8vS56ukekCNUtWIByFmPsZnMnSZ9uPkd8DNtfBpP4lrcSfwf8RRKi2OEGaz3brwsi-kkdOs7BrnLA6qIM4gzSqR7MJgUc.
http://www.griffinmcshane.com/d8h/?CZ=mysH9cXML1wr6NRiYHF9S8UuE4GcUml5Q7MHClWYVlHYAm7+JMRJI0agjNUgWKqhrNZRbQ==&F4=5jfHZl
GET /d8h/?CZ=mysH9cXML1wr6NRiYHF9S8UuE4GcUml5Q7MHClWYVlHYAm7+JMRJI0agjNUgWKqhrNZRbQ==&F4=5jfHZl HTTP/1.1
Host: www.griffinmcshane.com
Connection: close

http://www.maskupforschool.com/d8h/
POST /d8h/ HTTP/1.1
Host: www.maskupforschool.com
Connection: close
Content-Length: 156
Cache-Control: no-cache
Origin: http://www.maskupforschool.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.maskupforschool.com/d8h/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

CZ=U60UPD23rJ0fKKw4BiHYmyy9JO4LPlmLXcORuC616sNLmAczAqlGr-BXs1n4nGlPda~ECRqbYbSChvcfi14dwihxqodIE_0hmuYeEGa6xlnAIwCAeeY_mmVVZQpc46c3Op~tb1V1tK9bZLGbHzTT6Ok.
http://www.maskupforschool.com/d8h/?CZ=b4AuRmO/7JUbS6k+Qiq3knCjLs8pOUSKEo2G3RGwxeZ8hlUmNd0Cp9x7zXXV/1MTFJXwcw==&F4=5jfHZl
GET /d8h/?CZ=b4AuRmO/7JUbS6k+Qiq3knCjLs8pOUSKEo2G3RGwxeZ8hlUmNd0Cp9x7zXXV/1MTFJXwcw==&F4=5jfHZl HTTP/1.1
Host: www.maskupforschool.com
Connection: close

http://www.albumofindia.online/d8h/
POST /d8h/ HTTP/1.1
Host: www.albumofindia.online
Connection: close
Content-Length: 156
Cache-Control: no-cache
Origin: http://www.albumofindia.online
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.albumofindia.online/d8h/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

CZ=hZqBeDANUO8wfP7izU1vrz3qIqdWMy(s8fK5u6ANSjMmIfm93X7FPhfnDa1KW80foVGDetH4r7pCrHHZ7r1Rlrq1Xyy1T-ILctJUqMveSau-n7xQaiaqwh82qRBaB0oR7LR-mp1GLZqjLsM3(zuj67M.
http://www.albumofindia.online/d8h/?CZ=ube7AmU+EvAnH+Xlrh0U30zwPZ9MNWHW5q3SgJsfZjcQPenx3wyCbXPTDbZJSuwiq2aJFQ==&F4=5jfHZl
GET /d8h/?CZ=ube7AmU+EvAnH+Xlrh0U30zwPZ9MNWHW5q3SgJsfZjcQPenx3wyCbXPTDbZJSuwiq2aJFQ==&F4=5jfHZl HTTP/1.1
Host: www.albumofindia.online
Connection: close

http://www.chaoscraftsonthesidellc.com/d8h/
POST /d8h/ HTTP/1.1
Host: www.chaoscraftsonthesidellc.com
Connection: close
Content-Length: 156
Cache-Control: no-cache
Origin: http://www.chaoscraftsonthesidellc.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.chaoscraftsonthesidellc.com/d8h/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

CZ=aiadIjpt~clWovOLCIbrfuPRNW0Z63sgBLlgcNuCtriVj5RKzquc81m286KTvQWxJg7an8BpnYg2kxAkYkcOPuHFn5FOLw4brE6Tz7Bi44g0sSlQCMP2k58zZeYM15QTvdhG5nOBtn7fpqZKnJYWVoU.
http://www.chaoscraftsonthesidellc.com/d8h/?CZ=VgunWFR9q8pb4tGPCv38d+jgIlwl93I0dvwhFuWclZmZupki7t7em12E06SitRi9BTDT4Q==&F4=5jfHZl
GET /d8h/?CZ=VgunWFR9q8pb4tGPCv38d+jgIlwl93I0dvwhFuWclZmZupki7t7em12E06SitRi9BTDT4Q==&F4=5jfHZl HTTP/1.1
Host: www.chaoscraftsonthesidellc.com
Connection: close

http://www.igensheets.com/d8h/
POST /d8h/ HTTP/1.1
Host: www.igensheets.com
Connection: close
Content-Length: 156
Cache-Control: no-cache
Origin: http://www.igensheets.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.igensheets.com/d8h/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

CZ=8oSRFTagXNkIlTPkQGCa1YRG2AyacMMAqMDNuhLVmvMT5BEZ3IuzpR9Cysm0SHZad1QV88WToebv1GGHpsZ658qR8MarEuXuSJ51P3BB6kOctIgZmAd9easuc-D8T1Bkak8RNTXl(GR7Z3pcEizFbM8.
http://www.igensheets.com/d8h/?CZ=zqmrbz2APNYG5UWSEGf5jI58xAusWeMf/pOsnRHmq9084BhKlfjR/DNu4vOcfXkGQkQRvw==&F4=5jfHZl
GET /d8h/?CZ=zqmrbz2APNYG5UWSEGf5jI58xAusWeMf/pOsnRHmq9084BhKlfjR/DNu4vOcfXkGQkQRvw==&F4=5jfHZl HTTP/1.1
Host: www.igensheets.com
Connection: close

http://www.pidoo.pet/d8h/
POST /d8h/ HTTP/1.1
Host: www.pidoo.pet
Connection: close
Content-Length: 156
Cache-Control: no-cache
Origin: http://www.pidoo.pet
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.pidoo.pet/d8h/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

CZ=8e(MQMjTdI0KKJp6rV2kVKuKF06856mIGdI0s5GXWl42VldYCH~q3F7JJe~Nx4u56jPNnsAzSDCreVZLOePFKwvVRSuTHTgMouf8GZca4prNn1iyYPxqMgs4YDtRWWlN0k3XLXuk~fkRJdQzOp6MV9Y.
http://www.pidoo.pet/d8h/?CZ=zcL2OsP5dJ0pRZhy1VbtKvKvJGO/342DftNu0qyiAGEkclQPJgjNg2OTP9GV97K68Qm91Q==&F4=5jfHZl
GET /d8h/?CZ=zcL2OsP5dJ0pRZhy1VbtKvKvJGO/342DftNu0qyiAGEkclQPJgjNg2OTP9GV97K68Qm91Q==&F4=5jfHZl HTTP/1.1
Host: www.pidoo.pet
Connection: close

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.1.5 1.1.1.1 3
192.168.1.5 1.1.1.1 3
192.168.1.5 1.1.1.1 3
192.168.1.5 1.1.1.1 3
192.168.1.5 1.1.1.1 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3
192.168.1.5 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

Timestamp Source IP Source Port Destination IP Destination Port Protocol GID SID REV Signature Category Severity
2020-10-18 06:42:37.109 192.168.1.5 [VT] 49179 13.107.42.23 [VT] 443 TCP 1 2028397 2 ET JA3 Hash - Possible Malware - Various Malspam/RigEK Unknown Traffic 3

Suricata TLS

Timestamp Source IP Source Port Destination IP Destination Port Subject Issuer Fingerprint Version
2020-10-18 06:42:37.321 192.168.1.5 [VT] 49179 13.107.42.23 [VT] 443 CN=edge.skype.com 5c:3b:53:ee:b8:65:a3:2a:66:d4:04:36:67:98:af:88:8d:96:5d:74 TLS 1.2

Suricata HTTP

Timestamp Source IP Source Port Destination IP Destination Port Method Status Hostname URI Content Type User Agent Referrer Length
2020-10-18 06:42:26.497 192.168.1.5 [VT] 49216 72.55.191.197 [VT] 80 None www.winemakingkit.net [VT] /d8h/?CZ=n0pc3cc6+0YkqSdGzLl7lNQKfOxVym8vHjGAPluz8akYvGl+n6gqY40t1sna0O++Cmsdmg==&F4=5jfHZl None None None 0
2020-10-18 06:43:16.778 192.168.1.5 [VT] 49182 3.131.184.38 [VT] 80 None www.wesportscity.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.wesportscity.com/d8h/ 0
2020-10-18 06:43:17.783 192.168.1.5 [VT] 49183 3.131.184.38 [VT] 80 None www.wesportscity.com [VT] /d8h/?CZ=RNqt58oOHd5whgsyY//zCocy/IAQsQ+MvXWW5F1sEvHFYvdOdh2k9zEoYfo2HQfR+MAsuw==&F4=5jfHZl None None None 0
2020-10-18 06:43:41.681 192.168.1.5 [VT] 49184 116.255.246.111 [VT] 80 None www.matu-edu.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.matu-edu.com/d8h/ 0
2020-10-18 06:43:42.691 192.168.1.5 [VT] 49185 116.255.246.111 [VT] 80 None www.matu-edu.com [VT] /d8h/?CZ=ulW4hg8SaoSBMicQPLeLzGLAYISMMUrPq5TiGuQvBZj25AUzjLF0HiLMwqY5/y8pnWBQwA==&F4=5jfHZl None None None 0
2020-10-18 06:43:48.503 192.168.1.5 [VT] 49186 54.85.86.211 [VT] 80 None www.anaejoao2021.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.anaejoao2021.com/d8h/ 0
2020-10-18 06:43:49.517 192.168.1.5 [VT] 49187 54.85.86.211 [VT] 80 None www.anaejoao2021.com [VT] /d8h/?CZ=+QMxmTeVf6/neLoGOkNsNs+LKlSXE0MxkEjUxGYXWHXlvifn05TjUCnrln+mEdCmifiDWQ==&F4=5jfHZl None None None 0
2020-10-18 06:43:55.580 192.168.1.5 [VT] 49188 72.55.191.197 [VT] 80 None www.winemakingkit.net [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.winemakingkit.net/d8h/ 0
2020-10-18 06:43:56.595 192.168.1.5 [VT] 49189 72.55.191.197 [VT] 80 None www.winemakingkit.net [VT] /d8h/?CZ=n0pc3cc6+0YkqSdGzLl7lNQKfOxVym8vHjGAPluz8akYvGl+n6gqY40t1sna0O++Cmsdmg==&F4=5jfHZl None None None 0
2020-10-18 06:44:03.966 192.168.1.5 [VT] 49190 198.58.118.167 [VT] 80 None www.nvschoolology.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.nvschoolology.com/d8h/ 0
2020-10-18 06:44:04.970 192.168.1.5 [VT] 49191 198.58.118.167 [VT] 80 None www.nvschoolology.com [VT] /d8h/?CZ=XczcMB0aajN3I/quEKBTt7tD1KlbLTvwFAYdJ5YNCiKZfupTYXN/NChr6+O1rfV/MbkJeg==&F4=5jfHZl None None None 0
2020-10-18 06:44:12.210 192.168.1.5 [VT] 49192 34.102.136.180 [VT] 80 None www.bottrader.digital [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.bottrader.digital/d8h/ 0
2020-10-18 06:44:13.220 192.168.1.5 [VT] 49193 34.102.136.180 [VT] 80 None www.bottrader.digital [VT] /d8h/?CZ=0JNaWD+pZ3KDLBE5iz+TKeKuqytbEj/rGfjbjeIfajn9ucyGpdURLSXmWNJLTYpCRIqlvg==&F4=5jfHZl None None None 0
2020-10-18 06:44:19.098 192.168.1.5 [VT] 49194 34.102.136.180 [VT] 80 None www.circuswiththestars.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.circuswiththestars.com/d8h/ 0
2020-10-18 06:44:20.110 192.168.1.5 [VT] 49195 34.102.136.180 [VT] 80 None www.circuswiththestars.com [VT] /d8h/?CZ=72ryGVi52SYw3Z05dszLppNw4lfJ3Q6AR/BR0ugDEYU2pawrN2MNGhIyMSqEezpT4yh7iA==&F4=5jfHZl None None None 0
2020-10-18 06:44:26.293 192.168.1.5 [VT] 49196 217.160.0.80 [VT] 80 None www.couple.chat [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.couple.chat/d8h/ 0
2020-10-18 06:44:27.298 192.168.1.5 [VT] 49197 217.160.0.80 [VT] 80 None www.couple.chat [VT] /d8h/?CZ=zzjBtj82D0lM/IFEFN5PdbZrvD3M2tuGi9VeoSz9B+GsqX4EGedb7pMBE/vISEc9tcNd7w==&F4=5jfHZl None None None 0
2020-10-18 06:44:38.407 192.168.1.5 [VT] 49198 216.58.205.243 [VT] 80 None www.griffinmcshane.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.griffinmcshane.com/d8h/ 0
2020-10-18 06:44:39.408 192.168.1.5 [VT] 49199 216.58.205.243 [VT] 80 None www.griffinmcshane.com [VT] /d8h/?CZ=mysH9cXML1wr6NRiYHF9S8UuE4GcUml5Q7MHClWYVlHYAm7+JMRJI0agjNUgWKqhrNZRbQ==&F4=5jfHZl None None None 0
2020-10-18 06:44:48.046 192.168.1.5 [VT] 49200 184.168.131.241 [VT] 80 None www.maskupforschool.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.maskupforschool.com/d8h/ 0
2020-10-18 06:44:49.048 192.168.1.5 [VT] 49201 184.168.131.241 [VT] 80 None www.maskupforschool.com [VT] /d8h/?CZ=b4AuRmO/7JUbS6k+Qiq3knCjLs8pOUSKEo2G3RGwxeZ8hlUmNd0Cp9x7zXXV/1MTFJXwcw==&F4=5jfHZl None None None 0
2020-10-18 06:44:55.158 192.168.1.5 [VT] 49202 162.214.80.6 [VT] 80 None www.albumofindia.online [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.albumofindia.online/d8h/ 0
2020-10-18 06:44:56.173 192.168.1.5 [VT] 49203 162.214.80.6 [VT] 80 None www.albumofindia.online [VT] /d8h/?CZ=ube7AmU+EvAnH+Xlrh0U30zwPZ9MNWHW5q3SgJsfZjcQPenx3wyCbXPTDbZJSuwiq2aJFQ==&F4=5jfHZl None None None 0
2020-10-18 06:45:02.072 192.168.1.5 [VT] 49204 160.153.136.3 [VT] 80 None www.chaoscraftsonthesidellc.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.chaoscraftsonthesidellc.com/d8h/ 0
2020-10-18 06:45:03.079 192.168.1.5 [VT] 49205 160.153.136.3 [VT] 80 None www.chaoscraftsonthesidellc.com [VT] /d8h/?CZ=VgunWFR9q8pb4tGPCv38d+jgIlwl93I0dvwhFuWclZmZupki7t7em12E06SitRi9BTDT4Q==&F4=5jfHZl None None None 0
2020-10-18 06:45:09.927 192.168.1.5 [VT] 49206 162.241.253.15 [VT] 80 None www.igensheets.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.igensheets.com/d8h/ 0
2020-10-18 06:45:10.939 192.168.1.5 [VT] 49207 162.241.253.15 [VT] 80 None www.igensheets.com [VT] /d8h/?CZ=zqmrbz2APNYG5UWSEGf5jI58xAusWeMf/pOsnRHmq9084BhKlfjR/DNu4vOcfXkGQkQRvw==&F4=5jfHZl None None None 0
2020-10-18 06:45:18.390 192.168.1.5 [VT] 49208 34.102.136.180 [VT] 80 None www.pidoo.pet [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.pidoo.pet/d8h/ 0
2020-10-18 06:45:19.392 192.168.1.5 [VT] 49209 34.102.136.180 [VT] 80 None www.pidoo.pet [VT] /d8h/?CZ=zcL2OsP5dJ0pRZhy1VbtKvKvJGO/342DftNu0qyiAGEkclQPJgjNg2OTP9GV97K68Qm91Q==&F4=5jfHZl None None None 0
2020-10-18 06:45:25.408 192.168.1.5 [VT] 49210 3.131.184.38 [VT] 80 None www.wesportscity.com [VT] /d8h/?CZ=RNqt58oOHd5whgsyY//zCocy/IAQsQ+MvXWW5F1sEvHFYvdOdh2k9zEoYfo2HQfR+MAsuw==&F4=5jfHZl None None None 0
2020-10-18 06:45:38.800 192.168.1.5 [VT] 49211 116.255.246.111 [VT] 80 None www.matu-edu.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.matu-edu.com/d8h/ 0
2020-10-18 06:45:39.819 192.168.1.5 [VT] 49212 116.255.246.111 [VT] 80 None www.matu-edu.com [VT] /d8h/?CZ=ulW4hg8SaoSBMicQPLeLzGLAYISMMUrPq5TiGuQvBZj25AUzjLF0HiLMwqY5/y8pnWBQwA==&F4=5jfHZl None None None 0
2020-10-18 06:45:44.816 192.168.1.5 [VT] 49213 54.85.86.211 [VT] 80 None www.anaejoao2021.com [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.anaejoao2021.com/d8h/ 0
2020-10-18 06:45:45.829 192.168.1.5 [VT] 49214 54.85.86.211 [VT] 80 None www.anaejoao2021.com [VT] /d8h/?CZ=+QMxmTeVf6/neLoGOkNsNs+LKlSXE0MxkEjUxGYXWHXlvifn05TjUCnrln+mEdCmifiDWQ==&F4=5jfHZl None None None 0
2020-10-18 06:45:50.831 192.168.1.5 [VT] 49215 72.55.191.197 [VT] 80 None www.winemakingkit.net [VT] /d8h/ None Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko http://www.winemakingkit.net/d8h/ 0

No dropped Suricata extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.1.5 49179 13.107.42.23 443 3b483d0b34894548b602e8d18cdc24c5 unknown

No dropped files.

Process Name PO8479349743085.exe
PID 2584
Dump Size 187904 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\PO8479349743085.exe
Type PE image: 32-bit executable
PE timestamp 2020-10-17 09:19:45
MD5 3e213fa13ea3bc0680760eefd36f9415
SHA1 7f75682a294f6b4b5d8c1eb72482dd24786cc6d1
SHA256 cfa57035524836fbcb5a03201586bf0e80ba842af70a35d0476785137baa7946
CRC32 84E53C54
Ssdeep 3072:MjUImNCrFnnt8J0IVwLSA8pIE9cFGkhXbE4xqlEF7WzfCBxKUuUExQDoBjyLQcqM:MjUzWnIVwreI+cFhhrEqql/zf87uUExK
Yara
  • shellcode_get_eip - Match x86 that appears to fetch $PC. - Author: William Ballenthin
  • shellcode_stack_strings - Match x86 that appears to be stack string creation. - Author: William Ballenthin
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode - Author: kevoreilly
Dump Filename cfa57035524836fbcb5a03201586bf0e80ba842af70a35d0476785137baa7946

BinGraph

[graph image not reproduced]
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
Execution
  • T1106 - Execution through API
    • Signature - process_creation_suspicious_location

    Processing ( 41.782 seconds )

    • 30.528 NetworkAnalysis
    • 5.28 Suricata
    • 2.699 VirusTotal
    • 2.648 CAPE
    • 0.371 Static
    • 0.083 AnalysisInfo
    • 0.046 Deduplicate
    • 0.042 BehaviorAnalysis
    • 0.036 TargetInfo
    • 0.027 ProcDump
    • 0.01 Strings
    • 0.007 peid
    • 0.005 Debug

    Signatures ( 0.149 seconds )

    • 0.036 network_cnc_http
    • 0.011 antiav_detectreg
    • 0.011 ransomware_files
    • 0.01 network_http
    • 0.008 ransomware_extensions
    • 0.006 antiav_detectfile
    • 0.006 infostealer_ftp
    • 0.005 guloader_apis
    • 0.005 territorial_disputes_sigs
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_bitcoin
    • 0.004 network_torgateway
    • 0.003 persistence_autorun
    • 0.003 infostealer_im
    • 0.003 network_dns_opennic
    • 0.003 recon_checkip
    • 0.002 antianalysis_detectreg
    • 0.002 antivm_vbox_files
    • 0.002 geodo_banking_trojan
    • 0.002 cryptopool_domains
    • 0.002 infostealer_mail
    • 0.002 masquerade_process_name
    • 0.001 betabot_behavior
    • 0.001 infostealer_browser
    • 0.001 kibex_behavior
    • 0.001 accesses_recyclebin
    • 0.001 tinba_behavior
    • 0.001 antidbg_devices
    • 0.001 antivm_vbox_keys
    • 0.001 browser_security
    • 0.001 disables_backups
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 network_dns_blockchain
    • 0.001 network_dns_doh_tls
    • 0.001 revil_mutexes
    • 0.001 ursnif_behavior

    Reporting ( 3.112 seconds )

    • 2.455 BinGraph
    • 0.639 MITRE_TTPS
    • 0.018 PCAP2CERT